



uberAgent-ESA-am-sigma-proc-creation-high.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-high.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to regenerate the latest rules from the repository with the Python-based sigmac converter
#    1. Clone the repository locally
#    2. From a command line, change the working directory to the freshly cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: high
#

[ActivityMonitoringRule]
# Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
# All three conditions are required: parent path ends in \svchost.exe, process path ends in \mmc.exe, and "-Embedding" appears anywhere in the command line.
RuleName = MMC20 Lateral Movement
EventType = Process.Start
Tag = proc-start-mmc20-lateral-movement
RiskScore = 75
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mmc.exe" and Process.CommandLine like r"%-Embedding%")

[ActivityMonitoringRule]
# Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
# Requires mshta.exe plus any one of the listed substrings; the extension checks (.jpg, .png, .lnk, ...) match anywhere in the command line, not only in the launched file name.
RuleName = MSHTA Suspicious Execution 01
EventType = Process.Start
Tag = proc-start-mshta-suspicious-execution-01
RiskScore = 75
Query = (Process.Path like r"%\\mshta.exe" and (Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.lnk%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.zip%"))

[ActivityMonitoringRule]
# Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
# Not restricted to esentutl.exe: any process whose command line contains both " /vss " and " /y " (space-delimited) matches, so the administrative uses mentioned above will show up as well.
RuleName = Suspicious Esentutl Use
EventType = Process.Start
Tag = proc-start-suspicious-esentutl-use
RiskScore = 75
Query = (Process.CommandLine like r"% /vss %" and Process.CommandLine like r"% /y %")

[ActivityMonitoringRule]
# Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
# Patterns without a '%' wildcard (e.g. "vssadmin.exe Delete Shadows", or "reg SAVE HKLM\\SYSTEM " with its trailing space) match only when the whole command line equals the string.
# The unescaped '_' in "\\_\\GLOBALROOT" is presumably a single-character wildcard standing in for the '?' of \\?\\GLOBALROOT — confirm against the like semantics.
RuleName = Activity Related to NTDS.dit Domain Hash Retrieval
EventType = Process.Start
Tag = proc-start-activity-related-to-ntds.dit-domain-hash-retrieval
RiskScore = 75
Query = (Process.CommandLine like r"vssadmin.exe Delete Shadows" or Process.CommandLine like r"vssadmin create shadow /for=C:" or Process.CommandLine like r"copy \\_\\GLOBALROOT\\Device\\%\\windows\\ntds\\ntds.dit" or Process.CommandLine like r"copy \\_\\GLOBALROOT\\Device\\%\\config\\SAM" or Process.CommandLine like r"vssadmin delete shadows /for=C:" or Process.CommandLine like r"reg SAVE HKLM\\SYSTEM " or Process.CommandLine like r"esentutl.exe /y /vss %\\ntds.dit%" or Process.CommandLine like r"esentutl.exe /y /vss %\\SAM" or Process.CommandLine like r"esentutl.exe /y /vss %\\SYSTEM")

[ActivityMonitoringRule]
# Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
# Fires when either automation DLL is loaded by any process not on the exclusion list.
# '\_' in powershell\_ise.exe presumably escapes a literal underscore, which like would otherwise treat as a single-character wildcard (cf. '\%' for a literal percent elsewhere in this file).
# NOTE(review): pwsh.exe (PowerShell 7) is not on the exclusion list; confirm whether it should be if it is deployed.
RuleName = In-memory PowerShell
EventType = Image.Load
Tag = image-load-in-memory-powershell
RiskScore = 75
Query = ((Image.Path like r"%\\System.Management.Automation.Dll" or Image.Path like r"%\\System.Management.Automation.ni.Dll") and not ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\WINDOWS\\System32\\sdiagnhost.exe" or Process.Path like r"%\\mscorsvw.exe" or Process.Path like r"%\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe")))

[ActivityMonitoringRule]
# The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
# Both path patterns lack a leading '\\', so any path ending in fxssvc.exe / ualapi.dll matches; loads from C:\\Windows\\WinSxS are excluded (the exclusion is anchored to drive C:).
RuleName = Fax Service DLL Search Order Hijack
EventType = Image.Load
Tag = image-load-fax-service-dll-search-order-hijack
RiskScore = 75
Query = (((Process.Path like r"%fxssvc.exe") and (Image.Path like r"%ualapi.dll")) and not ((Image.Path like r"C:\\Windows\\WinSxS\\%")))

[ActivityMonitoringRule]
# Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
# Only notepad.exe is covered as the hosting process; other hosts loading these DLLs do not match.
RuleName = Possible Process Hollowing Image Loading
EventType = Image.Load
Tag = image-load-possible-process-hollowing-image-loading
RiskScore = 75
Query = ((Process.Path like r"%\\notepad.exe") and (Image.Path like r"%\\samlib.dll" or Image.Path like r"%\\WinSCard.dll"))

[ActivityMonitoringRule]
# Detects any assembly DLL being loaded by an Office Product
# Office processes covered: winword, powerpnt, excel, outlook. The image path is anchored to C:\\Windows\\assembly, so a different system drive would not match.
RuleName = dotNET DLL Loaded Via Office Applications
EventType = Image.Load
Tag = image-load-dotnet-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"C:\\Windows\\assembly\\%"))

[ActivityMonitoringRule]
# Detects CLR DLL being loaded by an Office Product
# Same four Office processes as the other image-load rules in this group; "%\\clr.dll%" has a trailing wildcard and so also matches image names that merely start with clr.dll.
RuleName = CLR DLL Loaded Via Office Applications
EventType = Image.Load
Tag = image-load-clr-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\clr.dll%"))

[ActivityMonitoringRule]
# Detects any GAC DLL being loaded by an Office Product
# Image path is anchored to C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL (drive C: assumed); '\_' presumably escapes the literal underscore, since '_' is otherwise a single-character like wildcard.
RuleName = GAC DLL Loaded Via Office Applications
EventType = Image.Load
Tag = image-load-gac-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"C:\\Windows\\Microsoft.NET\\assembly\\GAC\_MSIL%"))

[ActivityMonitoringRule]
# Detects DSParse DLL being loaded by an Office Product
# Matches dsparse.dll loaded by winword, powerpnt, excel or outlook, regardless of the DLL's directory (trailing '%' also admits names that start with dsparse.dll).
RuleName = Active Directory Parsing DLL Loaded Via Office Applications
EventType = Image.Load
Tag = image-load-active-directory-parsing-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\dsparse.dll%"))

[ActivityMonitoringRule]
# Detects Kerberos DLL being loaded by an Office Product
# Matches kerberos.dll loaded by winword, powerpnt, excel or outlook, regardless of the DLL's directory.
# NOTE(review): ordinary Office authentication may load this DLL too; review the match volume before raising the score.
RuleName = Active Directory Kerberos DLL Loaded Via Office Applications
EventType = Image.Load
Tag = image-load-active-directory-kerberos-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\kerberos.dll"))

[ActivityMonitoringRule]
# Detects DLLs loaded via Word containing VBA macros
# Despite the rule name, the process list covers PowerPoint, Excel and Outlook as well as Word.
RuleName = VBA DLL Loaded Via Microsoft Word
EventType = Image.Load
Tag = image-load-vba-dll-loaded-via-microsoft-word
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\VBE7.DLL" or Image.Path like r"%\\VBEUI.DLL" or Image.Path like r"%\\VBE7INTL.DLL"))

[ActivityMonitoringRule]
# Detects DLLs loaded via Word containing VBA macros executing WMI commands
# Despite the rule name (which keeps the generated "Mangement" spelling), the process list covers PowerPoint, Excel and Outlook as well as Word.
RuleName = Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
EventType = Image.Load
Tag = image-load-windows-mangement-instrumentation-dll-loaded-via-microsoft-word
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\wbemdisp.dll" or Image.Path like r"%\\wbemsvc.dll"))

[ActivityMonitoringRule]
# IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
# Only the three listed DLL names are checked, and loads from C:\\Windows\\WinSxS are excluded (exclusion anchored to drive C:).
RuleName = Svchost DLL Search Order Hijack
EventType = Image.Load
Tag = image-load-svchost-dll-search-order-hijack
RiskScore = 75
Query = (((Process.Path like r"%\\svchost.exe") and (Image.Path like r"%\\tsmsisrv.dll" or Image.Path like r"%\\tsvipsrv.dll" or Image.Path like r"%\\wlbsctrl.dll")) and not ((Image.Path like r"C:\\Windows\\WinSxS\\%")))

[ActivityMonitoringRule]
# Detects non wmiprvse loading WMI modules
# Exclusions are by process path suffix; the last two (taskhostw.exe, MoUsoCoreWorker.exe) additionally require the windows\\system32 directory.
# '\_' in WMINet\_Utils.dll presumably escapes a literal underscore ('_' is otherwise a single-character like wildcard).
RuleName = WMI Modules Loaded
EventType = Image.Load
Tag = image-load-wmi-modules-loaded
RiskScore = 75
Query = ((Image.Path like r"%\\wmiclnt.dll" or Image.Path like r"%\\WmiApRpl.dll" or Image.Path like r"%\\wmiprov.dll" or Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\WMINet\_Utils.dll" or Image.Path like r"%\\wbemsvc.dll" or Image.Path like r"%\\fastprox.dll") and not ((Process.Path like r"%\\WmiPrvSe.exe" or Process.Path like r"%\\WmiAPsrv.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\DeviceCensus.exe" or Process.Path like r"%\\CompatTelRunner.exe" or Process.Path like r"%\\sdiagnhost.exe" or Process.Path like r"%\\SIHClient.exe" or Process.Path like r"%\\ngentask.exe" or Process.Path like r"%\\windows\\system32\\taskhostw.exe" or Process.Path like r"%\\windows\\system32\\MoUsoCoreWorker.exe")))

[ActivityMonitoringRule]
# Detects WMI command line event consumers
# The process path has no leading wildcard, so only WmiPrvSE.exe at that exact location on drive C: matches; wbemcons.dll is matched by file name.
RuleName = WMI Persistence - Command Line Event Consumer
EventType = Image.Load
Tag = image-load-wmi-persistence-command-line-event-consumer
RiskScore = 75
Query = (Process.Path like r"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Image.Path like r"%\\wbemcons.dll")

[ActivityMonitoringRule]
# Attempts to detect system changes made by Blue Mockingbird
# Service-reconfiguration branch: cmd.exe with "sc config" and wercplsupporte.dll on the command line.
# NOTE(review): the following rule uses the same RuleName and Tag ("proc-start-blue-mockingbird"); confirm duplicate tags are intended, since anything keyed on Tag will treat the two as one rule.
RuleName = Blue Mockingbird
EventType = Process.Start
Tag = proc-start-blue-mockingbird
RiskScore = 75
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%sc config%" and Process.CommandLine like r"%wercplsupporte.dll%")

[ActivityMonitoringRule]
# Attempts to detect system changes made by Blue Mockingbird
# Profiler branch: wmic.exe with a command line ending in COR_PROFILER (no trailing '%'); '\_' presumably escapes the literal underscore.
# NOTE(review): the preceding rule uses the same RuleName and Tag ("proc-start-blue-mockingbird"); confirm duplicate tags are intended.
RuleName = Blue Mockingbird
EventType = Process.Start
Tag = proc-start-blue-mockingbird
RiskScore = 75
Query = (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%COR\_PROFILER")

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
# Matches every child process of cmstp.exe; the child itself is unconstrained.
RuleName = CMSTP Execution
EventType = Process.Start
Tag = proc-start-cmstp-execution
RiskScore = 75
Query = Parent.Path like r"%\\cmstp.exe"

[ActivityMonitoringRule]
# Detects creation or execution of UserInitMprLogonScript persistence method
# Two branches: (a) a child of userinit.exe that is not explorer.exe and whose command line mentions neither netlogon.bat nor UsrLogon.cmd, or (b) any command line containing UserInitMprLogonScript.
RuleName = Logon Scripts (UserInitMprLogonScript)
EventType = Process.Start
Tag = proc-start-logon-scripts-(userinitmprlogonscript)
RiskScore = 75
Query = (((Parent.Path like r"%\\userinit.exe" and not (Process.Path like r"%\\explorer.exe")) and not ((Process.CommandLine like r"%netlogon.bat%" or Process.CommandLine like r"%UsrLogon.cmd%"))) or Process.CommandLine like r"%UserInitMprLogonScript%")

[ActivityMonitoringRule]
# Detects activity that could be related to Baby Shark malware
# The first and third patterns contain no '%' and must equal the whole command line; the second is a prefix match. '\"' embeds a literal double quote and '\_' a literal underscore in the pattern (presumably).
RuleName = Baby Shark Activity
EventType = Process.Start
Tag = proc-start-baby-shark-activity
RiskScore = 75
Query = (Process.CommandLine like r"reg query \"HKEY\_CURRENT\_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" or Process.CommandLine like r"powershell.exe mshta.exe http%" or Process.CommandLine like r"cmd.exe /c taskkill /im cmd.exe")

[ActivityMonitoringRule]
# Detects Hurricane Panda Activity
# The first pattern has no trailing '%', so the command line must end with " localgroup administrators admin /add"; the second matches \\Win64.exe anywhere.
RuleName = Hurricane Panda Activity
EventType = Process.Start
Tag = proc-start-hurricane-panda-activity
RiskScore = 75
Query = (Process.CommandLine like r"% localgroup administrators admin /add" or Process.CommandLine like r"%\\Win64.exe%")

[ActivityMonitoringRule]
# Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
# mstdc.exe / gpvc.exe are matched by file name only when not under C:\\Windows\\System32 or C:\\Windows\\SysWOW64 (drive C: assumed).
RuleName = Lazarus Session Highjacker
EventType = Process.Start
Tag = proc-start-lazarus-session-highjacker
RiskScore = 75
Query = ((Process.Path like r"%\\mstdc.exe" or Process.Path like r"%\\gpvc.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")))

[ActivityMonitoringRule]
# Detects specific process parameters as used by Mustang Panda droppers
# '\%' is presumably an escaped literal percent sign, so batch substring expansions such as %windir:~-3,1% are matched literally rather than as wildcards; '\"' embeds a literal double quote.
RuleName = Mustang Panda Dropper
EventType = Process.Start
Tag = proc-start-mustang-panda-dropper
RiskScore = 75
Query = ((Process.CommandLine like r"%Temp\\wtask.exe /create%" or Process.CommandLine like r"%\%windir:~-3,1\%\%PUBLIC:~-9,1\%%" or Process.CommandLine like r"%/E:vbscript % C:\\Users\\%.txt\" /F" or Process.CommandLine like r"%/tn \"Security Script %" or Process.CommandLine like r"%\%windir:~-1,1\%%") or (Process.Path like r"%Temp\\winwsh.exe"))

[ActivityMonitoringRule]
# Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
# Uses exact equality (==) rather than like: only a command line that is precisely "ps.exe -accepteula" matches; a path prefix or additional arguments do not.
RuleName = Ps.exe Renamed SysInternals Tool
EventType = Process.Start
Tag = proc-start-ps.exe-renamed-sysinternals-tool
RiskScore = 75
Query = Process.CommandLine == "ps.exe -accepteula"

[ActivityMonitoringRule]
# Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
# Substring match on the long run of 'C' characters anywhere in the command line.
RuleName = TropicTrooper Campaign November 2018
EventType = Process.Start
Tag = proc-start-tropictrooper-campaign-november-2018
RiskScore = 75
Query = Process.CommandLine like r"%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%"

[ActivityMonitoringRule]
# A sigma rule detecting an unidentified attacker who used phishing emails to target high profile orgs in November 2018. The Actor shares some TTPs with the YYTRIUM/APT29 campaign in 2016.
# No trailing '%': the command line must end with "cyzfc.dat, PointFunctionCall".
RuleName = Unidentified Attacker November 2018
EventType = Process.Start
Tag = proc-start-unidentified-attacker-november-2018
RiskScore = 75
Query = Process.CommandLine like r"%cyzfc.dat, PointFunctionCall"

[ActivityMonitoringRule]
# Detects activity mentioned in Operation Wocao report
# Ten independent substring patterns; '\_' in HKEY\_CURRENT\_USER presumably escapes literal underscores (otherwise single-character like wildcards).
RuleName = Operation Wocao Activity
EventType = Process.Start
Tag = proc-start-operation-wocao-activity
RiskScore = 75
Query = (Process.CommandLine like r"%checkadmin.exe 127.0.0.1 -all%" or Process.CommandLine like r"%netsh advfirewall firewall add rule name=powershell dir=in%" or Process.CommandLine like r"%cmd /c powershell.exe -ep bypass -file c:\\s.ps1%" or Process.CommandLine like r"%/tn win32times /f%" or Process.CommandLine like r"%create win32times binPath=%" or Process.CommandLine like r"%\\c$\\windows\\system32\\devmgr.dll%" or Process.CommandLine like r"% -exec bypass -enc JgAg%" or Process.CommandLine like r"%type %keepass\\KeePass.config.xml%" or Process.CommandLine like r"%iie.exe iie.txt%" or Process.CommandLine like r"%reg query HKEY\_CURRENT\_USER\\Software\\%\\PuTTY\\Sessions\\%")

[ActivityMonitoringRule]
# Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used by malware or an attacker as a destructive technique.
# Requires bcdedit.exe with "set" plus either (bootstatuspolicy AND ignoreallfailures) or (recoveryenabled AND "no"); "%no%" is a bare substring and will also match "no" occurring inside other words on the command line.
RuleName = Modification of Boot Configuration
EventType = Process.Start
Tag = proc-start-modification-of-boot-configuration
RiskScore = 75
Query = ((Process.Path like r"%\\bcdedit.exe" and Process.CommandLine like r"%set%") and ((Process.CommandLine like r"%bootstatuspolicy%" and Process.CommandLine like r"%ignoreallfailures%") or (Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%")))

[ActivityMonitoringRule]
# Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
# Both conditions are on the parent's command line (a DllHost.exe hosting one of the two CLSIDs, which must end the command line); the child process itself is unconstrained.
RuleName = CMSTP UAC Bypass via COM Object Access
EventType = Process.Start
Tag = proc-start-cmstp-uac-bypass-via-com-object-access
RiskScore = 75
Query = (Parent.CommandLine like r"%\\DllHost.exe %" and (Parent.CommandLine like r"%{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or Parent.CommandLine like r"%{3E000D72-A845-4CD9-BD83-80C07C3B881F}"))

[ActivityMonitoringRule]
# Detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking
# The parent must be a "cmd ... /c" invocation and the child's command line must contain "/../../".
RuleName = Cmd.exe CommandLine Path Traversal
EventType = Process.Start
Tag = proc-start-cmd.exe-commandline-path-traversal
RiskScore = 75
Query = (Parent.CommandLine like r"%cmd%/c%" and Process.CommandLine like r"%/../../%")

[ActivityMonitoringRule]
# Files with well-known filenames (sensitive files with credential data) copying
# Two independent branches: esentutl.exe with "vss", " /m " or " /y ", OR any process whose command line references one of the listed hive / ntds.dit paths (no Process.Path constraint on that branch).
# "\\config\\system " carries a trailing space, presumably so that only a path ending in \\config\\system matches.
RuleName = Copying Sensitive Files with Credential Data
EventType = Process.Start
Tag = proc-start-copying-sensitive-files-with-credential-data
RiskScore = 75
Query = ((Process.Path like r"%\\esentutl.exe" and (Process.CommandLine like r"%vss%" or Process.CommandLine like r"% /m %" or Process.CommandLine like r"% /y %")) or (Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" or Process.CommandLine like r"%\\config\\sam%" or Process.CommandLine like r"%\\config\\security%" or Process.CommandLine like r"%\\config\\system %" or Process.CommandLine like r"%\\repair\\sam%" or Process.CommandLine like r"%\\repair\\system%" or Process.CommandLine like r"%\\repair\\security%" or Process.CommandLine like r"%\\config\\RegBack\\sam%" or Process.CommandLine like r"%\\config\\RegBack\\system%" or Process.CommandLine like r"%\\config\\RegBack\\security%"))

[ActivityMonitoringRule]
# Detects Archer malware invocation via rundll32
# No trailing '%': the command line must end with ",InstallArcherSvc".
RuleName = Fireball Archer Install
EventType = Process.Start
Tag = proc-start-fireball-archer-install
RiskScore = 75
Query = Process.CommandLine like r"%\\rundll32.exe %,InstallArcherSvc"

[ActivityMonitoringRule]
# Well-known DNS Exfiltration tools execution
# iodine requires the exact file name iodine.exe; the dnscat2 pattern has a trailing '%', so any name starting with dnscat2 matches.
RuleName = DNS Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-dns-exfiltration-and-tunneling-tools-execution
RiskScore = 75
Query = (Process.Path like r"%\\iodine.exe" or Process.Path like r"%\\dnscat2%")

[ActivityMonitoringRule]
# Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
# Matches the "cl"/"clear-log" and "sl"/"set-log ... /e:false" forms (presumably wevtutil syntax), space-delimited, from any process — there is no Process.Path constraint.
RuleName = Disable of ETW Trace
EventType = Process.Start
Tag = proc-start-disable-of-etw-trace
RiskScore = 75
Query = (Process.CommandLine like r"% cl %/Trace%" or Process.CommandLine like r"% clear-log %/Trace%" or Process.CommandLine like r"% sl% /e:false%" or Process.CommandLine like r"% set-log% /e:false%")

[ActivityMonitoringRule]
# Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
# Matches children of the two setup scripts unless the child's path is under C:\\Windows\\System32, SysWOW64, WinSxS or Setup (drive C: assumed).
RuleName = Exploiting SetupComplete.cmd CVE-2019-1378
EventType = Process.Start
Tag = proc-start-exploiting-setupcomplete.cmd-cve-2019-1378
RiskScore = 75
Query = ((Parent.CommandLine like r"%\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd" or Parent.CommandLine like r"%\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Windows\\Setup\\%")))

[ActivityMonitoringRule]
# Detects new commands that add a new printer port which points to a suspicious file
# Two branches: Add-PrinterPort -Name with a .exe/.dll/.bat reference, OR any command line containing "Generic / Text Only" on its own (the second branch is independent of Add-PrinterPort).
RuleName = Suspicious PrinterPorts Creation (CVE-2020-1048)
EventType = Process.Start
Tag = proc-start-suspicious-printerports-creation-(cve-2020-1048)
RiskScore = 75
Query = (((Process.CommandLine like r"%Add-PrinterPort -Name%") and (Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bat%")) or (Process.CommandLine like r"%Generic / Text Only%"))

[ActivityMonitoringRule]
# Detects command line parameters used by Bloodhound and Sharphound hack tools
# Four OR-ed branches: the binary name, one of four command-line markers, -JsonFolder together with -ZipFileName, or DCOnly together with --NoSaveCache.
RuleName = Bloodhound and Sharphound Hack Tool
EventType = Process.Start
Tag = proc-start-bloodhound-and-sharphound-hack-tool
RiskScore = 75
Query = ((Process.Path like r"%\\Bloodhound.exe%" or Process.Path like r"%\\SharpHound.exe%") or (Process.CommandLine like r"% -CollectionMethod All %" or Process.CommandLine like r"%.exe -c All -d %" or Process.CommandLine like r"%Invoke-Bloodhound%" or Process.CommandLine like r"%Get-BloodHoundData%") or (Process.CommandLine like r"% -JsonFolder %" and Process.CommandLine like r"% -ZipFileName %") or (Process.CommandLine like r"% DCOnly %" and Process.CommandLine like r"% --NoSaveCache %"))

[ActivityMonitoringRule]
# Detects command line parameters used by Koadic hack tool
# Substring match: "cmd.exe" followed anywhere later by " /q /c chcp ".
RuleName = Koadic Execution
EventType = Process.Start
Tag = proc-start-koadic-execution
RiskScore = 75
Query = (Process.CommandLine like r"%cmd.exe% /q /c chcp %")

[ActivityMonitoringRule]
# Identifies usage of hh.exe executing recently modified .chm files.
# The query cannot evaluate modification time; it only requires hh.exe with ".chm" somewhere on the command line.
RuleName = HH.exe Execution
EventType = Process.Start
Tag = proc-start-hh.exe-execution
RiskScore = 75
Query = (Process.Path like r"%\\hh.exe" and Process.CommandLine like r"%.chm%")

[ActivityMonitoringRule]
# Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
# The parent path has no leading wildcard and is anchored to C:\\Windows\\hh.exe; hh.exe started from another location or drive would not match.
RuleName = HTML Help Shell Spawn
EventType = Process.Start
Tag = proc-start-html-help-shell-spawn
RiskScore = 75
Query = (Parent.Path like r"C:\\Windows\\hh.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\rundll32.exe"))

[ActivityMonitoringRule]
# Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
# Matches only gbb.exe as a child of Hwp.exe.
RuleName = Suspicious HWP Sub Processes
EventType = Process.Start
Tag = proc-start-suspicious-hwp-sub-processes
RiskScore = 75
Query = (Parent.Path like r"%\\Hwp.exe" and Process.Path like r"%\\gbb.exe")

[ActivityMonitoringRule]
# Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
# Matches any command line referencing the Image File Execution Options key of one of the listed accessibility executables; there is no Process.Path constraint, so reg.exe, PowerShell or any other tool qualifies.
RuleName = Suspicious Debugger Registration Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-debugger-registration-cmdline
RiskScore = 75
Query = (Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\sethc.exe%" or Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\utilman.exe%" or Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\osk.exe%" or Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\magnify.exe%" or Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\narrator.exe%" or Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\displayswitch.exe%" or Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\atbroker.exe%")

[ActivityMonitoringRule]
# Detect an interactive AT job, which may be used as a form of privilege escalation
# Requires at.exe with "interactive" anywhere on the command line.
RuleName = Interactive AT Job
EventType = Process.Start
Tag = proc-start-interactive-at-job
RiskScore = 75
Query = (Process.Path like r"%\\at.exe" and Process.CommandLine like r"%interactive%")

[ActivityMonitoringRule]
# Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in report
# Parent/child path suffix match only; no command-line constraint. (RuleName and Tag keep the generated "Spwaned" spelling.)
RuleName = MSHTA Spwaned by SVCHOST
EventType = Process.Start
Tag = proc-start-mshta-spwaned-by-svchost
RiskScore = 75
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mshta.exe")

[ActivityMonitoringRule]
# Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
# Branch 1: any command line containing both "lsass" and ".dmp", except when run by werfault.exe. Branch 2: a binary whose path contains \\procdump and ends in .exe, with "lsass" on the command line.
RuleName = LSASS Memory Dumping
EventType = Process.Start
Tag = proc-start-lsass-memory-dumping
RiskScore = 75
Query = (((Process.CommandLine like r"%lsass%" and Process.CommandLine like r"%.dmp%") and not (Process.Path like r"%\\werfault.exe")) or (Process.Path like r"%\\procdump%" and Process.Path like r"%.exe" and Process.CommandLine like r"%lsass%"))

[ActivityMonitoringRule]
# Detects wscript/cscript executions of scripts located in user directories
# Script-path patterns are space-delimited on both sides (" C:\\Users\\%.vbs "), so the script path must be followed by a space to match; children of a winzip parent are excluded.
RuleName = WScript or CScript Dropper
EventType = Process.Start
Tag = proc-start-wscript-or-cscript-dropper
RiskScore = 75
Query = (((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"% C:\\Users\\%.jse %" or Process.CommandLine like r"% C:\\Users\\%.vbe %" or Process.CommandLine like r"% C:\\Users\\%.js %" or Process.CommandLine like r"% C:\\Users\\%.vba %" or Process.CommandLine like r"% C:\\Users\\%.vbs %" or Process.CommandLine like r"% C:\\ProgramData\\%.jse %" or Process.CommandLine like r"% C:\\ProgramData\\%.vbe %" or Process.CommandLine like r"% C:\\ProgramData\\%.js %" or Process.CommandLine like r"% C:\\ProgramData\\%.vba %" or Process.CommandLine like r"% C:\\ProgramData\\%.vbs %")) and not (Parent.Path like r"%\\winzip%"))

[ActivityMonitoringRule]
# Detects javaw.exe in AppData folder as used by Adwind / JRAT
# Two substring patterns: a java*.exe under AppData\\Roaming\\Oracle, or cscript.exe running a Retrive*.vbs script.
# NOTE(review): the generated Tag contains "/" (proc-start-adwind-rat-/-jrat); confirm that character is accepted in a tag before relying on it for correlation.
RuleName = Adwind RAT / JRAT
EventType = Process.Start
Tag = proc-start-adwind-rat-/-jrat
RiskScore = 75
Query = (Process.CommandLine like r"%\\AppData\\Roaming\\Oracle%\\java%.exe %" or Process.CommandLine like r"%cscript.exe %Retrive%.vbs %")

[ActivityMonitoringRule]
# Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
# The parent must be services.exe; three alternative command-line shapes are accepted (cmd /c echo ... \\pipe\\, %COMSPEC% /c echo ... \\pipe\\, or rundll32 ...dll,a /p:), with MpCmdRun excluded.
# '\%' presumably escapes the literal percent signs of %COMSPEC% ('%' is otherwise the multi-character like wildcard).
RuleName = Meterpreter or Cobalt Strike Getsystem Service Start
EventType = Process.Start
Tag = proc-start-meterpreter-or-cobalt-strike-getsystem-service-start
RiskScore = 75
Query = ((Parent.Path like r"%\\services.exe" and ((Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%\%COMSPEC\%%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%.dll,a%" and Process.CommandLine like r"%/p:%"))) and not (Process.CommandLine like r"%MpCmdRun%"))

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MMC
# The child list is matched by path suffix; the BITSADMIN entry has a trailing '%' and so also matches names that merely start with BITSADMIN.
RuleName = MMC Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mmc-spawning-windows-shell
RiskScore = 75
Query = (Parent.Path like r"%\\mmc.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\BITSADMIN%"))

[ActivityMonitoringRule]
# Identifies suspicious mshta.exe commands
# Requires mshta.exe with "javascript" anywhere on the command line.
RuleName = Mshta JavaScript Execution
EventType = Process.Start
Tag = proc-start-mshta-javascript-execution
RiskScore = 75
Query = (Process.Path like r"%\\mshta.exe" and Process.CommandLine like r"%javascript%")

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MSHTA
# Same child list as the MMC rule in this file, matched by path suffix; the BITSADMIN entry has a trailing wildcard.
RuleName = MSHTA Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mshta-spawning-windows-shell
RiskScore = 75
Query = (Parent.Path like r"%\\mshta.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\BITSADMIN%"))

[ActivityMonitoringRule]
# Detects netsh commands that open port 3389 used for RDP, as used in Sarwent Malware
# Covers both the legacy "firewall add portopening ... tcp 3389" and the "advfirewall firewall add rule ... action=allow protocol=TCP localport=3389" forms; all terms are order-independent substrings.
RuleName = Netsh RDP Port Opening
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-opening
RiskScore = 75
Query = (Process.CommandLine like r"%netsh%" and ((Process.CommandLine like r"%firewall add portopening%" and Process.CommandLine like r"%tcp 3389%") or (Process.CommandLine like r"%advfirewall firewall add rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%protocol=TCP%" and Process.CommandLine like r"%localport=3389%")))

[ActivityMonitoringRule]
# Detects Netsh commands that allow a suspicious application location through the Windows Firewall
# Three AND-ed groups: "netsh", an allow-program form (legacy or advfirewall), and one of the listed writable or uncommon directories.
# '\%' presumably escapes the literal percent signs of %TEMP% and %Public%. (RuleName and Tag keep the generated "Suspcious" spelling.)
RuleName = Netsh Program Allowed with Suspcious Location
EventType = Process.Start
Tag = proc-start-netsh-program-allowed-with-suspcious-location
RiskScore = 75
Query = (Process.CommandLine like r"%netsh%" and (Process.CommandLine like r"%firewall add allowedprogram%" or (Process.CommandLine like r"%advfirewall firewall add rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%program=%")) and (Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%:\\RECYCLER\\%" or Process.CommandLine like r"%C:\\$Recycle.bin\\%" or Process.CommandLine like r"%:\\SystemVolumeInformation\\%" or Process.CommandLine like r"%C:\\Windows\\Tasks\\%" or Process.CommandLine like r"%C:\\Windows\\debug\\%" or Process.CommandLine like r"%C:\\Windows\\fonts\\%" or Process.CommandLine like r"%C:\\Windows\\help\\%" or Process.CommandLine like r"%C:\\Windows\\drivers\\%" or Process.CommandLine like r"%C:\\Windows\\addins\\%" or Process.CommandLine like r"%C:\\Windows\\cursors\\%" or Process.CommandLine like r"%C:\\Windows\\system32\\tasks\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%" or Process.CommandLine like r"%C:\\Temp\\%" or Process.CommandLine like r"%C:\\Users\\Public\\%" or Process.CommandLine like r"%\%Public\%\\%" or Process.CommandLine like r"%C:\\Users\\Default\\%" or Process.CommandLine like r"%C:\\Users\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.CommandLine like r"%\\Local Settings\\Temporary Internet Files\\%"))

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding of port 3389 used for RDP
# Anchored at the start (no leading '%'): the command line must begin with "netsh i" (presumably "netsh interface portproxy") and later contain "p%=3389 c" (presumably listenport=3389 followed by connect...).
RuleName = Netsh RDP Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-forwarding
RiskScore = 75
Query = (Process.CommandLine like r"netsh i% p%=3389 c%")

[ActivityMonitoringRule]
# Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
# Outlook is included as a parent as well. The child list also contains msiexec.exe and svchost.exe, which are not interpreters; review the volume of installer/updater matches before tuning.
RuleName = Microsoft Office Product Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-microsoft-office-product-spawning-windows-shell
RiskScore = 75
Query = ((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\OUTLOOK.EXE") and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\svchost.exe"))

[ActivityMonitoringRule]
# Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
# Outlook is included as a parent as well; the child path is anchored to C:\\users\\ (drive C: assumed) and must end in .exe.
RuleName = MS Office Product Spawning Exe in User Dir
EventType = Process.Start
Tag = proc-start-ms-office-product-spawning-exe-in-user-dir
RiskScore = 75
Query = ((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\OUTLOOK.EXE") and (Process.Path like r"C:\\users\\%.exe"))

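[ActivityMonitoringRule]
# Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
# Each clause pairs a known side-loading host binary with the directories it legitimately
# lives in; a start from anywhere else matches. The hkcmd.exe exclusion previously spelled
# the 32-bit system directory as "SysWowo64", which never matches the real
# "SysWOW64" path and therefore flagged every legitimate 32-bit hkcmd.exe start.
RuleName = Executable Used by PlugX in Uncommon Location
EventType = Process.Start
Tag = proc-start-executable-used-by-plugx-in-uncommon-location
RiskScore = 75
Query = ((((((((((((Process.Path like r"%\\CamMute.exe" and not (Process.Path like r"%\\Lenovo\\Communication Utility\\%")) or (Process.Path like r"%\\chrome\_frame\_helper.exe" and not (Process.Path like r"%\\Google\\Chrome\\application\\%"))) or (Process.Path like r"%\\dvcemumanager.exe" and not (Process.Path like r"%\\Microsoft Device Emulator\\%"))) or (Process.Path like r"%\\Gadget.exe" and not (Process.Path like r"%\\Windows Media Player\\%"))) or (Process.Path like r"%\\hcc.exe" and not (Process.Path like r"%\\HTML Help Workshop\\%"))) or (Process.Path like r"%\\hkcmd.exe" and not ((Process.Path like r"%\\System32\\%" or Process.Path like r"%\\SysNative\\%" or Process.Path like r"%\\SysWOW64\\%")))) or (Process.Path like r"%\\Mc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%")))) or (Process.Path like r"%\\MsMpEng.exe" and not ((Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Windows Defender\\%" or Process.Path like r"%\\AntiMalware\\%")))) or (Process.Path like r"%\\msseces.exe" and not ((Process.Path like r"%\\Microsoft Security Center\\%" or Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Microsoft Security Essentials\\%")))) or (Process.Path like r"%\\OInfoP11.exe" and not (Process.Path like r"%\\Common Files\\Microsoft Shared\\%"))) or (Process.Path like r"%\\OleView.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%")))) or (Process.Path like r"%\\rc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%" or Process.Path like r"%\\Microsoft.NET\\%"))))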

[ActivityMonitoringRule]
# Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
RuleName = Powershell AMSI Bypass via .NET Reflection
EventType = Process.Start
Tag = proc-start-powershell-amsi-bypass-via-.net-reflection
RiskScore = 75
Query = ((Process.CommandLine like r"%System.Management.Automation.AmsiUtils%") and (Process.CommandLine like r"%amsiInitFailed%"))

[ActivityMonitoringRule]
# Detects suspicious FromBase64String expressions in command line arguments
RuleName = FromBase64String Command Line
EventType = Process.Start
Tag = proc-start-frombase64string-command-line
RiskScore = 75
Query = Process.CommandLine like r"%::FromBase64String(%"

[ActivityMonitoringRule]
# Detects suspicious PowerShell invocation with a parameter substring
RuleName = Suspicious PowerShell Parameter Substring
EventType = Process.Start
Tag = proc-start-suspicious-powershell-parameter-substring
RiskScore = 75
Query = ((Process.Path like r"%\\Powershell.exe") and (Process.CommandLine like r"% -windowstyle h %" or Process.CommandLine like r"% -windowstyl h%" or Process.CommandLine like r"% -windowsty h%" or Process.CommandLine like r"% -windowst h%" or Process.CommandLine like r"% -windows h%" or Process.CommandLine like r"% -windo h%" or Process.CommandLine like r"% -wind h%" or Process.CommandLine like r"% -win h%" or Process.CommandLine like r"% -wi h%" or Process.CommandLine like r"% -win h %" or Process.CommandLine like r"% -win hi %" or Process.CommandLine like r"% -win hid %" or Process.CommandLine like r"% -win hidd %" or Process.CommandLine like r"% -win hidde %" or Process.CommandLine like r"% -NoPr %" or Process.CommandLine like r"% -NoPro %" or Process.CommandLine like r"% -NoProf %" or Process.CommandLine like r"% -NoProfi %" or Process.CommandLine like r"% -NoProfil %" or Process.CommandLine like r"% -nonin %" or Process.CommandLine like r"% -nonint %" or Process.CommandLine like r"% -noninte %" or Process.CommandLine like r"% -noninter %" or Process.CommandLine like r"% -nonintera %" or Process.CommandLine like r"% -noninterac %" or Process.CommandLine like r"% -noninteract %" or Process.CommandLine like r"% -noninteracti %" or Process.CommandLine like r"% -noninteractiv %" or Process.CommandLine like r"% -ec %" or Process.CommandLine like r"% -encodedComman %" or Process.CommandLine like r"% -encodedComma %" or Process.CommandLine like r"% -encodedComm %" or Process.CommandLine like r"% -encodedCom %" or Process.CommandLine like r"% -encodedCo %" or Process.CommandLine like r"% -encodedC %" or Process.CommandLine like r"% -encoded %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% -encod %" or Process.CommandLine like r"% -enco %" or Process.CommandLine like r"% -en %"))

[ActivityMonitoringRule]
# Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
RuleName = Default PowerSploit and Empire Schtasks Persistence
EventType = Process.Start
Tag = proc-start-default-powersploit-and-empire-schtasks-persistence
RiskScore = 75
Query = ((Parent.Path like r"%\\powershell.exe") and (Process.CommandLine like r"%schtasks%/Create%/SC %ONLOGON%/TN %Updater%/TR %powershell%" or Process.CommandLine like r"%schtasks%/Create%/SC %DAILY%/TN %Updater%/TR %powershell%" or Process.CommandLine like r"%schtasks%/Create%/SC %ONIDLE%/TN %Updater%/TR %powershell%" or Process.CommandLine like r"%schtasks%/Create%/SC %Updater%/TN %Updater%/TR %powershell%"))

[ActivityMonitoringRule]
# Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
RuleName = Process Dump via Rundll32 and Comsvcs.dll
EventType = Process.Start
Tag = proc-start-process-dump-via-rundll32-and-comsvcs.dll
RiskScore = 75
Query = (Process.CommandLine like r"%comsvcs.dll,#24%" or Process.CommandLine like r"%comsvcs.dll,MiniDump%")

[ActivityMonitoringRule]
# Detects RDP session hijacking by using MSTSC shadowing
RuleName = MSTSC Shadowing
EventType = Process.Start
Tag = proc-start-mstsc-shadowing
RiskScore = 75
Query = (Process.CommandLine like r"%noconsentprompt%" and Process.CommandLine like r"%shadow:%")

[ActivityMonitoringRule]
# Detects actions caused by the RedMimicry Winnti playbook
RuleName = RedMimicry Winnti Playbook Execute
EventType = Process.Start
Tag = proc-start-redmimicry-winnti-playbook-execute
RiskScore = 75
Query = ((Process.Path like r"%rundll32.exe%" or Process.Path like r"%cmd.exe%") and (Process.CommandLine like r"%gthread-3.6.dll%" or Process.CommandLine like r"%\\Windows\\Temp\\tmp.bat%" or Process.CommandLine like r"%sigcmm-2.4.dll%"))

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
# NOTE(review): the first clause matches Process.Name exactly (no wildcard) against a list of
# tool names, and the "and not" clause requires that Process.Path does NOT end in any of
# those same names. This can only ever be true if Process.Name carries the PE's
# OriginalFileName rather than the file name taken from Process.Path; if uberAgent derives
# Process.Name from the path, the two clauses contradict each other and the rule never
# fires — confirm against the uberAgent field reference before relying on it.
RuleName = Highly Relevant Renamed Binary
EventType = Process.Start
Tag = proc-start-highly-relevant-renamed-binary
RiskScore = 75
Query = ((Process.Name like r"powershell.exe" or Process.Name like r"powershell\_ise.exe" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"mshta.exe" or Process.Name like r"regsvr32.exe" or Process.Name like r"wmic.exe" or Process.Name like r"certutil.exe" or Process.Name like r"rundll32.exe" or Process.Name like r"cmstp.exe" or Process.Name like r"msiexec.exe") and not ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe")))

[ActivityMonitoringRule]
# Detects PowerShell script execution from Alternate Data Stream (ADS)
RuleName = Run PowerShell Script from ADS
EventType = Process.Start
Tag = proc-start-run-powershell-script-from-ads
RiskScore = 75
Query = (Parent.Path like r"%\\powershell.exe" and Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Get-Content%" and Process.CommandLine like r"%-Stream%")

[ActivityMonitoringRule]
# Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
RuleName = Possible Shim Database Persistence via sdbinst.exe
EventType = Process.Start
Tag = proc-start-possible-shim-database-persistence-via-sdbinst.exe
RiskScore = 75
Query = ((Process.Path like r"%\\sdbinst.exe") and (Process.CommandLine like r"%.sdb%"))

[ActivityMonitoringRule]
# Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
RuleName = Suspicious Calculator Usage
EventType = Process.Start
Tag = proc-start-suspicious-calculator-usage
RiskScore = 75
Query = (Process.CommandLine like r"%\\calc.exe %" or (Process.Path like r"%\\calc.exe" and not (Process.Path like r"%\\Windows\\Sys%")))

[ActivityMonitoringRule]
# Detects a suspicious Microsoft certutil execution with sub commands like 'decode', which is sometimes used to decode malicious code with the built-in certutil utility
RuleName = Suspicious Certutil Command
EventType = Process.Start
Tag = proc-start-suspicious-certutil-command
RiskScore = 75
Query = (Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% /decode %" or Process.CommandLine like r"% -decodehex %" or Process.CommandLine like r"% /decodehex %" or Process.CommandLine like r"% -urlcache %" or Process.CommandLine like r"% /urlcache %" or Process.CommandLine like r"% -verifyctl %" or Process.CommandLine like r"% /verifyctl %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% /encode %" or Process.CommandLine like r"%certutil% -URL%" or Process.CommandLine like r"%certutil% /URL%" or Process.CommandLine like r"%certutil% -ping%" or Process.CommandLine like r"%certutil% /ping%")

[ActivityMonitoringRule]
# Detects suspicious command line arguments of common data compression tools
RuleName = Suspicious Compression Tool Parameters
EventType = Process.Start
Tag = proc-start-suspicious-compression-tool-parameters
RiskScore = 75
Query = (((Process.Name like r"7z%.exe" or Process.Name like r"%rar.exe" or Process.Name like r"%Command%Line%RAR%") and (Process.CommandLine like r"% -p%" or Process.CommandLine like r"% -ta%" or Process.CommandLine like r"% -tb%" or Process.CommandLine like r"% -sdel%" or Process.CommandLine like r"% -dw%" or Process.CommandLine like r"% -hp%")) and not (Parent.Path like r"C:\\Program%"))

[ActivityMonitoringRule]
# Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
RuleName = Suspicious Control Panel DLL Load
EventType = Process.Start
Tag = proc-start-suspicious-control-panel-dll-load
RiskScore = 75
Query = ((Parent.Path like r"%\\System32\\control.exe" and Process.CommandLine like r"%\\rundll32.exe %") and not (Process.CommandLine like r"%Shell32.dll%"))

[ActivityMonitoringRule]
# Detects a suspicious copy command from a remote C$ or ADMIN$ share
RuleName = Copy from Admin Share
EventType = Process.Start
Tag = proc-start-copy-from-admin-share
RiskScore = 75
Query = (Process.CommandLine like r"%copy %\\c$%" or Process.CommandLine like r"%copy %\\ADMIN$%")

[ActivityMonitoringRule]
# Detects suspicious command lines used in Covenant launchers
RuleName = Covenant Launcher Indicators
EventType = Process.Start
Tag = proc-start-covenant-launcher-indicators
RiskScore = 75
Query = (Process.CommandLine like r"% -Sta -Nop -Window Hidden -Command %" or Process.CommandLine like r"% -Sta -Nop -Window Hidden -EncodedCommand %" or Process.CommandLine like r"%sv o (New-Object IO.MemorySteam);sv d %" or Process.CommandLine like r"%mshta file.hta%" or Process.CommandLine like r"%GruntHTTP%" or Process.CommandLine like r"%-EncodedCommand cwB2ACAAbwAgA%")

[ActivityMonitoringRule]
# Detect various execution methods of the CrackMapExec pentesting framework
RuleName = CrackMapExec Command Execution
EventType = Process.Start
Tag = proc-start-crackmapexec-command-execution
RiskScore = 75
Query = (Process.CommandLine like r"%cmd.exe /Q /c % 1> \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > %\\Temp\\% 2>&1" or Process.CommandLine like r"%powershell.exe -exec bypass -noni -nop -w 1 -C \"%" or Process.CommandLine like r"%powershell.exe -noni -nop -w 1 -enc %")

[ActivityMonitoringRule]
# The CrackMapExec pentesting framework implements a PowerShell obfuscation that contains some static strings, which this rule detects.
RuleName = CrackMapExec PowerShell Obfuscation
EventType = Process.Start
Tag = proc-start-crackmapexec-powershell-obfuscation
RiskScore = 75
Query = (Process.CommandLine like r"%powershell.exe%" and (Process.CommandLine like r"%join%split%" or Process.CommandLine like r"%( $ShellId[1]+$ShellId[13]+'x')%" or Process.CommandLine like r"%( $PSHome[%]+$PSHOME[%]+%" or Process.CommandLine like r"%( $env:Public[13]+$env:Public[5]+'x')%" or Process.CommandLine like r"%( $env:ComSpec[4,%,25]-Join'')%" or Process.CommandLine like r"%[1,3]+'x'-Join'')%"))

[ActivityMonitoringRule]
# Detects a suspicious parent of csc.exe, which could be a sign of payload delivery
RuleName = Suspicious Parent of Csc.exe
EventType = Process.Start
Tag = proc-start-suspicious-parent-of-csc.exe
RiskScore = 75
Query = (Process.Path like r"%\\csc.exe%" and (Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe"))

[ActivityMonitoringRule]
# Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
RuleName = Suspicious Csc.exe Source File Folder
EventType = Process.Start
Tag = proc-start-suspicious-csc.exe-source-file-folder
RiskScore = 75
Query = ((Process.Path like r"%\\csc.exe" and (Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%")) and not ((Parent.Path like r"C:\\Program Files%" or Parent.Path like r"%\\sdiagnhost.exe" or Parent.Path like r"%\\w3wp.exe")))

[ActivityMonitoringRule]
# Detects suspicious process injection using ZOHO's dctask64.exe
RuleName = ZOHO Dctask64 Process Injection
EventType = Process.Start
Tag = proc-start-zoho-dctask64-process-injection
RiskScore = 75
Query = ((Process.Path like r"%\\dctask64.exe") and not ((Process.CommandLine like r"%DesktopCentral\_Agent\\agent%")))

[ActivityMonitoringRule]
# Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
RuleName = Suspicious Desktopimgdownldr Command
EventType = Process.Start
Tag = proc-start-suspicious-desktopimgdownldr-command
RiskScore = 75
Query = ((Process.CommandLine like r"% /lockscreenurl:%" and not ((Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.png%"))) or (Process.CommandLine like r"%reg delete%" and Process.CommandLine like r"%\\PersonalizationCSP%"))

[ActivityMonitoringRule]
# Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
RuleName = Disabled IE Security Features
EventType = Process.Start
Tag = proc-start-disabled-ie-security-features
RiskScore = 75
Query = ((Process.CommandLine like r"% -name IEHarden %" and Process.CommandLine like r"% -value 0 %") or (Process.CommandLine like r"% -name DEPOff %" and Process.CommandLine like r"% -value 1 %") or (Process.CommandLine like r"% -name DisableFirstRunCustomize %" and Process.CommandLine like r"% -value 2 %"))

[ActivityMonitoringRule]
# Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
RuleName = DIT Snapshot Viewer Use
EventType = Process.Start
Tag = proc-start-dit-snapshot-viewer-use
RiskScore = 75
Query = ((Process.Path like r"%\\ditsnap.exe") or (Process.CommandLine like r"%ditsnap.exe%"))

[ActivityMonitoringRule]
# Detects clearing or configuration of event logs using wevtutil, powershell and wmic. Might be used by ransomware during an attack (seen with NotPetya and others)
RuleName = Suspicious Eventlog Clear or Configuration Using Wevtutil
EventType = Process.Start
Tag = proc-start-suspicious-eventlog-clear-or-configuration-using-wevtutil
RiskScore = 75
Query = (((Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%Clear-EventLog%" or Process.CommandLine like r"%Remove-EventLog%" or Process.CommandLine like r"%Limit-EventLog%")) or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"% ClearEventLog %")) or (Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log%" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log%" or Process.CommandLine like r"% sl %")))

[ActivityMonitoringRule]
# Detects a suspicious execution from an uncommon folder
RuleName = Execution in Non-Executable Folder
EventType = Process.Start
Tag = proc-start-execution-in-non-executable-folder
RiskScore = 75
Query = (Process.Path like r"%\\$Recycle.bin" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"C:\\Perflogs\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%")

[ActivityMonitoringRule]
# Detects process starts of binaries from a suspicious folder
RuleName = Executables Started in Suspicious Folder
EventType = Process.Start
Tag = proc-start-executables-started-in-suspicious-folder
RiskScore = 75
Query = (Process.Path like r"C:\\PerfLogs\\%" or Process.Path like r"C:\\$Recycle.bin\\%" or Process.Path like r"C:\\Intel\\Logs\\%" or Process.Path like r"C:\\Users\\Default\\%" or Process.Path like r"C:\\Users\\Public\\%" or Process.Path like r"C:\\Users\\NetworkService\\%" or Process.Path like r"C:\\Windows\\Fonts\\%" or Process.Path like r"C:\\Windows\\Debug\\%" or Process.Path like r"C:\\Windows\\Media\\%" or Process.Path like r"C:\\Windows\\Help\\%" or Process.Path like r"C:\\Windows\\addins\\%" or Process.Path like r"C:\\Windows\\repair\\%" or Process.Path like r"C:\\Windows\\security\\%" or Process.Path like r"%\\RSA\\MachineKeys\\%" or Process.Path like r"C:\\Windows\\system32\\config\\systemprofile\\%" or Process.Path like r"C:\\Windows\\Tasks\\%" or Process.Path like r"C:\\Windows\\System32\\Tasks\\%")

[ActivityMonitoringRule]
# Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, ...). Might be used by ransomware during an attack (seen with NotPetya and others)
RuleName = Fsutil Suspicious Invocation
EventType = Process.Start
Tag = proc-start-fsutil-suspicious-invocation
RiskScore = 75
Query = ((Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and (Process.CommandLine like r"%deletejournal%" or Process.CommandLine like r"%createjournal%"))

[ActivityMonitoringRule]
# Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
RuleName = Suspicious GUP Usage
EventType = Process.Start
Tag = proc-start-suspicious-gup-usage
RiskScore = 75
Query = (Process.Path like r"%\\GUP.exe" and not ((Process.Path like r"C:\\Users\\%\\AppData\\Local\\Notepad++\\updater\\gup.exe" or Process.Path like r"C:\\Users\\%\\AppData\\Roaming\\Notepad++\\updater\\gup.exe" or Process.Path like r"C:\\Program Files\\Notepad++\\updater\\gup.exe" or Process.Path like r"C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe")))

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts in an uncommon directory
RuleName = Suspicious MsiExec Directory
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-directory
RiskScore = 75
Query = (Process.Path like r"%\\msiexec.exe" and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")))

[ActivityMonitoringRule]
# Detects an Office binary started with an HTTP URL on its command line, which may indicate a payload download from a remote server
RuleName = Malicious Payload Download via Office Binaries
EventType = Process.Start
Tag = proc-start-malicious-payload-download-via-office-binaries
RiskScore = 75
Query = ((Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe") and Process.CommandLine like r"%http%")

[ActivityMonitoringRule]
# Detects persistence via a netsh helper DLL
RuleName = Suspicious Netsh DLL Persistence
EventType = Process.Start
Tag = proc-start-suspicious-netsh-dll-persistence
RiskScore = 75
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%helper%")

[ActivityMonitoringRule]
# Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
RuleName = Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
EventType = Process.Start
Tag = proc-start-invocation-of-active-directory-diagnostic-tool-(ntdsutil.exe)
RiskScore = 75
Query = Process.CommandLine like r"%\\ntdsutil%"

[ActivityMonitoringRule]
# Detects OpenWith.exe being used to execute another binary
RuleName = OpenWith.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-openwith.exe-executes-specified-binary
RiskScore = 75
Query = (Process.Path like r"%\\OpenWith.exe" and Process.CommandLine like r"%/c%")

[ActivityMonitoringRule]
# Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
RuleName = Suspicious Execution from Outlook
EventType = Process.Start
Tag = proc-start-suspicious-execution-from-outlook
RiskScore = 75
Query = (Process.CommandLine like r"%EnableUnsafeClientMailRules%" or (Parent.Path like r"%\\outlook.exe" and Process.CommandLine like r"\\%\\%.exe"))

[ActivityMonitoringRule]
# Detects a suspicious program execution in Outlook temp folder
RuleName = Execution in Outlook Temp Folder
EventType = Process.Start
Tag = proc-start-execution-in-outlook-temp-folder
RiskScore = 75
Query = Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%"

[ActivityMonitoringRule]
# Detects a ping command that uses a hex encoded IP address
RuleName = Ping Hex IP
EventType = Process.Start
Tag = proc-start-ping-hex-ip
RiskScore = 75
Query = ((Process.CommandLine like r"%\\ping.exe 0x%" or Process.CommandLine like r"%\\ping 0x%") and (Process.Path like r"%ping.exe%"))

[ActivityMonitoringRule]
# Detects suspicious encoded character syntax often used for defense evasion
RuleName = PowerShell Encoded Character Syntax
EventType = Process.Start
Tag = proc-start-powershell-encoded-character-syntax
RiskScore = 75
Query = Process.CommandLine like r"%(WCHAR)0x%"

[ActivityMonitoringRule]
# Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
RuleName = Suspicious Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-suspicious-encoded-powershell-command-line
RiskScore = 75
Query = ((Process.CommandLine like r"% -e JAB%" or Process.CommandLine like r"% -e  JAB%" or Process.CommandLine like r"% -e   JAB%" or Process.CommandLine like r"% -e    JAB%" or Process.CommandLine like r"% -e     JAB%" or Process.CommandLine like r"% -e      JAB%" or Process.CommandLine like r"% -en JAB%" or Process.CommandLine like r"% -enc JAB%" or Process.CommandLine like r"% -enc% JAB%" or Process.CommandLine like r"% -w hidden -e% JAB%" or Process.CommandLine like r"% BA^J e-" or Process.CommandLine like r"% -e SUVYI%" or Process.CommandLine like r"% -e aWV4I%" or Process.CommandLine like r"% -e SQBFAFgA%" or Process.CommandLine like r"% -e aQBlAHgA%" or Process.CommandLine like r"% -enc SUVYI%" or Process.CommandLine like r"% -enc aWV4I%" or Process.CommandLine like r"% -enc SQBFAFgA%" or Process.CommandLine like r"% -enc aQBlAHgA%") and not (Process.CommandLine like r"% -ExecutionPolicy remotesigned %"))

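[ActivityMonitoringRule]
# Detects base64 encoded strings used in hidden malicious PowerShell command lines
# Each keyword is listed in the three base64 alignments it can take inside an encoded
# command (and in UTF-16LE as well as ASCII form), so that a substring match works
# regardless of where the keyword falls in the encoded payload.
# The Query value must stay on a single physical line: the version of this section
# that was split over two lines would have had the second half parsed as a stray
# line rather than as part of the Query.
RuleName = Malicious Base64 Encoded PowerShell Keywords in Command Lines
EventType = Process.Start
Tag = proc-start-malicious-base64-encoded-powershell-keywords-in-command-lines
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"% hidden %" and (Process.CommandLine like r"%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%" or Process.CommandLine like r"%aXRzYWRtaW4gL3RyYW5zZmVy%" or Process.CommandLine like r"%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%" or Process.CommandLine like r"%JpdHNhZG1pbiAvdHJhbnNmZX%" or Process.CommandLine like r"%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%" or Process.CommandLine like r"%Yml0c2FkbWluIC90cmFuc2Zlc%" or Process.CommandLine like r"%AGMAaAB1AG4AawBfAHMAaQB6AGUA%" or Process.CommandLine like r"%JABjAGgAdQBuAGsAXwBzAGkAegBlA%" or Process.CommandLine like r"%JGNodW5rX3Npem%" or Process.CommandLine like r"%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%" or Process.CommandLine like r"%RjaHVua19zaXpl%" or Process.CommandLine like r"%Y2h1bmtfc2l6Z%" or Process.CommandLine like r"%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%" or Process.CommandLine like r"%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%" or Process.CommandLine like r"%lPLkNvbXByZXNzaW9u%" or Process.CommandLine like r"%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%" or Process.CommandLine like r"%SU8uQ29tcHJlc3Npb2%" or Process.CommandLine like r"%Ty5Db21wcmVzc2lvb%" or Process.CommandLine like r"%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%" or Process.CommandLine like r"%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%" or Process.CommandLine like r"%lPLk1lbW9yeVN0cmVhb%" or Process.CommandLine like r"%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%" or Process.CommandLine like r"%SU8uTWVtb3J5U3RyZWFt%" or Process.CommandLine like r"%Ty5NZW1vcnlTdHJlYW%" or Process.CommandLine like r"%4ARwBlAHQAQwBoAHUAbgBrA%" or Process.CommandLine like r"%5HZXRDaHVua%" or Process.CommandLine like r"%AEcAZQB0AEMAaAB1AG4Aaw%" or Process.CommandLine like r"%LgBHAGUAdABDAGgAdQBuAGsA%" or Process.CommandLine like r"%LkdldENodW5r%" or Process.CommandLine like r"%R2V0Q2h1bm%" or Process.CommandLine like r"%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%" or Process.CommandLine like r"%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%" or Process.CommandLine like r"%RIUkVBRF9JTkZPNj%" or Process.CommandLine like r"%SFJFQURfSU5GTzY0%" or Process.CommandLine like r"%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%" or Process.CommandLine like r"%VEhSRUFEX0lORk82N%" or Process.CommandLine like r"%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%" or Process.CommandLine like r"%cmVhdGVSZW1vdGVUaHJlYW%" or Process.CommandLine like r"%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%" or Process.CommandLine like r"%NyZWF0ZVJlbW90ZVRocmVhZ%" or Process.CommandLine like r"%Q3JlYXRlUmVtb3RlVGhyZWFk%" or Process.CommandLine like r"%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%" or Process.CommandLine like r"%0AZQBtAG0AbwB2AGUA%" or Process.CommandLine like r"%1lbW1vdm%" or Process.CommandLine like r"%AGUAbQBtAG8AdgBlA%" or Process.CommandLine like r"%bQBlAG0AbQBvAHYAZQ%" or Process.CommandLine like r"%bWVtbW92Z%" or Process.CommandLine like r"%ZW1tb3Zl%"))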

[ActivityMonitoringRule]
# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
RuleName = Suspicious Use of Procdump
EventType = Process.Start
Tag = proc-start-suspicious-use-of-procdump
RiskScore = 75
Query = (((Process.CommandLine like r"% -ma %") and (Process.CommandLine like r"% lsass%")) or (Process.CommandLine like r"% -ma ls%"))

[ActivityMonitoringRule]
# Detects programs running in suspicious file system locations
RuleName = Suspicious Program Location Process Starts
EventType = Process.Start
Tag = proc-start-suspicious-program-location-process-starts
RiskScore = 75
Query = (Process.Path like r"%\\$Recycle.bin" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"C:\\Perflogs\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%" or Process.Path like r"%\\Windows\\debug\\%")

[ActivityMonitoringRule]
# Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
RuleName = PowerShell DownloadFile
EventType = Process.Start
Tag = proc-start-powershell-downloadfile
RiskScore = 75
Query = (Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%.DownloadFile%" and Process.CommandLine like r"%System.Net.WebClient%")

[ActivityMonitoringRule]
# Detects various anomalies in relation to regsvr32.exe
RuleName = Regsvr32 Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%\\Temp\\%") or (Process.Path like r"%\\regsvr32.exe" and Parent.Path like r"%\\powershell.exe") or (Process.Path like r"%\\regsvr32.exe" and Parent.Path like r"%\\cmd.exe") or (Process.Path like r"%\\regsvr32.exe" and (Process.CommandLine like r"%/i:http% scrobj.dll" or Process.CommandLine like r"%/i:ftp% scrobj.dll")) or (Process.Path like r"%\\wscript.exe" and Parent.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\EXCEL.EXE" and Process.CommandLine like r"%..\\..\\..\\Windows\\System32\\regsvr32.exe %"))

[ActivityMonitoringRule]
# Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
RuleName = Regsvr32 Flags Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-flags-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"% /i:%") and not (Process.CommandLine like r"% /n %"))

[ActivityMonitoringRule]
# Detects suspicious rundll32.exe invocations that call a DLL export by ordinal
RuleName = Suspicious Call by Ordinal
EventType = Process.Start
Tag = proc-start-suspicious-call-by-ordinal
RiskScore = 75
Query = Process.CommandLine like r"%\\rundll32.exe %,#%"

[ActivityMonitoringRule]
# Detects service path modification to powershell/cmd
RuleName = Suspicious Service Path Modification
EventType = Process.Start
Tag = proc-start-suspicious-service-path-modification
RiskScore = 75
Query = (Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%binpath%" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd%"))

[ActivityMonitoringRule]
# Detects possible use of the Squirrel package manager (update.exe) as a LOLBin
RuleName = Squirrel Lolbin
EventType = Process.Start
Tag = proc-start-squirrel-lolbin
RiskScore = 75
Query = ((Process.Path like r"%\\update.exe") and (Process.CommandLine like r"%--processStart%.exe%" or Process.CommandLine like r"%--processStartAndWait%.exe%" or Process.CommandLine like r"%--createShortcut%.exe%"))

[ActivityMonitoringRule]
# Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
# Literal (wildcard-free) comparison of Process.User against "NT AUTHORITY\SYSTEM" plus a taskmgr.exe image.
# NOTE(review): on non-English Windows the authority part of the account name can be localized - confirm
# what Process.User reports there before relying on this rule.
RuleName = Taskmgr as LOCAL_SYSTEM
EventType = Process.Start
Tag = proc-start-taskmgr-as-local_system
RiskScore = 75
Query = (Process.User like r"NT AUTHORITY\\SYSTEM" and Process.Path like r"%\\taskmgr.exe")

[ActivityMonitoringRule]
# Detects a tscon.exe start as LOCAL SYSTEM
# Literal (wildcard-free) comparison of Process.User against "NT AUTHORITY\SYSTEM" plus a tscon.exe image.
# NOTE(review): localized Windows installations may report a different authority name - confirm.
RuleName = Suspicious TSCON Start
EventType = Process.Start
Tag = proc-start-suspicious-tscon-start
RiskScore = 75
Query = (Process.User like r"NT AUTHORITY\\SYSTEM" and Process.Path like r"%\\tscon.exe")

[ActivityMonitoringRule]
# Detects a suspicious RDP session redirect using tscon.exe
# CommandLine-only match for " /dest:rdp-tcp:"; there is no image constraint, so any process passing that
# argument is flagged, not only tscon.exe.
RuleName = Suspicious RDP Redirect Using TSCON
EventType = Process.Start
Tag = proc-start-suspicious-rdp-redirect-using-tscon
RiskScore = 75
Query = Process.CommandLine like r"% /dest:rdp-tcp:%"

[ActivityMonitoringRule]
# Detects the execution of CSharp interactive console by PowerShell
# csi.exe started by powershell.exe. The trailing Process.Name == "csi.exe" test appears redundant with the
# Process.Path pattern that precedes it.
RuleName = Suspicious Use of CSharp Interactive Console
EventType = Process.Start
Tag = proc-start-suspicious-use-of-csharp-interactive-console
RiskScore = 75
Query = (Process.Path like r"%\\csi.exe" and Parent.Path like r"%\\powershell.exe" and Process.Name == "csi.exe")

[ActivityMonitoringRule]
# Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
# Fires for every whoami.exe start (matched by path or by name), regardless of user or parent; the
# "Run Whoami as SYSTEM" rule later in this file matches a strict subset of these events.
RuleName = Whoami Execution
EventType = Process.Start
Tag = proc-start-whoami-execution
RiskScore = 75
Query = (Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe")

[ActivityMonitoringRule]
# Detects WMI executing rundll32
# CommandLine-only match for a wmic-style "process call create" invocation that also mentions rundll32;
# no Process.Path constraint.
RuleName = Suspicious WMI Execution Using Rundll32
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution-using-rundll32
RiskScore = 75
Query = (Process.CommandLine like r"%process call create%" and Process.CommandLine like r"%rundll32%")

[ActivityMonitoringRule]
# Detect possible Sysmon driver unload
# fltmc.exe with "unload" and "sys" as substrings. "sys" is a loose substring, so unloading any minifilter
# driver (not only Sysmon) trips this rule; triage by the driver name actually given on the command line.
RuleName = Sysmon Driver Unload
EventType = Process.Start
Tag = proc-start-sysmon-driver-unload
RiskScore = 75
Query = (Process.Path like r"%\\fltmc.exe" and Process.CommandLine like r"%unload%" and Process.CommandLine like r"%sys%")

[ActivityMonitoringRule]
# Detects a Windows program executable started in a suspicious folder
# Image names that normally live under the Windows system directories, started from any other location.
# NOTE(review): the exclusions are hard-coded to drive C: (plus \SystemRoot\System32\), so a host with
# Windows on another drive alerts for every listed binary. Exclusions are listed per letter case
# ("System32"/"system32", "SysWow64"/"SysWOW64"), which suggests case-sensitive matching; an all-caps
# "C:\WINDOWS\..." path would then not be excluded - confirm against the uberAgent matcher.
RuleName = System File Execution Location Anomaly
EventType = Process.Start
Tag = proc-start-system-file-execution-location-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\spoolsv.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\winlogon.exe" or Process.Path like r"%\\explorer.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\Taskmgr.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\smartscreen.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\audiodg.exe" or Process.Path like r"%\\wlanext.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\system32\\%" or Process.Path like r"C:\\Windows\\SysWow64\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\explorer.exe" or Process.Path like r"C:\\Windows\\winsxs\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"\\SystemRoot\\System32\\%")))

[ActivityMonitoringRule]
# Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
# Child of a svchost.exe whose command line ends with "termsvcs" (the pattern has no trailing wildcard, so
# any argument after "termsvcs" defeats the match); rdpclip.exe children are excluded.
RuleName = Terminal Service Process Spawn
EventType = Process.Start
Tag = proc-start-terminal-service-process-spawn
RiskScore = 75
Query = (Parent.CommandLine like r"%\\svchost.exe%termsvcs" and not (Process.Path like r"%\\rdpclip.exe"))

[ActivityMonitoringRule]
# Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
# NOTE(review): the description speaks of child processes, but the query matches cmstp.exe itself
# (Process.Path) started with "/s" or "/au" anywhere in its command line; children of cmstp.exe are
# covered by the "CMSTP Execution" rule in this file. "/s" is a loose substring and may also appear in
# unrelated arguments.
RuleName = Bypass UAC via CMSTP
EventType = Process.Start
Tag = proc-start-bypass-uac-via-cmstp
RiskScore = 75
Query = (Process.Path like r"%\\cmstp.exe" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%/au%"))

[ActivityMonitoringRule]
# Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
# Any child process of fodhelper.exe, with no restriction on the child image.
RuleName = Bypass UAC via Fodhelper.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-fodhelper.exe
RiskScore = 75
Query = Parent.Path like r"%\\fodhelper.exe"

[ActivityMonitoringRule]
# Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
# Any child of wsreset.exe other than conhost.exe.
# NOTE(review): the "Wsreset UAC Bypass" rule later in this file matches children of "WSreset.exe" with
# no conhost.exe exclusion; depending on whether "like" is case-sensitive, that rule either targets a
# differently-cased spelling or is a superset that alerts on the conhost.exe children excluded here.
RuleName = Bypass UAC via WSReset.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-wsreset.exe
RiskScore = 75
Query = (Parent.Path like r"%\\wsreset.exe" and not (Process.Path like r"%\\conhost.exe"))

[ActivityMonitoringRule]
# Detects certain command line parameters often used during reconnaissance activity via web shells
# Web server parents (apache, tomcat, w3wp, php-cgi, nginx, httpd) starting a child whose command line
# carries common reconnaissance strings. "systeminfo" must be at the end of the command line (no trailing
# wildcard); the other keywords match anywhere.
RuleName = Webshell Detection With Command Line Keywords
EventType = Process.Start
Tag = proc-start-webshell-detection-with-command-line-keywords
RiskScore = 75
Query = ((Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe") and (Process.CommandLine like r"%whoami%" or Process.CommandLine like r"%net user %" or Process.CommandLine like r"%ping -n %" or Process.CommandLine like r"%systeminfo" or Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%cd /d%"))

[ActivityMonitoringRule]
# Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
# Same web server parents as the preceding rule, restricted to cmd.exe children asking perl/python/wget for help.
# NOTE(review): the Tag contains "&" (carried over from the RuleName); confirm that character is acceptable
# in Tag values. The parent patterns here carry a trailing wildcard after ".exe" while the sibling webshell
# rules do not - harmless but inconsistent.
RuleName = Webshell Recon Detection Via CommandLine & Processes
EventType = Process.Start
Tag = proc-start-webshell-recon-detection-via-commandline-&-processes
RiskScore = 75
Query = ((Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%" or Parent.Path like r"%\\w3wp.exe%" or Parent.Path like r"%\\php-cgi.exe%" or Parent.Path like r"%\\nginx.exe%" or Parent.Path like r"%\\httpd.exe%") and (Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%perl --help%" or Process.CommandLine like r"%python --help%" or Process.CommandLine like r"%wget --help%" or Process.CommandLine like r"%perl -h%"))

[ActivityMonitoringRule]
# Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
# Web server parents spawning a shell or bitsadmin.exe. The parent list uses "\tomcat.exe" here whereas the
# two preceding webshell rules use "\tomcat" as a prefix - keep the lists consistent if one is adjusted.
RuleName = Shells Spawned by Web Servers
EventType = Process.Start
Tag = proc-start-shells-spawned-by-web-servers
RiskScore = 75
Query = ((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\tomcat.exe") and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))

[ActivityMonitoringRule]
# Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
# whoami.exe started under the literal account "NT AUTHORITY\SYSTEM". This is a strict subset of the
# "Whoami Execution" rule in this file, so both rules fire for the same event.
# NOTE(review): localized Windows installations may report a different authority name - confirm.
RuleName = Run Whoami as SYSTEM
EventType = Process.Start
Tag = proc-start-run-whoami-as-system
RiskScore = 75
Query = (Process.User like r"NT AUTHORITY\\SYSTEM" and Process.Path like r"%\\whoami.exe")

[ActivityMonitoringRule]
# Detects Task Scheduler .job import arbitrary DACL write
# schtasks.exe with /change, /TN, /RU and /RP appearing in that order on the command line; the pattern is
# order-dependent, so the same switches given in another order do not match.
RuleName = Windows 10 Scheduled Task SandboxEscaper 0-day
EventType = Process.Start
Tag = proc-start-windows-10-scheduled-task-sandboxescaper-0-day
RiskScore = 75
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/change%/TN%/RU%/RP%")

[ActivityMonitoringRule]
# Detects WMI script event consumers
# scrcons.exe started by svchost.exe, both matched by full literal path (no wildcards).
# NOTE(review): both paths are pinned to drive C: and use different letter cases ("C:\WINDOWS\system32"
# versus "C:\Windows\System32"); if "like" is case-sensitive, the exact spelling uberAgent reports decides
# whether this rule ever matches - confirm.
RuleName = WMI Persistence - Script Event Consumer
EventType = Process.Start
Tag = proc-start-wmi-persistence-script-event-consumer
RiskScore = 75
Query = (Process.Path like r"C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and Parent.Path like r"C:\\Windows\\System32\\svchost.exe")

[ActivityMonitoringRule]
# Detects WMI spawning PowerShell
# powershell.exe started by wmiprvse.exe.
# NOTE(review): only powershell.exe is listed; pwsh.exe (PowerShell 7) is not covered - confirm whether
# that is deliberate.
RuleName = WMI Spawning Windows PowerShell
EventType = Process.Start
Tag = proc-start-wmi-spawning-windows-powershell
RiskScore = 75
Query = ((Parent.Path like r"%\\wmiprvse.exe") and (Process.Path like r"%\\powershell.exe"))

[ActivityMonitoringRule]
# Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
# Any start of Microsoft.Workflow.Compiler.exe, regardless of parent, user or arguments.
RuleName = Microsoft Workflow Compiler
EventType = Process.Start
Tag = proc-start-microsoft-workflow-compiler
RiskScore = 75
Query = Process.Path like r"%\\Microsoft.Workflow.Compiler.exe"

[ActivityMonitoringRule]
# Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
# Any child of WSreset.exe, with no exclusion.
# NOTE(review): overlaps with "Bypass UAC via WSReset.exe" earlier in this file, which excludes conhost.exe
# children; the image name is spelled "WSreset.exe" here and "wsreset.exe" there. Consolidate the two once
# the case-sensitivity of "like" is confirmed.
RuleName = Wsreset UAC Bypass
EventType = Process.Start
Tag = proc-start-wsreset-uac-bypass
RiskScore = 75
Query = (Parent.Path like r"%\\WSreset.exe")

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
# Any child process of cmstp.exe (no restriction on the child image).
# NOTE(review): this section is repeated verbatim at the end of the file with the same Tag; confirm whether
# duplicate rules double-fire and remove one copy.
RuleName = CMSTP Execution
EventType = Process.Start
Tag = proc-start-cmstp-execution
RiskScore = 75
Query = Parent.Path like r"%\\cmstp.exe"

[ActivityMonitoringRule]
# Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
# Command line that begins with "dnscmd.exe /config /serverlevelplugindll " (no leading wildcard).
# NOTE(review): a command line that starts with a full or quoted path to dnscmd.exe, or uses different
# spacing or letter case for the switch, does not match; confirm how uberAgent reports CommandLine
# before relying on the anchored form.
RuleName = DNS ServerLevelPluginDll Install
EventType = Process.Start
Tag = proc-start-dns-serverlevelplugindll-install
RiskScore = 75
Query = Process.CommandLine like r"dnscmd.exe /config /serverlevelplugindll %"

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
# NOTE(review): verbatim duplicate of the "CMSTP Execution" section earlier in this file (same RuleName,
# Tag and Query); keep only one copy unless uberAgent is known to de-duplicate identical rules.
RuleName = CMSTP Execution
EventType = Process.Start
Tag = proc-start-cmstp-execution
RiskScore = 75
Query = Parent.Path like r"%\\cmstp.exe"

