

This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

uberAgent-ESA-am-sigma-high.conf

The following is the uberAgent-ESA-am-sigma-high.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# Only rules whose Sigma level is "high" are included in this file; accordingly every rule below carries RiskScore = 75
#

[ActivityMonitoringRule]
# Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
# Net.Any covers both directions: the two addresses are checked as the target IP and as the source IP of the connection.
# NOTE(review): these are static IP indicators from a historical leak. IP space gets reassigned over time, so verify
# current ownership of the address before treating a hit as confirmed C2 rather than as a lead.
RuleName = Equation Group C2 Communication
EventType = Net.Any
Tag = equation-group-c2-communication
RiskScore = 75
Query = (Net.Target.Ip in ["69.42.98.86", "89.185.234.145"] or Net.Source.Ip in ["69.42.98.86", "89.185.234.145"])
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port

[ActivityMonitoringRule]
# Detects suspicious DNS queries to Monero mining pools
# Every pattern is wrapped in % wildcards, so this is a substring match: any queried name that embeds one of the
# pool hostnames is caught, including longer subdomains. The Net.Any rule "Windows Crypto Mining Pool Connections"
# further down uses an exact-match list instead, so the two rules do not necessarily fire together.
# Reviewer note: the pool list is a point-in-time snapshot; regenerate from Sigma (see file header) rather than hand-editing.
RuleName = Monero Crypto Coin Mining Pool Lookup
EventType = Dns.Query
Tag = monero-crypto-coin-mining-pool-lookup
RiskScore = 75
Query = (Dns.QueryRequest like r"%pool.minexmr.com%" or Dns.QueryRequest like r"%fr.minexmr.com%" or Dns.QueryRequest like r"%de.minexmr.com%" or Dns.QueryRequest like r"%sg.minexmr.com%" or Dns.QueryRequest like r"%ca.minexmr.com%" or Dns.QueryRequest like r"%us-west.minexmr.com%" or Dns.QueryRequest like r"%pool.supportxmr.com%" or Dns.QueryRequest like r"%mine.c3pool.com%" or Dns.QueryRequest like r"%xmr-eu1.nanopool.org%" or Dns.QueryRequest like r"%xmr-eu2.nanopool.org%" or Dns.QueryRequest like r"%xmr-us-east1.nanopool.org%" or Dns.QueryRequest like r"%xmr-us-west1.nanopool.org%" or Dns.QueryRequest like r"%xmr-asia1.nanopool.org%" or Dns.QueryRequest like r"%xmr-jp1.nanopool.org%" or Dns.QueryRequest like r"%xmr-au1.nanopool.org%" or Dns.QueryRequest like r"%xmr.2miners.com%" or Dns.QueryRequest like r"%xmr.hashcity.org%" or Dns.QueryRequest like r"%xmr.f2pool.com%" or Dns.QueryRequest like r"%xmrpool.eu%" or Dns.QueryRequest like r"%pool.hashvault.pro%")
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

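[ActivityMonitoringRule]
# Detects wannacry killswitch domain dns queries
# Exact-match list of the known killswitch names. The lookup itself is the indicator; the response does not matter,
# so Dns.QueryResponse is only carried along as context for the analyst.
# Reviewer fix: the generated list ended with an empty string "", which could match any DNS event whose
# Dns.QueryRequest is empty and has nothing to do with WannaCry; that entry is dropped.
RuleName = Wannacry Killswitch Domain
EventType = Dns.Query
Tag = wannacry-killswitch-domain
RiskScore = 75
Query = Dns.QueryRequest in ["ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing", "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test", "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com", "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com", "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse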

[ActivityMonitoringRule]
# Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
# Only the Windows PowerShell host is matched (Process.Path ends with \powershell.exe); pwsh.exe is not covered.
# NOTE(review): the snap-in named here is the regular Exchange management snap-in, so legitimate admin scripts on
# Exchange servers will also fire. Tune by user, parent process or the rest of the command line (the export
# cmdlets) rather than disabling the rule.
RuleName = Exchange PowerShell Snap-Ins Used by HAFNIUM
EventType = Process.Start
Tag = proc-start-exchange-powershell-snap-ins-used-by-hafnium
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%add-pssnapin microsoft.exchange.powershell.snapin%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
# All three conditions must hold: the parent is svchost.exe, the child is mmc.exe, and the command line contains
# -Embedding (presumably the switch passed when the MMC20.Application object is activated via COM rather than
# started interactively). The collected hashes are those of mmc.exe itself; the interesting context is the
# remote caller, which this event does not carry.
RuleName = MMC20 Lateral Movement
EventType = Process.Start
Tag = proc-start-mmc20-lateral-movement
RiskScore = 75
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mmc.exe" and Process.CommandLine like r"%-Embedding%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
# Fires when mshta.exe's command line mentions vbscript or a file extension that is not .hta (image, shortcut,
# Office document, archive). The extension case is the polyglot scenario from the description: HTA content
# hidden in a file whose name suggests another type.
# NOTE(review): the extension patterns are plain substrings (".doc" also matches ".docx"), and "vbscript"
# presumably catches inline vbscript: handlers - confirm against the upstream rule before tuning.
RuleName = MSHTA Suspicious Execution 01
EventType = Process.Start
Tag = proc-start-mshta-suspicious-execution-01
RiskScore = 75
Query = (Process.Path like r"%\\mshta.exe" and (Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.lnk%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.zip%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
# NOTE(review): the EventID 8 / TargetImage / "field Process" wording above comes from the Sysmon-based upstream
# rule. In this query Process.Path is compared against lsass.exe, so here it denotes the process receiving the
# thread; confirm in the uberAgent Process.CreateRemoteThread field reference which property identifies the
# injecting process before relying on the Process.Hash.* values to name the dumper.
# Thread.StartModule == "" presumably keeps only threads whose start address maps to no loaded module, which is
# the injected-code case the rule is after.
RuleName = Password Dumper Remote Thread in LSASS
EventType = Process.CreateRemoteThread
Tag = password-dumper-remote-thread-in-lsass
RiskScore = 75
Query = (Process.Path like r"%\\lsass.exe" and Thread.StartModule == "")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
# There is no Process.Path constraint: any process whose command line contains both " /vss " and " /y " matches,
# not only esentutl.exe (so a renamed copy is still caught, at the price of occasional unrelated hits).
# Each pattern is padded with spaces, so a flag sitting at the very end of the command line with no trailing
# space is not matched.
RuleName = Suspicious Esentutl Use
EventType = Process.Start
Tag = proc-start-suspicious-esentutl-use
RiskScore = 75
Query = (Process.CommandLine like r"% /vss %" and Process.CommandLine like r"% /y %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
# NOTE(review): unlike most rules in this file, these patterns carry no leading/trailing % wildcard (e.g.
# "vssadmin.exe Delete Shadows", or "reg SAVE HKLM\SYSTEM " with its trailing space). If like is a full-string
# match, as the consistent use of % elsewhere suggests, they only hit a command line that equals the pattern
# exactly; the copy/esentutl patterns with embedded _ and % wildcards are the ones likely to match in practice.
# Confirm against the documented uberAgent like semantics before relying on the vssadmin/reg patterns.
RuleName = Activity Related to NTDS.dit Domain Hash Retrieval
EventType = Process.Start
Tag = proc-start-activity-related-to-ntds.dit-domain-hash-retrieval
RiskScore = 75
Query = (Process.CommandLine like r"vssadmin.exe Delete Shadows" or Process.CommandLine like r"vssadmin create shadow /for=C:" or Process.CommandLine like r"copy \\_\\GLOBALROOT\\Device\\%\\windows\\ntds\\ntds.dit" or Process.CommandLine like r"copy \\_\\GLOBALROOT\\Device\\%\\config\\SAM" or Process.CommandLine like r"vssadmin delete shadows /for=C:" or Process.CommandLine like r"reg SAVE HKLM\\SYSTEM " or Process.CommandLine like r"esentutl.exe /y /vss %\\ntds.dit%" or Process.CommandLine like r"esentutl.exe /y /vss %\\SAM" or Process.CommandLine like r"esentutl.exe /y /vss %\\SYSTEM")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Azure Hybrid Connection Manager services querying the Azure service bus service
# Both conditions describe what a legitimately installed Hybrid Connection Manager does, so this fires on every
# such install. The value is in spotting the HCM process on hosts where nobody deployed it deliberately; expect
# to exclude known relay hosts locally rather than treat each hit as an incident.
RuleName = DNS HybridConnectionManager Service Bus
EventType = Dns.Query
Tag = dns-hybridconnectionmanager-service-bus
RiskScore = 75
Query = (Dns.QueryRequest like r"%servicebus.windows.net%" and Process.Path like r"%HybridConnectionManager%")
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects DNS queries for subdomains used for upload to MEGA.io
# Only names containing userstorage.mega.co.nz are matched; lookups of other mega.nz / mega.co.nz hosts (web UI,
# API) are out of scope here, so this is a narrow exfiltration-stage signal, not a "MEGA in use" rule.
RuleName = DNS Query for MEGA.io Upload Domain
EventType = Dns.Query
Tag = dns-query-for-mega.io-upload-domain
RiskScore = 75
Query = Dns.QueryRequest like r"%userstorage.mega.co.nz%"
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects network connections and DNS queries initiated by Regsvr32.exe
# DNS half of the rule: any name resolution performed by a process whose path ends in \regsvr32.exe. The Net.Any
# half is a separate rule further down that reuses the same Tag value; confirm whether uberAgent requires Tags
# to be unique before keying dashboards on it.
# NOTE(review): regsvr32 resolving names is unusual on its own; the classic driver is remote scriptlet loading
# (/i:http://...). The command line is not among the collected properties here, so correlate with Process.Start.
RuleName = Regsvr32 Network Activity
EventType = Dns.Query
Tag = regsvr32-network-activity
RiskScore = 75
Query = Process.Path like r"%\\regsvr32.exe"
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
# Image.Path is a literal path with no wildcard and a hard-coded C: drive: only oci.dll loaded by msdtc.exe from
# exactly C:\Windows\ is matched. A non-default system drive, or the DLL planted in another search-order
# location, is not covered by this rule.
RuleName = Pingback Backdoor
EventType = Image.Load
Tag = pingback-backdoor
RiskScore = 75
Query = (Process.Path like r"%msdtc.exe" and Image.Path like r"C:\\Windows\\oci.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
# Process.Start variant: fires for any process whose parent is tttracer.exe, i.e. the launched/traced child.
# The Process.Hash.* values collected are those of the child, not of tttracer itself.
# A companion Image.Load rule with the same RuleName (different Tag) watches for the ttd*.dll recorder libraries.
RuleName = Time Travel Debugging Utility Usage
EventType = Process.Start
Tag = proc-start-time-travel-debugging-utility-usage
RiskScore = 75
Query = Parent.Path like r"%\\tttracer.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
# Any process loading MicrosoftAccountTokenProvider.dll fires unless it is one of the four excluded hosts. The
# exclusion list only names BackgroundTaskHost, Visual Studio, Internet Explorer and legacy Edge; other
# processes that legitimately load the DLL in a given environment must be baselined and excluded locally.
# Image.Hash.* identify the token-provider DLL, not the loading process; the process path is in the event itself.
RuleName = Abusing Azure Browser SSO
EventType = Image.Load
Tag = abusing-azure-browser-sso
RiskScore = 75
Query = (Image.Path like r"%MicrosoftAccountTokenProvider.dll" and not ((Process.Path like r"%BackgroundTaskHost.exe" or Process.Path like r"%devenv.exe" or Process.Path like r"%iexplore.exe" or Process.Path like r"%MicrosoftEdge.exe")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
# Matches the PowerShell engine assembly (native-image or IL variant) loaded by any process outside the exclusion
# list, which names the Windows PowerShell hosts and a set of Microsoft tools that host the engine.
# NOTE(review): pwsh.exe (PowerShell 7) is not excluded; if it is installed it presumably loads
# System.Management.Automation.dll from its own directory and will fire. Baseline before deploying broadly.
# Image.Hash.* identify the engine DLL, which is the same on every hit; the loading process is the interesting part.
RuleName = In-memory PowerShell
EventType = Image.Load
Tag = in-memory-powershell
RiskScore = 75
Query = ((Image.Path like r"%\\System.Management.Automation.Dll" or Image.Path like r"%\\System.Management.Automation.ni.Dll") and not ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\WINDOWS\\System32\\sdiagnhost.exe" or Process.Path like r"%\\mscorsvw.exe" or Process.Path like r"%\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe" or Process.Path like r"%\\sqlps.exe" or Process.Path like r"%\\wsmprovhost.exe" or Process.Path like r"%\\winrshost.exe" or Process.Path like r"%\\syncappvpublishingserver.exe" or Process.Path like r"%\\runscripthelper.exe" or Process.Path like r"%\\ServerManager.exe")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects processes loading modules related to PCRE.NET package
# Matches any image loaded from the fixed folder name under %LOCALAPPDATA%\Temp. That folder name is taken from
# the upstream Sigma rule (presumably where the package extracts its native library) and is the only
# discriminator, so a hit identifies the package being used, not a particular misuse of it.
RuleName = PCRE.NET Package Image Load
EventType = Image.Load
Tag = pcre.net-package-image-load
RiskScore = 75
Query = Image.Path like r"%\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\%"
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
# scrcons.exe is the WMI script host (used by script-based WMI event consumers). Seeing it load a script engine
# or scripting helper (vbscript.dll, scrrun.dll, wshom.ocx, wbemdisp.dll) means such a consumer is executing,
# which is the mechanism behind WMI-subscription persistence. Legitimate use exists but is rare enough to review.
RuleName = WMI Script Host Process Image Loaded
EventType = Image.Load
Tag = wmi-script-host-process-image-loaded
RiskScore = 75
Query = (Process.Path like r"%\\scrcons.exe" and (Image.Path like r"%\\vbscript.dll" or Image.Path like r"%\\wbemdisp.dll" or Image.Path like r"%\\wshom.ocx" or Image.Path like r"%\\scrrun.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
# Condition: fxssvc.exe loads a ualapi.dll from anywhere except the WinSxS component store. Since the DLL does
# not normally exist for this service, a hit outside WinSxS is a planted DLL until proven otherwise; the
# Image.Hash.* properties identify that file for triage.
RuleName = Fax Service DLL Search Order Hijack
EventType = Image.Load
Tag = fax-service-dll-search-order-hijack
RiskScore = 75
Query = (((Process.Path like r"%fxssvc.exe") and (Image.Path like r"%ualapi.dll")) and not ((Image.Path like r"C:\\Windows\\WinSxS\\%")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
# Only notepad.exe is checked as the hollowed host; the two DLLs are the ones the upstream rule names as typical
# for Mimikatz. A hollowed process other than notepad.exe is not covered by this rule.
RuleName = Possible Process Hollowing Image Loading
EventType = Image.Load
Tag = possible-process-hollowing-image-loading
RiskScore = 75
Query = ((Process.Path like r"%\\notepad.exe") and (Image.Path like r"%\\samlib.dll" or Image.Path like r"%\\WinSCard.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects any assembly DLL being loaded by an Office Product
# Matches images under C:\Windows\assembly\ loaded by Word, PowerPoint, Excel or Outlook. The drive letter is
# hard-coded, so a non-C: system drive is not covered.
# NOTE(review): managed Office add-ins would presumably load from here as well; baseline before enabling broadly.
RuleName = dotNET DLL Loaded Via Office Applications
EventType = Image.Load
Tag = dotnet-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"C:\\Windows\\assembly\\%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects CLR DLL being loaded by an Office Product
# The trailing % after clr.dll means any image whose name starts with clr.dll is matched, not just clr.dll itself.
# NOTE(review): .NET-based Office add-ins (VSTO and similar) bring the CLR into Office legitimately, so in
# environments with such add-ins this rule needs local exclusions by Image.Path or process before it is useful.
RuleName = CLR DLL Loaded Via Office Applications
EventType = Image.Load
Tag = clr-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\clr.dll%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects any GAC DLL being loaded by an Office Product
# Matches images under the hard-coded C:\Windows\Microsoft.NET\assembly\GAC_MSIL prefix (the underscore is
# escaped as \_ so it is matched literally rather than as a single-character wildcard). Together with the
# "dotNET DLL" and "CLR DLL" rules above this covers the different places a managed payload can be loaded from.
RuleName = GAC DLL Loaded Via Office Applications
EventType = Image.Load
Tag = gac-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"C:\\Windows\\Microsoft.NET\\assembly\\GAC\_MSIL%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects DSParse DLL being loaded by an Office Product
# An Office process loading dsparse.dll (trailing % also accepts longer names starting with dsparse.dll) suggests
# directory-service parsing from inside a document or add-in, which is not a normal Office activity.
RuleName = Active Directory Parsing DLL Loaded Via Office Applications
EventType = Image.Load
Tag = active-directory-parsing-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\dsparse.dll%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects Kerberos DLL being loaded by an Office Product
# Matches an Office process loading kerberos.dll directly (exact name, no trailing wildcard).
# NOTE(review): whether legitimate Office authentication paths ever map this DLL into the Office process is not
# established by this rule; baseline on a few workstations before treating a hit as an in-process ticket tool.
RuleName = Active Directory Kerberos DLL Loaded Via Office Applications
EventType = Image.Load
Tag = active-directory-kerberos-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\kerberos.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects CLR DLL being loaded by an scripting applications
# Windows Script Host (wscript/cscript) or mshta.exe pulling in the CLR (clr.dll, mscoree.dll, mscorlib.dll)
# points at a script that instantiates .NET objects or loads a managed payload, which is unusual for plain
# administrative scripts. All three DLL names are matched exactly (no trailing wildcard).
RuleName = CLR DLL Loaded Via Scripting Applications
EventType = Image.Load
Tag = clr-dll-loaded-via-scripting-applications
RiskScore = 75
Query = ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe") and (Image.Path like r"%\\clr.dll" or Image.Path like r"%\\mscoree.dll" or Image.Path like r"%\\mscorlib.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects DLL's Loaded Via Word Containing VBA Macros
# Although the RuleName says Word, the query covers Word, PowerPoint, Excel and Outlook.
# NOTE(review): this presumably fires whenever the VBA runtime is brought in, i.e. for every macro-enabled
# document that runs, so in environments where macros are in business use it is an "is VBA running" signal
# to correlate with other rules rather than an indicator of malice on its own.
RuleName = VBA DLL Loaded Via Microsoft Word
EventType = Image.Load
Tag = vba-dll-loaded-via-microsoft-word
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\VBE7.DLL" or Image.Path like r"%\\VBEUI.DLL" or Image.Path like r"%\\VBE7INTL.DLL"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
# As with the VBA rule above, the query covers Word, PowerPoint, Excel and Outlook, not only Word. An Office
# process loading the WMI client libraries is the footprint of a macro that uses WMI (e.g. to spawn a process
# with a parent other than the Office application), which is a common way to break parent/child detections.
RuleName = Windows Management Instrumentation DLL Loaded Via Microsoft Word
EventType = Image.Load
Tag = windows-management-instrumentation-dll-loaded-via-microsoft-word
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\wbemdisp.dll" or Image.Path like r"%\\wbemsvc.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
# Condition: an svchost.exe process loads tsmsisrv.dll, tsvipsrv.dll or wlbsctrl.dll from anywhere except the
# WinSxS component store (the one location the upstream rule treats as legitimate). Because these names do not
# normally resolve, a hit is a planted DLL; Image.Hash.* identify it.
RuleName = Svchost DLL Search Order Hijack
EventType = Image.Load
Tag = svchost-dll-search-order-hijack
RiskScore = 75
Query = (((Process.Path like r"%\\svchost.exe") and (Image.Path like r"%\\tsmsisrv.dll" or Image.Path like r"%\\tsvipsrv.dll" or Image.Path like r"%\\wlbsctrl.dll")) and not ((Image.Path like r"C:\\Windows\\WinSxS\\%")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
# Image.Load variant: there is no Process.Path constraint, so any process mapping one of the TTD recorder
# libraries fires - tttracer.exe itself as well as a process being recorded (e.g. lsass.exe when it is dumped).
# The Process.Start rule with the same RuleName catches the children tttracer launches.
RuleName = Time Travel Debugging Utility Usage
EventType = Image.Load
Tag = time-travel-debugging-utility-usage
RiskScore = 75
Query = (Image.Path like r"%\\ttdrecord.dll" or Image.Path like r"%\\ttdwriter.dll" or Image.Path like r"%\\ttdloader.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Attempts to load dismcore.dll after dropping it
# Condition: dism.exe loads a dismcore.dll from anywhere. The bypass plants a fake dismcore.dll where the
# auto-elevated dism.exe picks it up first; the Image.Path and Image.Hash.* properties tell the planted copy apart.
# NOTE(review): there is no exclusion for the genuine DismCore.dll location under the Windows directory. If
# dism.exe maps that library during normal operation, this rule fires on every legitimate run - verify on a
# clean host and add a path exclusion if so.
RuleName = UAC Bypass With Fake DLL
EventType = Image.Load
Tag = uac-bypass-with-fake-dll
RiskScore = 75
Query = ((Process.Path like r"%\\dism.exe") and (Image.Path like r"%\\dismcore.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
# Condition: wmic.exe maps jscript.dll or vbscript.dll, which is what happens when an XSL stylesheet containing
# script is processed via /FORMAT. Ordinary wmic queries do not need a script engine.
RuleName = WMIC Loading Scripting Libraries
EventType = Image.Load
Tag = wmic-loading-scripting-libraries
RiskScore = 75
Query = (Process.Path like r"%\\wmic.exe" and (Image.Path like r"%\\jscript.dll" or Image.Path like r"%\\vbscript.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects non wmiprvse loading WMI modules
# Broad rule: any process outside the exclusion list that loads one of the WMI client/provider DLLs. The
# exclusions cover the WMI service processes and a set of Windows maintenance/telemetry tools that use WMI
# legitimately. Expect local tuning (monitoring agents, inventory tools) before this is quiet enough to page on.
# WMINet\_Utils.dll: the underscore is escaped so it matches literally.
RuleName = WMI Modules Loaded
EventType = Image.Load
Tag = wmi-modules-loaded
RiskScore = 75
Query = ((Image.Path like r"%\\wmiclnt.dll" or Image.Path like r"%\\WmiApRpl.dll" or Image.Path like r"%\\wmiprov.dll" or Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\WMINet\_Utils.dll" or Image.Path like r"%\\wbemsvc.dll" or Image.Path like r"%\\fastprox.dll") and not ((Process.Path like r"%\\WmiPrvSE.exe" or Process.Path like r"%\\WmiApSrv.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\DeviceCensus.exe" or Process.Path like r"%\\CompatTelRunner.exe" or Process.Path like r"%\\sdiagnhost.exe" or Process.Path like r"%\\SIHClient.exe" or Process.Path like r"%\\ngentask.exe" or Process.Path like r"%\\windows\\system32\\taskhostw.exe" or Process.Path like r"%\\windows\\system32\\MoUsoCoreWorker.exe" or Process.Path like r"%\\windows\\system32\\wbem\\WMIADAP.exe")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI command line event consumers
# The WMI provider host loading wbemcons.dll is the footprint of a CommandLineEventConsumer firing, i.e. a WMI
# subscription executing a command - a classic persistence mechanism.
# NOTE(review): Process.Path is a literal, fully qualified path with a hard-coded C: drive and no wildcard, so
# only the System32 WmiPrvSE.exe on drive C: is covered; the SysWOW64 instance and non-default system drives are not.
RuleName = WMI Persistence - Command Line Event Consumer
EventType = Image.Load
Tag = wmi-persistence-command-line-event-consumer
RiskScore = 75
Query = (Process.Path like r"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Image.Path like r"%\\wbemcons.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
# NOTE(review): the upstream rule keys on OriginalFileName; this translation uses Process.Path instead. The
# exclusion only applies when the process both matches one of the listed names AND lives under c:\windows\, so
# a renamed legitimate tool alerts (more noise), while a malicious binary named e.g. svchost.exe dropped under
# c:\windows\ is excluded - keep that gap in mind when triaging.
# vss\_ps.dll: the underscore is escaped so it matches literally.
RuleName = Image Load of VSS_PS.dll by Uncommon Executable
EventType = Image.Load
Tag = image-load-of-vss_ps.dll-by-uncommon-executable
RiskScore = 75
Query = ((Image.Path like r"%\\vss\_ps.dll") and not ((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\vssvc.exe" or Process.Path like r"%\\srtasks.exe" or Process.Path like r"%\\tiworker.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\searchindexer.exe" or Process.Path like r"%dismhost.exe" or Process.Path like r"%taskhostw.exe" or Process.Path like r"%\\clussvc.exe") and Process.Path like r"%c:\\windows\\%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
# Condition: any svchost.exe instance loads clfsw32.dll (the Common Log File System user-mode API, which the
# tool abuses for storage per the upstream description). There is no service-name constraint, so baseline
# which svchost-hosted services on your builds map this DLL before treating a hit as PRIVATELOG.
RuleName = APT PRIVATELOG Image Load Pattern
EventType = Image.Load
Tag = apt-privatelog-image-load-pattern
RiskScore = 75
Query = (Process.Path like r"%\\svchost.exe" and Image.Path like r"%\\clfsw32.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Attempts to detect system changes made by Blue Mockingbird
# Two alternative patterns: cmd.exe running "sc config" that references wercplsupporte.dll (spelled with the
# extra "e", as in the upstream indicator - the service DLL swap), or wmic.exe with a command line ending in
# COR_PROFILER (the .NET profiler environment-variable hijack). The underscore in COR\_PROFILER is escaped so it
# matches literally. A companion Reg.Any rule below watches the wercplsupport ServiceDll value itself.
RuleName = Blue Mockingbird
EventType = Process.Start
Tag = proc-start-blue-mockingbird
RiskScore = 75
Query = ((Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%sc config%" and Process.CommandLine like r"%wercplsupporte.dll%") or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%COR\_PROFILER"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Attempts to detect system changes made by Blue Mockingbird
# Registry half of the Blue Mockingbird detection: any registry activity (Reg.Any) touching the ServiceDll value
# of the wercplsupport service, in either HKLM or HKU. Legitimate servicing may touch this value too, so the
# collected Reg.* properties (path, value name, hive) are what lets an analyst tell an update apart from a swap.
RuleName = Blue Mockingbird
EventType = Reg.Any
Tag = blue-mockingbird
RiskScore = 75
Query = Reg.Key.Target like r"%\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
# Substring match on \software\NetWire anywhere in the key path, in both HKLM and HKU (per-user hives are where
# the HKCU key from the description actually lives). This is a pure IOC rule: a renamed configuration key evades it.
RuleName = NetWire RAT Registry Key
EventType = Reg.Any
Tag = netwire-rat-registry-key
RiskScore = 75
Query = Reg.Key.Target like r"%\\software\\NetWire%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects suspicious network connection by Notepad
# Any network activity by notepad.exe except connections to target port 9100 (presumably excluded to allow raw
# printing to network printers). notepad.exe has no other reason to talk on the network, so a hit usually means
# the process is being used as an injection/hollowing host; correlate with the Image.Load hollowing rule.
RuleName = Notepad Making Network Connection
EventType = Net.Any
Tag = notepad-making-network-connection
RiskScore = 75
Query = (Process.Path like r"%\\notepad.exe" and not (Net.Target.Port == "9100"))
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port

[ActivityMonitoringRule]
# Detects network connections and DNS queries initiated by Regsvr32.exe
# Network half of the rule: any connection by a process whose path ends in \regsvr32.exe; the Dns.Query half is
# a separate rule above with the same Tag value. Net.Target.Ip/Name/Port show where the scriptlet or payload
# was fetched from; confirm whether uberAgent requires unique Tags before keying dashboards on it.
RuleName = Regsvr32 Network Activity
EventType = Net.Any
Tag = regsvr32-network-activity
RiskScore = 75
Query = Process.Path like r"%\\regsvr32.exe"
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port

[ActivityMonitoringRule]
# Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
# Matches any process, not only PowerShell, connecting to the WinRM ports (5985 HTTP / 5986 HTTPS) unless it runs
# as NT AUTHORITY\NETWORK SERVICE. Legitimate remote management from admin workstations (Enter-PSSession,
# Invoke-Command, tooling built on WinRM) fires as well, so scope this to hosts that should not initiate WinRM,
# or tune by Process.User.
RuleName = Remote PowerShell Session
EventType = Net.Any
Tag = remote-powershell-session
RiskScore = 75
Query = (Net.Target.Port in ["5985", "5986"] and not (Process.User like r"NT AUTHORITY\\NETWORK SERVICE"))
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port

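[ActivityMonitoringRule]
# Detects programs with network connections running in suspicious files system locations
# Any network activity by an executable located under one of the listed directories: user-profile folders that
# normally hold no executables (All Users, Default, Public, Contacts, Searches), the system profile, Windows
# subfolders that are writable or unusual for binaries (Fonts, IME, addins), the recycle bin, and C:\Perflogs
# (hard-coded drive letter).
# Reviewer fix: the generated recycle-bin pattern was "%\$Recycle.bin" with no trailing wildcard, which only
# matches a process path ending in the directory name itself and therefore never matches an executable inside
# it; it is now "%\$Recycle.bin\%" so binaries dropped anywhere beneath $Recycle.bin are caught.
RuleName = Suspicious Program Location with Network Connections
EventType = Net.Any
Tag = suspicious-program-location-with-network-connections
RiskScore = 75
Query = ((Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\Users\\Contacts\\%" or Process.Path like r"%\\Users\\Searches\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%") or (Process.Path like r"%\\$Recycle.bin\\%") or (Process.Path like r"C:\\Perflogs\\%"))
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port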

[ActivityMonitoringRule]
# Detects process connections to a Monero crypto mining pool
# Exact match on the resolved target name (in-list, no wildcards), so a connection to a subdomain or an IP that
# was not resolved through one of these names is missed; the Dns.Query rule "Monero Crypto Coin Mining Pool
# Lookup" above uses substring matching and complements this one. Both "moneroocean.stream" and
# "monerocean.stream" are in the upstream list.
RuleName = Windows Crypto Mining Pool Connections
EventType = Net.Any
Tag = windows-crypto-mining-pool-connections
RiskScore = 75
Query = Net.Target.Name in ["pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com", "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com", "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org", "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu", "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream"]
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port

[ActivityMonitoringRule]
# Detects suspicious shell spawn from WinRM host process
# wsmprovhost.exe is the host for incoming WinRM/PowerShell-remoting sessions; it spawning a shell, task
# scheduler, certutil, whoami or bitsadmin is the server-side view of an attacker working through a remote
# session. Interactive admins using Enter-PSSession produce the same pattern, so pair with the user context.
# sh.exe / bash.exe cover Unix-style shells installed on the host (Git for Windows, WSL launchers and the like).
RuleName = Suspicious Shells Spawn by WinRM
EventType = Process.Start
Tag = proc-start-suspicious-shells-spawn-by-winrm
RiskScore = 75
Query = (Parent.Path like r"%\\wsmprovhost.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
# A single SHA1 (like without wildcards, i.e. an exact match) that is suppressed when the binary runs from
# Program Files or Program Files(x86). The path exclusion implies this hash belongs to a dual-use tool that is
# acceptable in its normal install location but suspicious elsewhere; the upstream rule does not name it here.
# The sibling rule below carries the unconditional hash list for the same actor.
RuleName = GALLIUM Artefacts
EventType = Process.Start
Tag = proc-start-gallium-artefacts
RiskScore = 75
Query = ((Process.Hash.SHA1 like r"e570585edc69f9074cb5e8a790708336bd45ca0f") and not ((Process.Path like r"%:\\Program Files(x86)\\%" or Process.Path like r"%:\\Program Files\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
# Pure hash IOC list (exact SHA1 match on the started process). Hash indicators are precise but brittle: any
# rebuild or padding of the tool produces a new hash, so treat this as a retro-hunt / known-sample check rather
# than as coverage for the actor. Same RuleName and Tag as the single-hash rule above; confirm whether uberAgent
# tolerates duplicate Tags before relying on either for reporting.
RuleName = GALLIUM Artefacts
EventType = Process.Start
Tag = proc-start-gallium-artefacts
RiskScore = 75
Query = Process.Hash.SHA1 in ["53a44c2396d15c3a03723fa5e5db54cafd527635", "9c5e496921e3bc882dc40694f1dcc3746a75db19", "aeb573accfd95758550cf30bf04f389a92922844", "79ef78a797403a4ed1a616c68e07fff868a8650a", "4f6f38b4cec35e895d91c052b1f5a83d665c2196", "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d", "e841a63e47361a572db9a7334af459ddca11347a", "c28f606df28a9bc8df75a4d5e5837fc5522dd34d", "2e94b305d6812a9f96e6781c888e48c7fb157b6b", "dd44133716b8a241957b912fa6a02efde3ce3025", "8793bf166cb89eb55f0593404e4e933ab605e803", "a39b57032dbb2335499a51e13470a7cd5d86b138", "41cc2b15c662bc001c0eb92f6cc222934f0beeea", "d209430d6af54792371174e70e27dd11d3def7a7", "1c6452026c56efd2c94cea7e0f671eb55515edb0", "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a", "4923d460e22fbbf165bbbaba168e5a46b8157d9f", "f201504bd96e81d0d350c3a8332593ee1c9e09de", "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"]
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects activity mentioned in Operation Wocao report
RuleName = Operation Wocao Activity
EventType = Process.Start
Tag = proc-start-operation-wocao-activity
RiskScore = 75
# Pure command-line substring match; Process.Path is not constrained. `\_` appears to be the escaped
# literal underscore used in like patterns throughout this file, and the bare `%` between `Software\\`
# and `\\PuTTY` in the last clause is a wildcard spanning the vendor key name.
Query = (Process.CommandLine like r"%checkadmin.exe 127.0.0.1 -all%" or Process.CommandLine like r"%netsh advfirewall firewall add rule name=powershell dir=in%" or Process.CommandLine like r"%cmd /c powershell.exe -ep bypass -file c:\\s.ps1%" or Process.CommandLine like r"%/tn win32times /f%" or Process.CommandLine like r"%create win32times binPath=%" or Process.CommandLine like r"%\\c$\\windows\\system32\\devmgr.dll%" or Process.CommandLine like r"% -exec bypass -enc JgAg%" or Process.CommandLine like r"%type %keepass\\KeePass.config.xml%" or Process.CommandLine like r"%iie.exe iie.txt%" or Process.CommandLine like r"%reg query HKEY\_CURRENT\_USER\\Software\\%\\PuTTY\\Sessions\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command used by conti to dump database
RuleName = Conti Backup Database
EventType = Process.Start
Tag = proc-start-conti-backup-database
RiskScore = 75
# The `% -S localhost %` clause requires that exact token, spacing included; sqlcmd pointed at
# `.`, `(local)` or a remote instance name does not satisfy it, so this is narrow by design.
Query = ((Process.CommandLine like r"%sqlcmd %" or Process.CommandLine like r"%sqlcmd.exe%") and Process.CommandLine like r"% -S localhost %" and (Process.CommandLine like r"%sys.sysprocesses%" or Process.CommandLine like r"%master.dbo.sysdatabases%" or Process.CommandLine like r"%BACKUP DATABASE%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
RuleName = DNS ServerLevelPluginDll Install
EventType = Process.Start
Tag = proc-start-dns-serverlevelplugindll-install
RiskScore = 75
# Only the dnscmd.exe route is covered here: this is a Process.Start rule, so the same value being
# written to the registry directly (without dnscmd) needs a separate registry-based rule.
Query = (Process.Path like r"%\\dnscmd.exe" and Process.CommandLine like r"%/config%" and Process.CommandLine like r"%/serverlevelplugindll%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule will monitor any office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
RuleName = New Lolbin Process by Office Applications
EventType = Process.Start
Tag = proc-start-new-lolbin-process-by-office-applications
RiskScore = 75
# NOTE(review): the Process.Path patterns end in the bare name (`%regsvr32`) with no `\\` or `.exe`,
# unlike the `%\\name.exe` form used elsewhere in this file. If Process.Path carries the full image
# path including the extension, these clauses never match - confirm against live events.
Query = ((Process.Path like r"%regsvr32" or Process.Path like r"%rundll32" or Process.Path like r"%msiexec" or Process.Path like r"%mshta" or Process.Path like r"%verclsid") and (Parent.Path like r"%winword.exe" or Parent.Path like r"%excel.exe" or Parent.Path like r"%powerpnt.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
RuleName = Lolbins Process Creation with WmiPrvse
EventType = Process.Start
Tag = proc-start-lolbins-process-creation-with-wmiprvse
RiskScore = 75
# NOTE(review): the child patterns end in the bare name (`%regsvr32`) without `.exe`, while the parent
# is matched as `%\\wbem\\WmiPrvSE.exe`. If Process.Path includes the extension, the child clause can
# never be true - confirm against live events before relying on this rule.
Query = ((Process.Path like r"%regsvr32" or Process.Path like r"%rundll32" or Process.Path like r"%msiexec" or Process.Path like r"%mshta" or Process.Path like r"%verclsid") and Parent.Path like r"%\\wbem\\WmiPrvSE.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
RuleName = Excel Proxy Executing Regsvr32 With Payload
EventType = Process.Start
Tag = proc-start-excel-proxy-executing-regsvr32-with-payload
RiskScore = 75
# `process`, `create` and `call` only need to appear somewhere in the command line, in any order;
# nothing checks that they form one wmic verb. The LOLBin name is likewise matched as a substring.
Query = ((Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%msiexec%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%verclsid%") and (Process.Path like r"%\\wbem\\WMIC.exe" or Process.CommandLine like r"%wmic %") and (Parent.Path like r"%winword.exe" or Parent.Path like r"%excel.exe" or Parent.Path like r"%powerpnt.exe") and Process.CommandLine like r"%process%" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%call%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Initial execution of malicious document calls wmic to execute the file with regsvr32
RuleName = Office Applications Spawning Wmi Cli
EventType = Process.Start
Tag = proc-start-office-applications-spawning-wmi-cli
RiskScore = 75
# NOTE(review): `Parent.Path in [...]` is an exact equality test against bare image names, whereas the
# other office-parent rules in this file use `Parent.Path like r"%winword.exe"`. If Parent.Path holds
# the full path, this clause can never be true and the rule is dead - confirm and align the form.
Query = ((Process.Path like r"%\\wbem\\WMIC.exe" or Process.CommandLine like r"%wmic %") and Parent.Path in ["winword.exe", "excel.exe", "powerpnt.exe"])
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
RuleName = Pingback Backdoor
EventType = Process.Start
Tag = proc-start-pingback-backdoor
RiskScore = 75
# All four substrings (config, msdtc, start, auto) must occur in one command line whose parent image
# ends in updata.exe - consistent with a command that reconfigures the msdtc service to auto-start.
Query = (Parent.Path like r"%updata.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%msdtc%" and Process.CommandLine like r"%start%" and Process.CommandLine like r"%auto%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe
RuleName = Execution via stordiag.exe
EventType = Process.Start
Tag = proc-start-execution-via-stordiag.exe
RiskScore = 75
# NOTE(review): the exclusion is written as lowercase `c:\\windows\\system32\\`, while other rules in
# this file write `C:\\Windows\\System32\\`. Whether like compares case-insensitively decides if a
# normally-cased system parent is actually excluded here - confirm against the query engine.
Query = ((Parent.Path like r"%\\stordiag.exe" and (Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\fltmc.exe")) and not ((Parent.Path like r"c:\\windows\\system32\\%" or Parent.Path like r"c:\\windows\\syswow64\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detection of unusual child processes by different system processes
RuleName = Abused Debug Privilege by Arbitrary Parent Processes
EventType = Process.Start
Tag = proc-start-abused-debug-privilege-by-arbitrary-parent-processes
RiskScore = 75
# Process.User is matched against the English (`NT AUTHORITY\SYSTEM`) and French (`AUTORITE NT\Sys...`)
# names of the SYSTEM account only; other localized names will not satisfy the clause.
# The not-clause suppresses `route ... ADD ...` command lines.
Query = (((Parent.Path like r"%\\winlogon.exe" or Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\lsass.exe" or Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\smss.exe" or Parent.Path like r"%\\wininit.exe" or Parent.Path like r"%\\spoolsv.exe" or Parent.Path like r"%\\searchindexer.exe") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\cmd.exe") and (Process.User like r"NT AUTHORITY\\SYSTEM%" or Process.User like r"AUTORITE NT\\Sys%")) and not (Process.CommandLine like r"% route %" and Process.CommandLine like r"% ADD %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
RuleName = SOURGUM Actor Behaviours
EventType = Process.Start
Tag = proc-start-sourgum-actor-behaviours
RiskScore = 75
# NOTE(review): `filepath2` in the second branch does not look like a real image name and is probably
# a placeholder carried over from the upstream rule - confirm and replace or drop it.
# NOTE(review): the first branch compares Process.Path against .sys and .ini file names; that can only
# match if such a path is reported as the started process image, which looks like a field-mapping
# artefact from the upstream file-event rule - confirm the intended event type.
Query = ((Process.Path like r"%windows\\system32\\Physmem.sys%" or (Process.Path like r"%Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini%" or Process.Path like r"%Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini%" or Process.Path like r"%Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini%")) or ((Process.Path like r"%windows\\system32\\filepath2%" or Process.Path like r"%windows\\system32\\ime%") and (Process.CommandLine like r"%reg add%") and (Process.CommandLine like r"%HKEY\_LOCAL\_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32%" or Process.CommandLine like r"%HKEY\_LOCAL\_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
RuleName = Atlassian Confluence CVE-2021-26084
EventType = Process.Start
Tag = proc-start-atlassian-confluence-cve-2021-26084
RiskScore = 75
# The child is identified by command-line substrings, several of which (`curl`, `whoami`, `ipconfig`)
# are generic; the anchor on the Confluence-bundled JRE as direct parent is what keeps this specific.
Query = (Parent.Path like r"%\\Atlassian\\Confluence\\jre\\bin\\java.exe" and (Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%curl%" or Process.CommandLine like r"%whoami%" or Process.CommandLine like r"%ipconfig%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
RuleName = CMSTP Execution Process Creation
EventType = Process.Start
Tag = proc-start-cmstp-execution-process-creation
RiskScore = 75
# No child-process constraint: every process whose direct parent image ends in \cmstp.exe fires.
# Children that end up re-parented elsewhere are not seen by this rule.
Query = Parent.Path like r"%\\cmstp.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects creation or execution of UserInitMprLogonScript persistence method
RuleName = Logon Scripts (UserInitMprLogonScript)
EventType = Process.Start
Tag = proc-start-logon-scripts-(userinitmprlogonscript)
RiskScore = 75
# First branch: any child of userinit.exe other than explorer.exe, minus the two named logon-script
# files (netlogon.bat, UsrLogon.cmd). Second branch: the literal `UserInitMprLogonScript` anywhere in a
# command line, which catches the value being set as well as being run.
Query = (((Parent.Path like r"%\\userinit.exe" and not (Process.Path like r"%\\explorer.exe")) and not ((Process.CommandLine like r"%netlogon.bat%" or Process.CommandLine like r"%UsrLogon.cmd%"))) or Process.CommandLine like r"%UserInitMprLogonScript%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
RuleName = Ncat Execution
EventType = Process.Start
Tag = proc-start-ncat-execution
RiskScore = 75
# The second branch has no Process.Path constraint: the listed switch strings are matched in any
# process's command line, so a renamed binary is still caught, but other tools that accept the same
# switches (e.g. `-lvp`) may also fire.
Query = ((Process.Path like r"%\\ncat.exe") or (Process.CommandLine like r"% -lvp %" or Process.CommandLine like r"% -l --proxy-type http %" or Process.CommandLine like r"% --exec cmd.exe %" or Process.CommandLine like r"% -vnl --exec %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
RuleName = VMToolsd Suspicious Child Process
EventType = Process.Start
Tag = proc-start-vmtoolsd-suspicious-child-process
RiskScore = 75
# The not-clause whitelists only the four default VMware Tools power-event batch scripts; any custom
# script configured the same way will still fire and needs a local exception if it is legitimate.
Query = ((Parent.Path like r"%\\vmtoolsd.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe")) and not ((Process.CommandLine like r"%\\VMware\\VMware Tools\\poweron-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\poweroff-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\resume-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\suspend-vm-default.bat%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
RuleName = AdFind Usage Detection
EventType = Process.Start
Tag = proc-start-adfind-usage-detection
RiskScore = 75
# Command-line substring match with no image constraint, so a renamed AdFind binary is still caught.
# `\_` appears to be the escaped literal underscore and `\"` the escaped quote around "Domain Admins",
# as elsewhere in this file. Short tokens such as `%adinfo%` may also match unrelated command lines.
Query = (Process.CommandLine like r"%domainlist%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%adinfo%" or Process.CommandLine like r"% dclist %" or Process.CommandLine like r"%computer\_pwdnotreqd%" or Process.CommandLine like r"%objectcategory=%" or Process.CommandLine like r"%-subnets -f%" or Process.CommandLine like r"%name=\"Domain Admins\"%" or Process.CommandLine like r"%-sc u:%" or Process.CommandLine like r"%domainncs%" or Process.CommandLine like r"%dompol%" or Process.CommandLine like r"% oudmp %" or Process.CommandLine like r"%subnetdmp%" or Process.CommandLine like r"%gpodmp%" or Process.CommandLine like r"%fspdmp%" or Process.CommandLine like r"%users\_noexpire%" or Process.CommandLine like r"%computers\_active%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# AnyDesk Remote Desktop silent installation can be used by an attacker to gain remote access.
RuleName = AnyDesk Silent Installation
EventType = Process.Start
Tag = proc-start-anydesk-silent-installation
RiskScore = 75
# No Process.Path constraint - only the co-occurrence of the three switches is checked. Any installer
# that uses the same flag names would match, and an AnyDesk run without `--silent` is not covered.
Query = (Process.CommandLine like r"%--install%" and Process.CommandLine like r"%--start-with-win%" and Process.CommandLine like r"%--silent%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects activity that could be related to Baby Shark malware
RuleName = Baby Shark Activity
EventType = Process.Start
Tag = proc-start-baby-shark-activity
RiskScore = 75
# The first and third patterns contain no `%`, so they match only the exact, whole command line; the
# second is anchored at the start (no leading `%`). A path prefix before reg/cmd defeats all three.
Query = (Process.CommandLine like r"reg query \"HKEY\_CURRENT\_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" or Process.CommandLine like r"powershell.exe mshta.exe http%" or Process.CommandLine like r"cmd.exe /c taskkill /im cmd.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
RuleName = Exchange Exploitation Activity
EventType = Process.Start
Tag = proc-start-exchange-exploitation-activity
RiskScore = 75
# A flat OR of many independent indicators; each branch needs its own tuning if it turns out noisy.
# `\%TEMP\%` is an escaped literal percent sign (so `%TEMP%` is matched literally, not as a wildcard)
# and `\_` is the escaped underscore, consistent with the other like patterns in this file.
Query = ((Process.CommandLine like r"%attrib%" and Process.CommandLine like r"% +h %" and Process.CommandLine like r"% +s %" and Process.CommandLine like r"% +r %" and Process.CommandLine like r"%.aspx%") or (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%VSPerfMon%") or (Process.CommandLine like r"%vssadmin list shadows%" and Process.CommandLine like r"%Temp\\\_\_output%") or Process.CommandLine like r"%\%TEMP\%\\execute.bat%" or Process.Path like r"%Users\\Public\\opera\\Opera\_browser.exe" or (Process.Path like r"%Opera\_browser.exe" and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe")) or Process.Path like r"%\\ProgramData\\VSPerfMon\\%" or (Process.CommandLine like r"% -t7z %" and Process.CommandLine like r"%C:\\Programdata\\pst%" and Process.CommandLine like r"%\\it.zip%") or (Process.Path like r"%\\makecab.exe" and (Process.CommandLine like r"%Microsoft\\Exchange Server\\%" or Process.CommandLine like r"%inetpub\\wwwroot%")) or (Process.CommandLine like r"%\\Temp\\xx.bat%" or Process.CommandLine like r"%Windows\\WwanSvcdcs%" or Process.CommandLine like r"%Windows\\Temp\\cw.exe%") or (Process.CommandLine like r"%\\comsvcs.dll%" and Process.CommandLine like r"%Minidump%" and Process.CommandLine like r"%\\inetpub\\wwwroot%") or (Process.CommandLine like r"%dsquery%" and Process.CommandLine like r"% -uco %" and Process.CommandLine like r"%\\inetpub\\wwwroot%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Hurricane Panda Activity
RuleName = Hurricane Panda Activity
EventType = Process.Start
Tag = proc-start-hurricane-panda-activity
RiskScore = 75
# The first branch fires on any `localgroup ... admin ... /add` command line, i.e. a generic local-admin
# group addition rather than anything actor-specific; expect hits from administration tooling.
# Only the `\\Win64.exe` branch is a Hurricane Panda specific artefact.
Query = ((Process.CommandLine like r"%localgroup%" and Process.CommandLine like r"%admin%" and Process.CommandLine like r"%/add%") or (Process.CommandLine like r"%\\Win64.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
RuleName = Lazarus Session Highjacker
EventType = Process.Start
Tag = proc-start-lazarus-session-highjacker
RiskScore = 75
# Fires for msdtc.exe / gpvc.exe started from anywhere other than System32 or SysWOW64 on C:.
# The exclusion is written with `C:\\Windows\\...` casing; if like is case-sensitive, a lowercase
# system path would not be excluded - confirm against the query engine.
Query = ((Process.Path like r"%\\msdtc.exe" or Process.Path like r"%\\gpvc.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process parameters as used by Mustang Panda droppers
RuleName = Mustang Panda Dropper
EventType = Process.Start
Tag = proc-start-mustang-panda-dropper
RiskScore = 75
# `\%windir:~-3,1\%` and friends are escaped literal percent signs around batch substring-expansion
# expressions, so the obfuscated form is matched literally; `\"` appears to be an escaped quote.
# The third branch is an image-name match with no directory constraint beyond `Temp\\`.
Query = ((Process.CommandLine like r"%Temp\\wtask.exe /create%" or Process.CommandLine like r"%\%windir:~-3,1\%\%PUBLIC:~-9,1\%%" or Process.CommandLine like r"%/tn \"Security Script %" or Process.CommandLine like r"%\%windir:~-1,1\%%") or (Process.CommandLine like r"%/E:vbscript%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%.txt%" and Process.CommandLine like r"%/F%") or Process.Path like r"%Temp\\winwsh.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
RuleName = Ps.exe Renamed SysInternals Tool
EventType = Process.Start
Tag = proc-start-ps.exe-renamed-sysinternals-tool
RiskScore = 75
# `==` is an exact, whole-command-line comparison: any extra argument, different spacing, or a path
# prefix before ps.exe prevents a match. This is deliberately narrow and will not generalize.
Query = Process.CommandLine == "ps.exe -accepteula"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
RuleName = TropicTrooper Campaign November 2018
EventType = Process.Start
Tag = proc-start-tropictrooper-campaign-november-2018
RiskScore = 75
# Matches this fixed-length padding string anywhere in a command line; a run of C characters that
# is shorter or longer than the literal does not match.
Query = Process.CommandLine like r"%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A sigma rule detecting an unidentified attacker who used phishing emails to target high profile orgs in November 2018. The actor shares some TTPs with the YYTRIUM/APT29 campaign in 2016.
RuleName = Unidentified Attacker November 2018
EventType = Process.Start
Tag = proc-start-unidentified-attacker-november-2018
RiskScore = 75
# The second clause has no trailing `%`, so the command line must end with `PointFunctionCall`.
Query = (Process.CommandLine like r"%cyzfc.dat,%" and Process.CommandLine like r"%PointFunctionCall")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
RuleName = Bad Opsec Defaults Sacrificial Processes With Improper Arguments
EventType = Process.Start
Tag = proc-start-bad-opsec-defaults-sacrificial-processes-with-improper-arguments
RiskScore = 75
# Each branch requires the command line to END with `\\<name>.exe` (no trailing `%`), i.e. a
# path-qualified image followed by no arguments at all. The same binary started by bare name with
# no path (e.g. just `rundll32.exe`) does not satisfy the CommandLine clause.
Query = ((Process.Path like r"%\\WerFault.exe" and Process.CommandLine like r"%\\WerFault.exe") or (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%\\rundll32.exe") or (Process.Path like r"%\\regsvcs.exe" and Process.CommandLine like r"%\\regsvcs.exe") or (Process.Path like r"%\\regasm.exe" and Process.CommandLine like r"%\\regasm.exe") or (Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%\\regsvr32.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used by malware or an attacker as a destructive technique.
RuleName = Modification of Boot Configuration
EventType = Process.Start
Tag = proc-start-modification-of-boot-configuration
RiskScore = 75
# `%set%` and `%no%` are very short substrings, but each is ANDed with the specific option name
# (`bootstatuspolicy`/`ignoreallfailures` or `recoveryenabled`) and the bcdedit.exe image, which
# keeps the rule targeted at recovery-disabling changes.
Query = ((Process.Path like r"%\\bcdedit.exe" and Process.CommandLine like r"%set%") and ((Process.CommandLine like r"%bootstatuspolicy%" and Process.CommandLine like r"%ignoreallfailures%") or (Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Execution via SyncInvoke in CL_Invocation.ps1 module
RuleName = Execution via CL_Invocation.ps1
EventType = Process.Start
Tag = proc-start-execution-via-cl_invocation.ps1
RiskScore = 75
# Both the script name and the function name must appear in the same command line; `\_` is the
# escaped literal underscore used in like patterns throughout this file.
Query = (Process.CommandLine like r"%CL\_Invocation.ps1%" and Process.CommandLine like r"%SyncInvoke%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
RuleName = Execution via CL_Mutexverifiers.ps1
EventType = Process.Start
Tag = proc-start-execution-via-cl_mutexverifiers.ps1
RiskScore = 75
# Both the script name and the function name must appear in the same command line; `\_` is the
# escaped literal underscore used in like patterns throughout this file.
Query = (Process.CommandLine like r"%CL\_Mutexverifiers.ps1%" and Process.CommandLine like r"%runAfterCancelProcess%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)
RuleName = CobaltStrike Process Patterns
EventType = Process.Start
Tag = proc-start-cobaltstrike-process-patterns
RiskScore = 75
# Four independent parent/child patterns. The `Parent.Path like r"C:\\Temp%"` clause is prefix-anchored
# to that exact drive letter and casing; the `\\.\\pipe` clauses key on output being redirected to a
# named pipe, which is the beacon's default way of collecting command output.
Query = ((Process.CommandLine like r"%\\cmd.exe /C whoami%" and Parent.Path like r"C:\\Temp%") or (Process.CommandLine like r"%conhost.exe 0xffffffff -ForceV1%" and (Parent.CommandLine like r"%/C whoami%" or Parent.CommandLine like r"%cmd.exe /C echo%" or Parent.CommandLine like r"% > \\.\\pipe%")) or ((Process.CommandLine like r"%cmd.exe /c echo%" or Process.CommandLine like r"%> \\.\\pipe%" or Process.CommandLine like r"%\\whoami.exe%") and Parent.Path like r"%\\dllhost.exe") or (Process.Path like r"%\\cmd.exe" and Parent.Path like r"%\\runonce.exe" and Parent.CommandLine like r"%\\runonce.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking
RuleName = Cmd.exe CommandLine Path Traversal
EventType = Process.Start
Tag = proc-start-cmd.exe-commandline-path-traversal
RiskScore = 75
# Looks for forward-slash traversal (`/../../`) in the child command line while the parent command line
# contains `cmd` and `/c`; the backslash form is handled by the rule "Command Line Path Traversial Evasion".
Query = (Parent.CommandLine like r"%cmd%" and Parent.CommandLine like r"%/c%" and Process.CommandLine like r"%/../../%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal
RuleName = Command Line Path Traversial Evasion
EventType = Process.Start
Tag = proc-start-command-line-path-traversial-evasion
RiskScore = 75
# First branch requires the image itself to live under \Windows\ and the command line to contain a
# `\..\Windows\`, `\..\System32\` or `\..\..\` sequence; second branch catches `.exe\..\` in any
# command line regardless of image location.
Query = ((Process.Path like r"%\\Windows\\%" and (Process.CommandLine like r"%\\..\\Windows\\%" or Process.CommandLine like r"%\\..\\System32\\%" or Process.CommandLine like r"%\\..\\..\\%")) or Process.CommandLine like r"%.exe\\..\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects copying of files with well-known names that hold credential data
RuleName = Copying Sensitive Files with Credential Data
EventType = Process.Start
Tag = proc-start-copying-sensitive-files-with-credential-data
RiskScore = 75
# Second branch: the hive/ntds paths are matched in any command line, with no image constraint.
# Note `%\\config\\system %` ends in a space before the wildcard, so `\config\system` must be followed
# by a space; this keeps `\config\system32\` from matching, unlike the other entries which end in `%`.
Query = ((Process.Path like r"%\\esentutl.exe" and (Process.CommandLine like r"%vss%" or Process.CommandLine like r"% /m %" or Process.CommandLine like r"% /y %")) or (Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" or Process.CommandLine like r"%\\config\\sam%" or Process.CommandLine like r"%\\config\\security%" or Process.CommandLine like r"%\\config\\system %" or Process.CommandLine like r"%\\repair\\sam%" or Process.CommandLine like r"%\\repair\\system%" or Process.CommandLine like r"%\\repair\\security%" or Process.CommandLine like r"%\\config\\RegBack\\sam%" or Process.CommandLine like r"%\\config\\RegBack\\system%" or Process.CommandLine like r"%\\config\\RegBack\\security%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Archer malware invocation via rundll32
RuleName = Fireball Archer Install
EventType = Process.Start
Tag = proc-start-fireball-archer-install
RiskScore = 75
# Both substrings are checked on the command line only; Process.Path is not constrained, so the
# export name InstallArcherSvc is the real indicator here.
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%InstallArcherSvc%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters or strings often used by crypto miners
RuleName = Windows Crypto Mining Indicators
EventType = Process.Start
Tag = proc-start-windows-crypto-mining-indicators
RiskScore = 75
# The nine `LS1kb2…` / `c3RyYX…` style strings appear to be the base64 encodings of `--donate-level=`,
# `stratum+tcp://` and `stratum+udp://` at each of the three possible alignment offsets, so
# base64-wrapped (e.g. PowerShell -enc) miner command lines are caught as well - confirm if extending.
Query = (Process.CommandLine like r"% --cpu-priority=%" or Process.CommandLine like r"%--donate-level=0%" or Process.CommandLine like r"% -o pool.%" or Process.CommandLine like r"% --nicehash%" or Process.CommandLine like r"% --algo=rx/0 %" or Process.CommandLine like r"%stratum+tcp://%" or Process.CommandLine like r"%stratum+udp://%" or Process.CommandLine like r"%LS1kb25hdGUtbGV2ZWw9%" or Process.CommandLine like r"%0tZG9uYXRlLWxldmVsP%" or Process.CommandLine like r"%tLWRvbmF0ZS1sZXZlbD%" or Process.CommandLine like r"%c3RyYXR1bSt0Y3A6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdGNwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3RjcDovL%" or Process.CommandLine like r"%c3RyYXR1bSt1ZHA6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdWRwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3VkcDovL%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
RuleName = Xwizard DLL Sideloading
EventType = Process.Start
Tag = proc-start-xwizard-dll-sideloading
RiskScore = 75
# NOTE(review): only `C:\\Windows\\System32\\` is excluded; a copy under SysWOW64 (which the similar
# out-of-directory rules in this file do exclude) would fire here - decide whether that is intended.
Query = (Process.Path like r"%\\xwizard.exe" and not (Process.Path like r"C:\\Windows\\System32\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Well-known DNS exfiltration tools execution
RuleName = DNS Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-dns-exfiltration-and-tunneling-tools-execution
RiskScore = 75
# Image-name match only, so renamed binaries are not covered. `%\\dnscat2` has no trailing wildcard
# and therefore matches only a path that ends exactly in `\dnscat2` (no `.exe`) - confirm that is intended.
Query = (Process.Path like r"%\\iodine.exe" or Process.Path like r"%\\dnscat2%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
RuleName = Disable of ETW Trace
EventType = Process.Start
Tag = proc-start-disable-of-etw-trace
RiskScore = 75
# `%cl%` and `%sl%` are two-character substrings that occur in many command lines; the selectivity
# comes from the ANDed `/Trace` or `/e:false` term, so those branches are effectively "wevtutil-style
# clear/disable of a trace log". `--p` in the logman branch looks like logman's negated `-p`
# (remove provider) switch rather than a typo - confirm before "fixing" it.
Query = ((Process.CommandLine like r"%cl%" and Process.CommandLine like r"%/Trace%") or (Process.CommandLine like r"%clear-log%" and Process.CommandLine like r"%/Trace%") or (Process.CommandLine like r"%sl%" and Process.CommandLine like r"%/e:false%") or (Process.CommandLine like r"%set-log%" and Process.CommandLine like r"%/e:false%") or (Process.CommandLine like r"%Remove-EtwTraceProvider%" and Process.CommandLine like r"%EventLog-Microsoft-Windows-WMI-Activity-Trace%" and Process.CommandLine like r"%{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}%") or (Process.CommandLine like r"%Set-EtwTraceProvider%" and Process.CommandLine like r"%{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}%" and Process.CommandLine like r"%EventLog-Microsoft-Windows-WMI-Activity-Trace%" and Process.CommandLine like r"%0x11%") or (Process.CommandLine like r"%logman%" and Process.CommandLine like r"%update%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%--p%" and Process.CommandLine like r"%-ets%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
RuleName = Exploiting SetupComplete.cmd CVE-2019-1378
EventType = Process.Start
Tag = proc-start-exploiting-setupcomplete.cmd-cve-2019-1378
RiskScore = 75
# The parent is identified purely by its command line (cmd /c ... C:\Windows\Setup\Scripts\ ... ending in
# SetupComplete.cmd or PartnerSetupComplete.cmd); the child is then excluded if its image sits under
# System32, SysWOW64, WinSxS or Setup, so only children from non-system locations alert.
Query = ((Parent.CommandLine like r"%\\cmd.exe%" and Parent.CommandLine like r"%/c%" and Parent.CommandLine like r"%C:\\Windows\\Setup\\Scripts\\%" and (Parent.CommandLine like r"%SetupComplete.cmd" or Parent.CommandLine like r"%PartnerSetupComplete.cmd")) and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Windows\\Setup\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects new commands that add new printer port which point to suspicious file
# Two independent branches: "Add-PrinterPort -Name" combined with an .exe/.dll/.bat
# argument, or any command line containing "Generic / Text Only". The second
# branch carries no cmdlet constraint, so it may also match legitimate printer
# setups that pass that driver name on the command line — review before raising
# the score or alerting on it directly.
RuleName = Suspicious PrinterPorts Creation (CVE-2020-1048)
EventType = Process.Start
Tag = proc-start-suspicious-printerports-creation-(cve-2020-1048)
RiskScore = 75
Query = (((Process.CommandLine like r"%Add-PrinterPort -Name%") and (Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bat%")) or (Process.CommandLine like r"%Generic / Text Only%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters used by Bloodhound and Sharphound hack tools
# Matches on the image name (Bloodhound.exe / SharpHound.exe), on the PowerShell
# collector function names, or on collector switch combinations. The switch
# patterns are space-bounded (" -JsonFolder ", " DCOnly ", ...) so they match
# whole tokens rather than arbitrary substrings; a renamed collector is still
# caught by its switches, the image-name branch alone would miss it.
RuleName = Bloodhound and Sharphound Hack Tool
EventType = Process.Start
Tag = proc-start-bloodhound-and-sharphound-hack-tool
RiskScore = 75
Query = ((Process.Path like r"%\\Bloodhound.exe%" or Process.Path like r"%\\SharpHound.exe%") or (Process.CommandLine like r"% -CollectionMethod All %" or Process.CommandLine like r"%.exe -c All -d %" or Process.CommandLine like r"%Invoke-Bloodhound%" or Process.CommandLine like r"%Get-BloodHoundData%") or (Process.CommandLine like r"% -JsonFolder %" and Process.CommandLine like r"% -ZipFileName %") or (Process.CommandLine like r"% DCOnly %" and Process.CommandLine like r"% --NoSaveCache %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters used by Koadic hack tool
# cmd.exe (end-anchored image name) whose command line contains /q, /c and chcp.
# All three are required; each is an unanchored substring.
RuleName = Koadic Execution
EventType = Process.Start
Tag = proc-start-koadic-execution
RiskScore = 75
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%/q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%chcp%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies usage of hh.exe executing recently modified .chm files.
# NOTE: the query only checks for hh.exe with ".chm" somewhere on the command
# line; the "recently modified" condition in the description is not evaluated
# by this rule, so every .chm opened via hh.exe is reported.
RuleName = HH.exe Execution
EventType = Process.Start
Tag = proc-start-hh.exe-execution
RiskScore = 75
Query = (Process.Path like r"%\\hh.exe" and Process.CommandLine like r"%.chm%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
# Matches either the tool's default image name or an exact import hash
# (Process.Hash.IMP ==). The hash branch still catches a renamed copy of the
# same build; a rebuilt binary with a different import table will not match.
RuleName = CreateMiniDump Hacktool
EventType = Process.Start
Tag = proc-start-createminidump-hacktool
RiskScore = 75
Query = (Process.Path like r"%\\CreateMiniDump.exe%" or Process.Hash.IMP == "4a07f944a83e8a7c2525efa35dd30e2f")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
# The parent path pattern has no wildcard at all, so it effectively requires the
# parent to be exactly C:\Windows\hh.exe; an hh.exe started from any other
# location or drive does not qualify. Children are the usual script/LOLBin hosts.
RuleName = HTML Help Shell Spawn
EventType = Process.Start
Tag = proc-start-html-help-shell-spawn
RiskScore = 75
Query = (Parent.Path like r"C:\\Windows\\hh.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\rundll32.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
# Parent Hwp.exe spawning gbb.exe; both are matched on the file name only,
# independent of their install directory.
RuleName = Suspicious HWP Sub Processes
EventType = Process.Start
Tag = proc-start-suspicious-hwp-sub-processes
RiskScore = 75
Query = (Parent.Path like r"%\\Hwp.exe" and Process.Path like r"%\\gbb.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
# The first group matches the tool name as a fragment anywhere after a
# backslash (trailing %), so a directory or unrelated file named e.g.
# "smbexec..." also matches — this is the false-positive source the
# description mentions. The second group requires the compiled
# "<tool>_windows.exe" file name. "\_" presumably escapes the underscore so
# it is matched literally rather than as a single-character wildcard.
RuleName = Impacket Tool Execution
EventType = Process.Start
Tag = proc-start-impacket-tool-execution
RiskScore = 75
Query = ((Process.Path like r"%\\goldenPac%" or Process.Path like r"%\\karmaSMB%" or Process.Path like r"%\\kintercept%" or Process.Path like r"%\\ntlmrelayx%" or Process.Path like r"%\\rpcdump%" or Process.Path like r"%\\samrdump%" or Process.Path like r"%\\secretsdump%" or Process.Path like r"%\\smbexec%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\wmiexec%" or Process.Path like r"%\\wmipersist%") or (Process.Path like r"%\\atexec\_windows.exe" or Process.Path like r"%\\dcomexec\_windows.exe" or Process.Path like r"%\\dpapi\_windows.exe" or Process.Path like r"%\\findDelegation\_windows.exe" or Process.Path like r"%\\GetADUsers\_windows.exe" or Process.Path like r"%\\GetNPUsers\_windows.exe" or Process.Path like r"%\\getPac\_windows.exe" or Process.Path like r"%\\getST\_windows.exe" or Process.Path like r"%\\getTGT\_windows.exe" or Process.Path like r"%\\GetUserSPNs\_windows.exe" or Process.Path like r"%\\ifmap\_windows.exe" or Process.Path like r"%\\mimikatz\_windows.exe" or Process.Path like r"%\\netview\_windows.exe" or Process.Path like r"%\\nmapAnswerMachine\_windows.exe" or Process.Path like r"%\\opdump\_windows.exe" or Process.Path like r"%\\psexec\_windows.exe" or Process.Path like r"%\\rdp\_check\_windows.exe" or Process.Path like r"%\\sambaPipe\_windows.exe" or Process.Path like r"%\\smbclient\_windows.exe" or Process.Path like r"%\\smbserver\_windows.exe" or Process.Path like r"%\\sniffer\_windows.exe" or Process.Path like r"%\\sniff\_windows.exe" or Process.Path like r"%\\split\_windows.exe" or Process.Path like r"%\\ticketer\_windows.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
# Command line referencing ...\CurrentVersion\Image File Execution Options\
# together with one of the accessibility binaries reachable from the logon
# screen. As a Process.Start rule it only sees command-line based registry
# edits; a direct registry API write would need a registry-event rule.
RuleName = Suspicious Debugger Registration Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-debugger-registration-cmdline
RiskScore = 75
Query = (Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\%" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%magnify.exe%" or Process.CommandLine like r"%narrator.exe%" or Process.CommandLine like r"%displayswitch.exe%" or Process.CommandLine like r"%atbroker.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect an interactive AT job, which may be used as a form of privilege escalation.
# at.exe (end-anchored image name) with "interactive" anywhere on the command line.
RuleName = Interactive AT Job
EventType = Process.Start
Tag = proc-start-interactive-at-job
RiskScore = 75
Query = (Process.Path like r"%\\at.exe" and Process.CommandLine like r"%interactive%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in report
# Parent/child pair matched on file names only. The RuleName and Tag keep the
# original "Spwaned" spelling because the Tag is the identifier consumers
# filter on; only this comment was corrected.
RuleName = MSHTA Spwaned by SVCHOST
EventType = Process.Start
Tag = proc-start-mshta-spwaned-by-svchost
RiskScore = 75
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mshta.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
# Branch 1: any command line naming lsass together with a .dmp file, except when
# the image is werfault.exe (the OS crash handler writing its own dumps).
# Branch 2: an image whose path contains "procdump" and ends in .exe, with
# lsass on the command line. Both branches are substring matches.
RuleName = LSASS Memory Dumping
EventType = Process.Start
Tag = proc-start-lsass-memory-dumping
RiskScore = 75
Query = (((Process.CommandLine like r"%lsass%" and Process.CommandLine like r"%.dmp%") and not (Process.Path like r"%\\werfault.exe")) or (Process.Path like r"%\\procdump%" and Process.Path like r"%.exe" and Process.CommandLine like r"%lsass%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command used by conti to find volume shadow backups
# "vssadmin list shadows" with "log.txt" also present on the command line;
# both substrings are required.
RuleName = Conti Volume Shadow Listing
EventType = Process.Start
Tag = proc-start-conti-volume-shadow-listing
RiskScore = 75
Query = (Process.CommandLine like r"%vssadmin list shadows%" and Process.CommandLine like r"%log.txt%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

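[ActivityMonitoringRule]
# Detects a command used by conti to exfiltrate NTDS
# 7za.exe with the archive path \C$\temp\log.zip on the command line; both
# substrings are required.
# The RuleName and Tag were previously copied from the preceding
# "Conti Volume Shadow Listing" rule, which made the two rules
# indistinguishable in alert output. The corrected Tag is constructed from the
# new RuleName with this file's "proc-start-<lowercased name, spaces as dashes>"
# convention.
RuleName = Conti NTDS Exfiltration
EventType = Process.Start
Tag = proc-start-conti-ntds-exfiltration
RiskScore = 75
Query = (Process.CommandLine like r"%7za.exe%" and Process.CommandLine like r"%\\C$\\temp\\log.zip%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP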

[ActivityMonitoringRule]
# Detects wscript/cscript executions of scripts located in user directories
# wscript/cscript with a path under C:\Users\ or C:\ProgramData\ and one of the
# listed script extensions on the command line; a winzip parent is excluded.
# Because "%.js%" is an unanchored substring it already covers ".jse" and also
# matches ".json" or any other path containing ".js".
RuleName = WScript or CScript Dropper
EventType = Process.Start
Tag = proc-start-wscript-or-cscript-dropper
RiskScore = 75
Query = (((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%C:\\Users\\%" or Process.CommandLine like r"%C:\\ProgramData\\%") and (Process.CommandLine like r"%.jse%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.vba%" or Process.CommandLine like r"%.vbs%")) and not (Parent.Path like r"%\\winzip%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects javaw.exe in AppData folder as used by Adwind / JRAT
# Branch 1: a java executable launched from ...\AppData\Roaming\Oracle.
# Branch 2: cscript with "Retrive" and a ".vbs " argument on the command line.
# "Retrive" is the spelling of the artifact being matched, not a typo to fix.
RuleName = Adwind RAT / JRAT
EventType = Process.Start
Tag = proc-start-adwind-rat-/-jrat
RiskScore = 75
Query = ((Process.CommandLine like r"%\\AppData\\Roaming\\Oracle%" and Process.CommandLine like r"%\\java%" and Process.CommandLine like r"%.exe %") or (Process.CommandLine like r"%cscript.exe%" and Process.CommandLine like r"%Retrive%" and Process.CommandLine like r"%.vbs %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
# A child of services.exe whose command line echoes into a named pipe (via
# "cmd", "%COMSPEC%" or "cmd.exe" with /c and echo) or a "rundll32 ...dll,a /p:"
# invocation; Defender's MpCmdRun is excluded. "\%" appears to escape a literal
# percent sign inside the like pattern so that %COMSPEC% is matched as text
# rather than as two wildcards.
RuleName = Meterpreter or Cobalt Strike Getsystem Service Start
EventType = Process.Start
Tag = proc-start-meterpreter-or-cobalt-strike-getsystem-service-start
RiskScore = 75
Query = ((Parent.Path like r"%\\services.exe" and ((Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%\%COMSPEC\%%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%.dll,a%" and Process.CommandLine like r"%/p:%"))) and not (Process.CommandLine like r"%MpCmdRun%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MMC
# Parent mmc.exe spawning one of the listed shells/script hosts or BITSADMIN
# (the latter matched as a substring, all others end-anchored on the name).
RuleName = MMC Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mmc-spawning-windows-shell
RiskScore = 75
Query = (Parent.Path like r"%\\mmc.exe" and ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\BITSADMIN%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies suspicious mshta.exe commands.
# mshta.exe with "javascript" anywhere on the command line (inline
# javascript: protocol handler use); whether the match is case-insensitive
# depends on the query engine — confirm before relying on it for "JavaScript".
RuleName = Mshta JavaScript Execution
EventType = Process.Start
Tag = proc-start-mshta-javascript-execution
RiskScore = 75
Query = (Process.Path like r"%\\mshta.exe" and Process.CommandLine like r"%javascript%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MSHTA
# Same child list as the MMC rule, with mshta.exe as the parent.
RuleName = MSHTA Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mshta-spawning-windows-shell
RiskScore = 75
Query = (Parent.Path like r"%\\mshta.exe" and ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\BITSADMIN%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
# Covers both the legacy "firewall add portopening ... tcp 3389" syntax and the
# "advfirewall firewall add rule ... action=allow protocol=TCP localport=3389"
# form. Matched on the command line only, so netsh invoked through a renamed
# copy is still seen, while an RDP rule added via the firewall API is not.
RuleName = Netsh RDP Port Opening
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-opening
RiskScore = 75
Query = (Process.CommandLine like r"%netsh%" and ((Process.CommandLine like r"%firewall add portopening%" and Process.CommandLine like r"%tcp 3389%") or (Process.CommandLine like r"%advfirewall firewall add rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%protocol=TCP%" and Process.CommandLine like r"%localport=3389%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

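[ActivityMonitoringRule]
# Detects Netsh commands that allow a suspicious application location on Windows Firewall
# netsh.exe adding a firewall allow entry (legacy "allowedprogram" or
# "advfirewall ... rule action=allow program=") for a program located in a
# temp, recycle-bin, user, download or writable-Windows-subfolder path.
# "\%" escapes a literal percent sign so %TEMP% and %Public% match as text.
# The second location group originally had no leading wildcard, which anchored
# each pattern to the start of the command line; a netsh command line never
# begins with C:\Windows\Tasks\ etc., so that group could never match. Each of
# those patterns now carries a leading % like the first group.
# RuleName and Tag keep the original "Suspcious" spelling because the Tag is
# the identifier consumers filter on.
RuleName = Netsh Program Allowed with Suspcious Location
EventType = Process.Start
Tag = proc-start-netsh-program-allowed-with-suspcious-location
RiskScore = 75
Query = ((Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%allowedprogram%" or (Process.CommandLine like r"%advfirewall%" and Process.CommandLine like r"%rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%program=%"))) and ((Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%:\\RECYCLER\\%" or Process.CommandLine like r"%C:\\$Recycle.bin\\%" or Process.CommandLine like r"%:\\SystemVolumeInformation\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%" or Process.CommandLine like r"%C:\\Temp\\%" or Process.CommandLine like r"%C:\\Users\\Public\\%" or Process.CommandLine like r"%C:\\Users\\Default\\%" or Process.CommandLine like r"%C:\\Users\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.CommandLine like r"%\\Local Settings\\Temporary Internet Files\\%") or (Process.CommandLine like r"%C:\\Windows\\Tasks\\%" or Process.CommandLine like r"%C:\\Windows\\debug\\%" or Process.CommandLine like r"%C:\\Windows\\fonts\\%" or Process.CommandLine like r"%C:\\Windows\\help\\%" or Process.CommandLine like r"%C:\\Windows\\drivers\\%" or Process.CommandLine like r"%C:\\Windows\\addins\\%" or Process.CommandLine like r"%C:\\Windows\\cursors\\%" or Process.CommandLine like r"%C:\\Windows\\system32\\tasks\\%" or Process.CommandLine like r"%\%Public\%\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP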

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding of port 3389 used for RDP
# The tokens "%i%", "% p%" and "% c%" are presumably meant to allow the
# abbreviated "interface portproxy ... connectport" spelling, but they are so
# short that almost any netsh.exe command line satisfies them; in practice the
# "=3389" substring is the only selective part of this rule. Expect noise from
# other netsh commands that mention port 3389.
RuleName = Netsh RDP Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-forwarding
RiskScore = 75
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%i%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"%=3389%" and Process.CommandLine like r"% c%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
# The parent list is broader than the description: Outlook, Access and the
# Equation Editor (EQNEDT32.EXE) are also covered. Children include the shells,
# script hosts and LOLBins listed in the query; svchost.exe and msiexec.exe as
# Office children are part of the list and may need tuning in environments
# where Office add-in installers run from a document.
RuleName = Microsoft Office Product Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-microsoft-office-product-spawning-windows-shell
RiskScore = 75
Query = ((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\OUTLOOK.EXE" or Parent.Path like r"%\\MSACCESS.EXE" or Parent.Path like r"%\\EQNEDT32.EXE") and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\msbuild.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
# Child image path must start with C:\users\ (start-anchored) and end in .exe;
# Teams.exe is excluded because it is installed per user. Whether the
# "C:\users\" prefix matches a differently-cased path depends on the query
# engine's case handling — confirm if user profiles live on another drive.
RuleName = MS Office Product Spawning Exe in User Dir
EventType = Process.Start
Tag = proc-start-ms-office-product-spawning-exe-in-user-dir
RiskScore = 75
Query = (((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe") and Process.Path like r"C:\\users\\%" and Process.Path like r"%.exe") and not (Process.Path like r"%\\Teams.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

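[ActivityMonitoringRule]
# Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
# Each clause pairs a side-loading host executable with the directories it
# legitimately ships in; the clause matches only when the image is found
# outside those directories. The hkcmd.exe exclusion previously spelled the
# 32-bit system directory "SysWowo64", so a legitimate hkcmd.exe under
# \SysWOW64\ was reported; it now matches \SysWOW64\ as the other rules in
# this file do. "\_" escapes a literal underscore in chrome_frame_helper.exe.
RuleName = Executable Used by PlugX in Uncommon Location
EventType = Process.Start
Tag = proc-start-executable-used-by-plugx-in-uncommon-location
RiskScore = 75
Query = ((((((((((((Process.Path like r"%\\CamMute.exe" and not ((Process.Path like r"%\\Lenovo\\Communication Utility\\%" or Process.Path like r"%\\Lenovo\\Communications Utility\\%"))) or (Process.Path like r"%\\chrome\_frame\_helper.exe" and not (Process.Path like r"%\\Google\\Chrome\\application\\%"))) or (Process.Path like r"%\\dvcemumanager.exe" and not (Process.Path like r"%\\Microsoft Device Emulator\\%"))) or (Process.Path like r"%\\Gadget.exe" and not (Process.Path like r"%\\Windows Media Player\\%"))) or (Process.Path like r"%\\hcc.exe" and not (Process.Path like r"%\\HTML Help Workshop\\%"))) or (Process.Path like r"%\\hkcmd.exe" and not ((Process.Path like r"%\\System32\\%" or Process.Path like r"%\\SysNative\\%" or Process.Path like r"%\\SysWOW64\\%")))) or (Process.Path like r"%\\Mc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%")))) or (Process.Path like r"%\\MsMpEng.exe" and not ((Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Windows Defender\\%" or Process.Path like r"%\\AntiMalware\\%")))) or (Process.Path like r"%\\msseces.exe" and not ((Process.Path like r"%\\Microsoft Security Center\\%" or Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Microsoft Security Essentials\\%")))) or (Process.Path like r"%\\OInfoP11.exe" and not (Process.Path like r"%\\Common Files\\Microsoft Shared\\%"))) or (Process.Path like r"%\\OleView.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%")))) or (Process.Path like r"%\\rc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%" or Process.Path like r"%\\Microsoft.NET\\%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP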

[ActivityMonitoringRule]
# Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
# Both the AmsiUtils type name and the amsiInitFailed field must appear in the
# command line; obfuscated or script-file based variants that never place these
# strings on the command line are not covered by a Process.Start rule.
RuleName = Powershell AMSI Bypass via .NET Reflection
EventType = Process.Start
Tag = proc-start-powershell-amsi-bypass-via-.net-reflection
RiskScore = 75
Query = ((Process.CommandLine like r"%System.Management.Automation.AmsiUtils%") and (Process.CommandLine like r"%amsiInitFailed%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the PowerShell command lines with reversed strings
# Each pattern is a common PowerShell keyword spelled backwards (e.g. "hctac"
# for "catch", "llehsrewop" for "powershell"). Some of them are very short
# ("rahc", "ptth", "tneilc") and can occur inside ordinary words, so a single
# hit on a long legitimate command line is possible; the powershell.exe image
# constraint is the only other filter.
RuleName = Suspicious PowerShell Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-powershell-cmdline
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%hctac%" or Process.CommandLine like r"%kearb%" or Process.CommandLine like r"%dnammoc%" or Process.CommandLine like r"%ekovn%" or Process.CommandLine like r"%eliFd%" or Process.CommandLine like r"%rahc%" or Process.CommandLine like r"%etirw%" or Process.CommandLine like r"%golon%" or Process.CommandLine like r"%tninon%" or Process.CommandLine like r"%eddih%" or Process.CommandLine like r"%tpircS%" or Process.CommandLine like r"%ssecorp%" or Process.CommandLine like r"%llehsrewop%" or Process.CommandLine like r"%esnopser%" or Process.CommandLine like r"%daolnwod%" or Process.CommandLine like r"%tneilCbeW%" or Process.CommandLine like r"%tneilc%" or Process.CommandLine like r"%ptth%" or Process.CommandLine like r"%elifotevas%" or Process.CommandLine like r"%46esab%" or Process.CommandLine like r"%htaPpmeTteG%" or Process.CommandLine like r"%tcejbO%" or Process.CommandLine like r"%maerts%" or Process.CommandLine like r"%hcaerof%" or Process.CommandLine like r"%ekovni%" or Process.CommandLine like r"%retupmoc%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
# Branch 1: plain-text "Add-MpPreference " with one of the three -Exclusion*
# parameters. Branch 2: three base64 fragments that appear to be the cmdlet
# name encoded at each of the three byte alignments, so it is found inside a
# longer base64 blob regardless of offset. These fragments cover an 8-bit
# encoding of the text; a -EncodedCommand payload is UTF-16LE and produces
# different base64, so that form is not matched by this rule — TODO confirm.
RuleName = Powershell Defender Exclusion
EventType = Process.Start
Tag = proc-start-powershell-defender-exclusion
RiskScore = 75
Query = ((Process.CommandLine like r"%Add-MpPreference %" and (Process.CommandLine like r"% -ExclusionPath %" or Process.CommandLine like r"% -ExclusionExtension %" or Process.CommandLine like r"% -ExclusionProcess %")) or (Process.CommandLine like r"%QWRkLU1wUHJlZmVyZW5jZ%" or Process.CommandLine like r"%FkZC1NcFByZWZlcmVuY2%" or Process.CommandLine like r"%BZGQtTXBQcmVmZXJlbmNl%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects attackers attempting to disable Windows Defender using Powershell
# Branch 1: powershell.exe passing -DisableBehaviorMonitoring or
# -DisableRuntimeMonitoring with $true. Branches 2 and 3: "sc stop WinDefend"
# and "sc config WinDefend start=disabled" forms, matched as three/four
# separate substrings with no image constraint — "sc" and "stop" are short and
# only the WinDefend service name makes these branches selective.
RuleName = Powershell Used To Disable Windows Defender AV Security Monitoring
EventType = Process.Start
Tag = proc-start-powershell-used-to-disable-windows-defender-av-security-monitoring
RiskScore = 75
Query = ((Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%-DisableBehaviorMonitoring $true%" or Process.CommandLine like r"%-DisableRuntimeMonitoring $true%")) or (Process.CommandLine like r"%sc%" and Process.CommandLine like r"%stop%" and Process.CommandLine like r"%WinDefend%") or (Process.CommandLine like r"%sc%" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%WinDefend%" and Process.CommandLine like r"%start=disabled%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious FromBase64String expressions in command line arguments
# Single substring match on "::FromBase64String(" with no image constraint;
# the only unparenthesised Query in this group of rules, which is fine for a
# single term.
RuleName = FromBase64String Command Line
EventType = Process.Start
Tag = proc-start-frombase64string-command-line
RiskScore = 75
Query = Process.CommandLine like r"%::FromBase64String(%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
# powershell.exe with "new-object system.net.sockets.tcpclient" on the command
# line. The pattern is written in lowercase; whether mixed-case invocations
# match depends on the query engine's case handling — TODO confirm.
RuleName = Powershell Reverse Shell Connection
EventType = Process.Start
Tag = proc-start-powershell-reverse-shell-connection
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%new-object system.net.sockets.tcpclient%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious PowerShell invocation with a parameter substring
# Enumerates the truncated spellings PowerShell accepts for -WindowStyle Hidden,
# -NoProfile, -NonInteractive and -EncodedCommand (PowerShell resolves any
# unambiguous prefix). Patterns are space-bounded so they match whole tokens;
# the full, unabbreviated parameter names are deliberately not listed here.
RuleName = Suspicious PowerShell Parameter Substring
EventType = Process.Start
Tag = proc-start-suspicious-powershell-parameter-substring
RiskScore = 75
Query = ((Process.Path like r"%\\Powershell.exe") and (Process.CommandLine like r"% -windowstyle h %" or Process.CommandLine like r"% -windowstyl h%" or Process.CommandLine like r"% -windowsty h%" or Process.CommandLine like r"% -windowst h%" or Process.CommandLine like r"% -windows h%" or Process.CommandLine like r"% -windo h%" or Process.CommandLine like r"% -wind h%" or Process.CommandLine like r"% -win h%" or Process.CommandLine like r"% -wi h%" or Process.CommandLine like r"% -win h %" or Process.CommandLine like r"% -win hi %" or Process.CommandLine like r"% -win hid %" or Process.CommandLine like r"% -win hidd %" or Process.CommandLine like r"% -win hidde %" or Process.CommandLine like r"% -NoPr %" or Process.CommandLine like r"% -NoPro %" or Process.CommandLine like r"% -NoProf %" or Process.CommandLine like r"% -NoProfi %" or Process.CommandLine like r"% -NoProfil %" or Process.CommandLine like r"% -nonin %" or Process.CommandLine like r"% -nonint %" or Process.CommandLine like r"% -noninte %" or Process.CommandLine like r"% -noninter %" or Process.CommandLine like r"% -nonintera %" or Process.CommandLine like r"% -noninterac %" or Process.CommandLine like r"% -noninteract %" or Process.CommandLine like r"% -noninteracti %" or Process.CommandLine like r"% -noninteractiv %" or Process.CommandLine like r"% -ec %" or Process.CommandLine like r"% -encodedComman %" or Process.CommandLine like r"% -encodedComma %" or Process.CommandLine like r"% -encodedComm %" or Process.CommandLine like r"% -encodedCom %" or Process.CommandLine like r"% -encodedCo %" or Process.CommandLine like r"% -encodedC %" or Process.CommandLine like r"% -encoded %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% -encod %" or Process.CommandLine like r"% -enco %" or Process.CommandLine like r"% -en %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
# schtasks.exe started by powershell.exe with /Create, /SC, a trigger or the
# default "Updater" task name, /TN, /TR and a powershell action. All terms are
# ANDed, so changing the default task name in the framework configuration
# defeats this rule.
RuleName = Default PowerSploit and Empire Schtasks Persistence
EventType = Process.Start
Tag = proc-start-default-powersploit-and-empire-schtasks-persistence
RiskScore = 75
Query = (Parent.Path like r"%\\powershell.exe" and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%/SC%" and (Process.CommandLine like r"%ONLOGON%" or Process.CommandLine like r"%DAILY%" or Process.CommandLine like r"%ONIDLE%" or Process.CommandLine like r"%Updater%") and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%Updater%" and Process.CommandLine like r"%/TR%" and Process.CommandLine like r"%powershell%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a process memory dump performed by RdrLeakDiag.exe
# Uses an exact Process.Name comparison (==) rather than a like pattern, so a
# renamed copy of the tool is not matched; "fullmemdmp" must appear on the
# command line.
RuleName = Process Dump via RdrLeakDiag.exe
EventType = Process.Start
Tag = proc-start-process-dump-via-rdrleakdiag.exe
RiskScore = 75
Query = (Process.Name == "RdrLeakDiag.exe" and Process.CommandLine like r"%fullmemdmp%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
# Matches the MiniDump export by ordinal (#24) or by name, with either "," or
# " " separating it from the DLL name. The "#" inside the value is part of the
# pattern, not a comment — this relies on the parser treating "#" as a comment
# marker only at the start of a line, as it does elsewhere in this file.
RuleName = Process Dump via Rundll32 and Comsvcs.dll
EventType = Process.Start
Tag = proc-start-process-dump-via-rundll32-and-comsvcs.dll
RiskScore = 75
Query = (Process.CommandLine like r"%comsvcs.dll,#24%" or Process.CommandLine like r"%comsvcs.dll,MiniDump%" or Process.CommandLine like r"%comsvcs.dll MiniDump%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects RDP session hijacking by using MSTSC shadowing
# Both "noconsentprompt" and "shadow:" must appear on the command line; there
# is no image constraint, so the rule also fires when these switches are
# passed through a wrapper rather than mstsc.exe itself.
RuleName = MSTSC Shadowing
EventType = Process.Start
Tag = proc-start-mstsc-shadowing
RiskScore = 75
Query = (Process.CommandLine like r"%noconsentprompt%" and Process.CommandLine like r"%shadow:%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects actions caused by the RedMimicry Winnti playbook
# Match: image path contains rundll32.exe or cmd.exe and the command line references one of the
# playbook artifacts (gthread-3.6.dll, \Windows\Temp\tmp.bat, sigcmm-2.4.dll).
RuleName = RedMimicry Winnti Playbook Execute
EventType = Process.Start
Tag = proc-start-redmimicry-winnti-playbook-execute
RiskScore = 75
Query = ((Process.Path like r"%rundll32.exe%" or Process.Path like r"%cmd.exe%") and (Process.CommandLine like r"%gthread-3.6.dll%" or Process.CommandLine like r"%\\Windows\\Temp\\tmp.bat%" or Process.CommandLine like r"%sigcmm-2.4.dll%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the export of a critical Registry key to a file.
# Match: regedit.exe invoked with " /E ", an HKLM reference (hklm or hkey_local_machine), and a command line
# that ends with \system, \sam or \security (the hive patterns carry no trailing wildcard).
RuleName = Exports Critical Registry Keys To a File
EventType = Process.Start
Tag = proc-start-exports-critical-registry-keys-to-a-file
RiskScore = 75
Query = (Process.Path like r"%\\regedit.exe" and Process.CommandLine like r"% /E %" and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
# Match: Process.Name equals one of the listed tool names while Process.Path does not end with any of the
# corresponding file names (psexec.c in the name list pairs with psexec.exe / psexec64.exe in the path list).
# NOTE(review): this only works if Process.Name carries the PE OriginalFileName rather than the on-disk file
# name; if it is the on-disk name, the two clauses contradict each other and the rule can never fire - confirm
# against the field reference.
RuleName = Highly Relevant Renamed Binary
EventType = Process.Start
Tag = proc-start-highly-relevant-renamed-binary
RiskScore = 75
Query = ((Process.Name like r"powershell.exe" or Process.Name like r"powershell\_ise.exe" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"mshta.exe" or Process.Name like r"regsvr32.exe" or Process.Name like r"wmic.exe" or Process.Name like r"certutil.exe" or Process.Name like r"rundll32.exe" or Process.Name like r"cmstp.exe" or Process.Name like r"msiexec.exe") and not ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
# Match: either explorer.exe launches something whose command line references C:\Windows\Temp\meg.exe, or the
# process name is meg.exe while the image path does not end with \meg.exe (renamed copy).
RuleName = Renamed MegaSync
EventType = Process.Start
Tag = proc-start-renamed-megasync
RiskScore = 75
Query = ((Parent.Path like r"%\\explorer.exe" and Process.CommandLine like r"%C:\\Windows\\Temp\\meg.exe%") or (Process.Name == "meg.exe" and not (Process.Path like r"%\\meg.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
# Match: the whole command line equals "rundll32.exe" - no path prefix, no arguments. A full-path invocation
# without arguments is not matched by this equality.
RuleName = Rundll32 Without Parameters
EventType = Process.Start
Tag = proc-start-rundll32-without-parameters
RiskScore = 75
Query = Process.CommandLine == "rundll32.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects PowerShell script execution from Alternate Data Stream (ADS)
# Match: powershell.exe spawned by powershell.exe with a command line containing both Get-Content and -Stream.
RuleName = Run PowerShell Script from ADS
EventType = Process.Start
Tag = proc-start-run-powershell-script-from-ads
RiskScore = 75
Query = (Parent.Path like r"%\\powershell.exe" and Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Get-Content%" and Process.CommandLine like r"%-Stream%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious child process of Script Event Consumer (scrcons.exe).
# Match: parent image ends with \scrcons.exe and the child is one of the listed script hosts, LOLBins or build tools.
RuleName = Script Event Consumer Spawning Process
EventType = Process.Start
Tag = proc-start-script-event-consumer-spawning-process
RiskScore = 75
Query = ((Parent.Path like r"%\\scrcons.exe") and (Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msbuild.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
# Match: sdbinst.exe with an .sdb argument; command lines referencing iisexpressshim.sdb are excluded.
RuleName = Possible Shim Database Persistence via sdbinst.exe
EventType = Process.Start
Tag = proc-start-possible-shim-database-persistence-via-sdbinst.exe
RiskScore = 75
Query = ((Process.Path like r"%\\sdbinst.exe" and Process.CommandLine like r"%.sdb%") and not ((Process.CommandLine like r"%iisexpressshim.sdb%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious child process of a mshta.exe process
# Match: parent image ends with \mshta.exe and the child is powershell.exe, cmd.exe or WScript.exe.
RuleName = Mshta Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mshta-spawning-windows-shell
RiskScore = 75
Query = (Parent.Path like r"%\\mshta.exe" and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\WScript.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Atbroker executing non-default Assistive Technology applications
# Match: AtBroker.exe with "start" on the command line, unless the command line names one of the listed
# built-in Assistive Technology identifiers. Anything not on that allow-list (e.g. a custom AT registration) fires.
RuleName = Suspicious Atbroker Execution
EventType = Process.Start
Tag = proc-start-suspicious-atbroker-execution
RiskScore = 75
Query = ((Process.Path like r"%AtBroker.exe" and Process.CommandLine like r"%start%") and not ((Process.CommandLine like r"%animations%" or Process.CommandLine like r"%audiodescription%" or Process.CommandLine like r"%caretbrowsing%" or Process.CommandLine like r"%caretwidth%" or Process.CommandLine like r"%colorfiltering%" or Process.CommandLine like r"%cursorscheme%" or Process.CommandLine like r"%filterkeys%" or Process.CommandLine like r"%focusborderheight%" or Process.CommandLine like r"%focusborderwidth%" or Process.CommandLine like r"%highcontrast%" or Process.CommandLine like r"%keyboardcues%" or Process.CommandLine like r"%keyboardpref%" or Process.CommandLine like r"%magnifierpane%" or Process.CommandLine like r"%messageduration%" or Process.CommandLine like r"%minimumhitradius%" or Process.CommandLine like r"%mousekeys%" or Process.CommandLine like r"%Narrator%" or Process.CommandLine like r"%osk%" or Process.CommandLine like r"%overlappedcontent%" or Process.CommandLine like r"%showsounds%" or Process.CommandLine like r"%soundsentry%" or Process.CommandLine like r"%stickykeys%" or Process.CommandLine like r"%togglekeys%" or Process.CommandLine like r"%windowarranging%" or Process.CommandLine like r"%windowtracking%" or Process.CommandLine like r"%windowtrackingtimeout%" or Process.CommandLine like r"%windowtrackingzorder%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
# Match: command line contains "\calc.exe " followed by further text (i.e. arguments), or the image ends with
# \calc.exe but does not live under \Windows\Sys* (System32 / SysWOW64 are exempted by the prefix).
RuleName = Suspicious Calculator Usage
EventType = Process.Start
Tag = proc-start-suspicious-calculator-usage
RiskScore = 75
Query = (Process.CommandLine like r"%\\calc.exe %" or (Process.Path like r"%\\calc.exe" and not (Process.Path like r"%\\Windows\\Sys%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
# Match: the first group looks only at the command line (" -decode ", " -urlcache ", " /encode ", ...) and is not
# anchored to certutil.exe, so any process using these switch spellings fires; the second group requires the
# certutil.exe image together with "URL" or "ping" on the command line.
RuleName = Suspicious Certutil Command
EventType = Process.Start
Tag = proc-start-suspicious-certutil-command
RiskScore = 75
Query = ((Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -decodehex %" or Process.CommandLine like r"% -urlcache %" or Process.CommandLine like r"% -verifyctl %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% /decode %" or Process.CommandLine like r"% /decodehex %" or Process.CommandLine like r"% /urlcache %" or Process.CommandLine like r"% /verifyctl %" or Process.CommandLine like r"% /encode %") or (Process.Path like r"%\\certutil.exe" and (Process.CommandLine like r"%URL%" or Process.CommandLine like r"%ping%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious command line arguments of common data compression tools
# Match: a 7z*.exe / *rar.exe / "Command Line RAR" process using one of the password, timestamp, delete-after,
# or header-encryption style switches; processes whose parent image starts with C:\Program are excluded.
RuleName = Suspicious Compression Tool Parameters
EventType = Process.Start
Tag = proc-start-suspicious-compression-tool-parameters
RiskScore = 75
Query = (((Process.Name like r"7z%.exe" or Process.Name like r"%rar.exe" or Process.Name like r"%Command%Line%RAR%") and (Process.CommandLine like r"% -p%" or Process.CommandLine like r"% -ta%" or Process.CommandLine like r"% -tb%" or Process.CommandLine like r"% -sdel%" or Process.CommandLine like r"% -dw%" or Process.CommandLine like r"% -hp%")) and not (Parent.Path like r"C:\\Program%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

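[ActivityMonitoringRule]
# Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
# Match: parent image is System32\control.exe, child image ends with \rundll32.exe, and the command line does
# not reference Shell32.dll.
# Fix: the child-image pattern previously ended with a trailing space ("%\\rundll32.exe "), which no image path
# can end with, so the rule could never fire. The space is removed; it looks like a carried-over upstream typo.
RuleName = Suspicious Control Panel DLL Load
EventType = Process.Start
Tag = proc-start-suspicious-control-panel-dll-load
RiskScore = 75
Query = ((Parent.Path like r"%\\System32\\control.exe" and Process.Path like r"%\\rundll32.exe") and not (Process.CommandLine like r"%Shell32.dll%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP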

[ActivityMonitoringRule]
# Detects a suspicious copy command to or from an Admin share
# Match: robocopy/xcopy, cmd.exe with "copy", or powershell with a copy verb, combined with a command line that
# contains "$" and satisfies the "%\\\\\*" pattern.
# NOTE(review): "%\\\\\*" has no trailing wildcard and ends in an escaped "\*"; if the engine treats "\*" as a
# literal asterisk this clause only matches command lines ending in "\\*", which is unlikely to be the intended
# UNC-share check - confirm the like-escape semantics against the query language reference.
RuleName = Copy from Admin Share
EventType = Process.Start
Tag = proc-start-copy-from-admin-share
RiskScore = 75
Query = ((((Process.Path like r"%\\robocopy.exe" or Process.Path like r"%\\xcopy.exe") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%copy%")) or (Process.Path like r"%\\powershell%" and (Process.CommandLine like r"%copy-item%" or Process.CommandLine like r"%copy%" or Process.CommandLine like r"%cpi %" or Process.CommandLine like r"% cp %"))) and (Process.CommandLine like r"%\\\\\*" and Process.CommandLine like r"%$%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious command lines used in Covenant launchers
# Match: either the -Sta/-Nop/-Window Hidden switch combination together with -Command or -EncodedCommand, or
# one of the fixed launcher strings (MemoryStream stub, "mshta file.hta", GruntHTTP, the known encoded prefix).
# Neither branch is anchored to a powershell image; the switch combination is checked on any process.
RuleName = Covenant Launcher Indicators
EventType = Process.Start
Tag = proc-start-covenant-launcher-indicators
RiskScore = 75
Query = ((Process.CommandLine like r"%-Sta%" and Process.CommandLine like r"%-Nop%" and Process.CommandLine like r"%-Window%" and Process.CommandLine like r"%Hidden%" and (Process.CommandLine like r"%-Command%" or Process.CommandLine like r"%-EncodedCommand%")) or (Process.CommandLine like r"%sv o (New-Object IO.MemorySteam);sv d %" or Process.CommandLine like r"%mshta file.hta%" or Process.CommandLine like r"%GruntHTTP%" or Process.CommandLine like r"%-EncodedCommand cwB2ACAAbwAgA%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect various execution methods of the CrackMapExec pentesting framework
# Match: a cmd.exe /Q /c or /C invocation whose output is redirected to a UNC or Temp path (the "\%" sequences
# are escaped literal percent signs inside the pattern), combined with the framework's fixed powershell.exe
# switch sequences (-exec bypass -noni -nop -w 1 -C, or -noni -nop -w 1 -enc).
RuleName = CrackMapExec Command Execution
EventType = Process.Start
Tag = proc-start-crackmapexec-command-execution
RiskScore = 75
Query = ((Process.CommandLine like r"%cmd.exe /Q /c % 1> \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > %\\Temp\\% 2>&1") and (Process.CommandLine like r"%powershell.exe -exec bypass -noni -nop -w 1 -C \"%" or Process.CommandLine like r"%powershell.exe -noni -nop -w 1 -enc %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
# Match: command line contains powershell.exe plus one of the fixed obfuscation fragments ($ShellId / $PSHome /
# $env:Public / $env:ComSpec index-join tricks, or a generic "join ... split" sequence).
RuleName = CrackMapExec PowerShell Obfuscation
EventType = Process.Start
Tag = proc-start-crackmapexec-powershell-obfuscation
RiskScore = 75
Query = (Process.CommandLine like r"%powershell.exe%" and (Process.CommandLine like r"%join%split%" or Process.CommandLine like r"%( $ShellId[1]+$ShellId[13]+'x')%" or Process.CommandLine like r"%( $PSHome[%]+$PSHOME[%]+%" or Process.CommandLine like r"%( $env:Public[13]+$env:Public[5]+'x')%" or Process.CommandLine like r"%( $env:ComSpec[4,%,25]-Join'')%" or Process.CommandLine like r"%[1,3]+'x'-Join'')%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious parent of csc.exe, which could be a sign of payload delivery
# Match: child image ends with \csc.exe and the parent is wscript.exe, cscript.exe or mshta.exe.
RuleName = Suspicious Parent of Csc.exe
EventType = Process.Start
Tag = proc-start-suspicious-parent-of-csc.exe
RiskScore = 75
Query = (Process.Path like r"%\\csc.exe" and (Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
# Match: csc.exe with \AppData\ or \Windows\Temp\ on the command line. Exclusions: parents under
# C:\Program Files, sdiagnhost.exe / w3wp.exe parents, and parents whose command line references the
# Windows Defender ATP ProgramData folder.
RuleName = Suspicious Csc.exe Source File Folder
EventType = Process.Start
Tag = proc-start-suspicious-csc.exe-source-file-folder
RiskScore = 75
Query = ((Process.Path like r"%\\csc.exe" and (Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%")) and not (Parent.Path like r"C:\\Program Files%" or (Parent.Path like r"%\\sdiagnhost.exe" or Parent.Path like r"%\\w3wp.exe") or (Parent.CommandLine like r"%\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process injection using ZOHO's dctask64.exe
# Match: image ends with \dctask64.exe; invocations whose command line references the DesktopCentral_Agent\agent
# folder are excluded (the "\_" is an escaped literal underscore).
RuleName = ZOHO Dctask64 Process Injection
EventType = Process.Start
Tag = proc-start-zoho-dctask64-process-injection
RiskScore = 75
Query = ((Process.Path like r"%\\dctask64.exe") and not ((Process.CommandLine like r"%DesktopCentral\_Agent\\agent%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
# Match: a " /lockscreenurl:" argument whose command line does not mention a .jpg/.jpeg/.png target, or a
# "reg delete" of the \PersonalizationCSP key. Neither branch is anchored to the desktopimgdownldr.exe image.
RuleName = Suspicious Desktopimgdownldr Command
EventType = Process.Start
Tag = proc-start-suspicious-desktopimgdownldr-command
RiskScore = 75
Query = ((Process.CommandLine like r"% /lockscreenurl:%" and not ((Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.png%"))) or (Process.CommandLine like r"%reg delete%" and Process.CommandLine like r"%\\PersonalizationCSP%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command that is used to disable or delete Windows eventlog via logman Windows utility
# Match: command line contains "logman ", a "stop " or "delete " verb, and the EventLog-System trace session name.
RuleName = Disable or Delete Windows Eventlog
EventType = Process.Start
Tag = proc-start-disable-or-delete-windows-eventlog
RiskScore = 75
Query = ((Process.CommandLine like r"%logman %") and (Process.CommandLine like r"%stop %" or Process.CommandLine like r"%delete %") and (Process.CommandLine like r"%EventLog-System%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
# Match: a " -name <value> " / " -value <n> " pair for IEHarden=0, DEPOff=1 or DisableFirstRunCustomize=2 on
# any process command line (no image restriction).
RuleName = Disabled IE Security Features
EventType = Process.Start
Tag = proc-start-disabled-ie-security-features
RiskScore = 75
Query = ((Process.CommandLine like r"% -name IEHarden %" and Process.CommandLine like r"% -value 0 %") or (Process.CommandLine like r"% -name DEPOff %" and Process.CommandLine like r"% -value 1 %") or (Process.CommandLine like r"% -name DisableFirstRunCustomize %" and Process.CommandLine like r"% -value 2 %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
# Match: taskkill against RaccineSettings.exe, reg.exe delete of the "Raccine Tray" value, or schtasks /DELETE of
# the "Raccine Rules Updater" task.
RuleName = Raccine Uninstall
EventType = Process.Start
Tag = proc-start-raccine-uninstall
RiskScore = 75
Query = ((Process.CommandLine like r"%taskkill %" and Process.CommandLine like r"%RaccineSettings.exe%") or (Process.CommandLine like r"%reg.exe%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%Raccine Tray%") or (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%/DELETE%" and Process.CommandLine like r"%Raccine Rules Updater%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using Diskshadow.exe to execute arbitrary code in text file
# Match: image ends with \diskshadow.exe and the command line contains "/s" or "-s" (script-file switch).
# The "-s" fragment is short and also matches inside other arguments, so expect some noise on this branch.
RuleName = Execution via Diskshadow.exe
EventType = Process.Start
Tag = proc-start-execution-via-diskshadow.exe
RiskScore = 75
Query = (Process.Path like r"%\\diskshadow.exe" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%-s%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
# Match: image ends with \ditsnap.exe, or the command line mentions ditsnap.exe anywhere.
RuleName = DIT Snapshot Viewer Use
EventType = Process.Start
Tag = proc-start-dit-snapshot-viewer-use
RiskScore = 75
Query = ((Process.Path like r"%\\ditsnap.exe") or (Process.CommandLine like r"%ditsnap.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomware during the attack (seen by NotPetya and others).
# Match: powershell.exe with Clear-/Remove-/Limit-EventLog, wmic.exe with " ClearEventLog ", or wevtutil.exe with
# clear-log / " cl " / set-log / " sl ".
RuleName = Suspicious Eventlog Clear or Configuration Using Wevtutil
EventType = Process.Start
Tag = proc-start-suspicious-eventlog-clear-or-configuration-using-wevtutil
RiskScore = 75
Query = (((Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%Clear-EventLog%" or Process.CommandLine like r"%Remove-EventLog%" or Process.CommandLine like r"%Limit-EventLog%")) or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"% ClearEventLog %")) or (Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log%" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log%" or Process.CommandLine like r"% sl %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious execution from an uncommon folder
# Match: image path contains one of the listed system/profile folders that normally hold no executables, or
# starts with C:\Perflogs\. Each entry ends with "\\%", so sub-folders are included.
RuleName = Execution from Suspicious Folder
EventType = Process.Start
Tag = proc-start-execution-from-suspicious-folder
RiskScore = 75
Query = ((Process.Path like r"%\\$Recycle.bin\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Intel\\Logs\\%" or Process.Path like r"%\\RSA\\MachineKeys\\%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\NetworkService\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\Windows\\addins\\%" or Process.Path like r"%\\Windows\\debug\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\Help\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\Media\\%" or Process.Path like r"%\\Windows\\repair\\%" or Process.Path like r"%\\Windows\\security\\%" or Process.Path like r"%\\Windows\\system32\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%" or Process.Path like r"%\\Windows\\Tasks\\%") or Process.Path like r"C:\\Perflogs\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
# Match: any image ending with \finger.exe, regardless of arguments or parent.
RuleName = Finger.exe Suspicious Invocation
EventType = Process.Start
Tag = proc-start-finger.exe-suspicious-invocation
RiskScore = 75
Query = Process.Path like r"%\\finger.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomware during the attack (seen by NotPetya and others).
# Match: fsutil.exe (by path suffix or by name) with deletejournal or createjournal on the command line.
RuleName = Fsutil Suspicious Invocation
EventType = Process.Start
Tag = proc-start-fsutil-suspicious-invocation
RiskScore = 75
Query = ((Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and (Process.CommandLine like r"%deletejournal%" or Process.CommandLine like r"%createjournal%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
# Match: image ends with \GUP.exe but is not in one of the four expected Notepad++ updater locations
# (per-user AppData Local/Roaming, Program Files, Program Files (x86)).
RuleName = Suspicious GUP Usage
EventType = Process.Start
Tag = proc-start-suspicious-gup-usage
RiskScore = 75
Query = (Process.Path like r"%\\GUP.exe" and not ((Process.Path like r"%\\Users\\%\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Users\\%\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files (x86)\\Notepad++\\updater\\GUP.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious mshta process patterns
# Match: image ends with \mshta.exe and any of: parent is cmd.exe/powershell.exe, command line references
# AppData\Local, C:\Windows\Temp or C:\Users\Public, image is outside System32/SysWOW64, or the command line is
# not the plain "<mshta> <file>.hta/.htm" form. The last two branches are negations, so they are broad by design.
RuleName = Suspicious MSHTA Process Patterns
EventType = Process.Start
Tag = proc-start-suspicious-mshta-process-patterns
RiskScore = 75
Query = (Process.Path like r"%\\mshta.exe" and ((((Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe") or (Process.CommandLine like r"%\\AppData\\Local%" or Process.CommandLine like r"%C:\\Windows\\Temp%" or Process.CommandLine like r"%C:\\Users\\Public%")) or not ((Process.Path like r"%C:\\Windows\\System32%" or Process.Path like r"%C:\\Windows\\SysWOW64%"))) or not ((Process.CommandLine like r"%.htm%" or Process.CommandLine like r"%.hta%") and (Process.CommandLine like r"%mshta.exe" or Process.CommandLine like r"%mshta"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts in an uncommon directory
# Match: image ends with \msiexec.exe and its path does not start with C:\Windows\System32\, C:\Windows\SysWOW64\
# or C:\Windows\WinSxS\. A Windows installation on another drive letter would fire this rule.
RuleName = Suspicious MsiExec Directory
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-directory
RiskScore = 75
Query = (Process.Path like r"%\\msiexec.exe" and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects an Office binary started with a URL on its command line (payload download from a remote server)
# Match: image ends with \powerpnt.exe, \winword.exe or \excel.exe and the command line contains "http".
RuleName = Malicious Payload Download via Office Binaries
EventType = Process.Start
Tag = proc-start-malicious-payload-download-via-office-binaries
RiskScore = 75
Query = ((Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe") and Process.CommandLine like r"%http%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects persistence via netsh helper
# Match: image ends with \netsh.exe and the command line contains both "add" and "helper".
RuleName = Suspicious Netsh DLL Persistence
EventType = Process.Start
Tag = proc-start-suspicious-netsh-dll-persistence
RiskScore = 75
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%helper%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
# Match: three branches. The first (" tcp 139/445/3389/5985/5986") and second (" start " with --all, --config and
# .yml) look only at the command line and are not anchored to the ngrok image, so other tools using the same
# argument shapes will fire them; only the third branch requires an image ending in ngrok.exe.
RuleName = Ngrok Usage
EventType = Process.Start
Tag = proc-start-ngrok-usage
RiskScore = 75
Query = ((Process.CommandLine like r"% tcp 139%" or Process.CommandLine like r"% tcp 445%" or Process.CommandLine like r"% tcp 3389%" or Process.CommandLine like r"% tcp 5985%" or Process.CommandLine like r"% tcp 5986%") or (Process.CommandLine like r"% start %" and Process.CommandLine like r"%--all%" and Process.CommandLine like r"%--config%" and Process.CommandLine like r"%.yml%") or ((Process.Path like r"%ngrok.exe") and (Process.CommandLine like r"% tcp %" or Process.CommandLine like r"% http %" or Process.CommandLine like r"% authtoken %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# OpenWith.exe executing another binary
# Match: image ends with \OpenWith.exe and the command line contains "/c".
RuleName = OpenWith.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-openwith.exe-executes-specified-binary
RiskScore = 75
Query = (Process.Path like r"%\\OpenWith.exe" and Process.CommandLine like r"%/c%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
# Match: command line contains EnableUnsafeClientMailRules, or outlook.exe is the parent and the child command
# line contains ".exe" and satisfies the "%\\\\\*" and "%\\\*" patterns.
# NOTE(review): both path patterns end in an escaped "\*" with no trailing wildcard; if the engine treats "\*" as a
# literal asterisk they only match command lines ending in a backslash-asterisk, which is unlikely to be the
# intended UNC-path check - confirm the like-escape semantics against the query language reference.
RuleName = Suspicious Execution from Outlook
EventType = Process.Start
Tag = proc-start-suspicious-execution-from-outlook
RiskScore = 75
Query = (Process.CommandLine like r"%EnableUnsafeClientMailRules%" or (Parent.Path like r"%\\outlook.exe" and Process.CommandLine like r"%\\\\\*" and Process.CommandLine like r"%\\\*" and Process.CommandLine like r"%.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious program execution in Outlook temp folder
# Match: image path contains \Temporary Internet Files\Content.Outlook\ (where Outlook stages opened attachments).
RuleName = Execution in Outlook Temp Folder
EventType = Process.Start
Tag = proc-start-execution-in-outlook-temp-folder
RiskScore = 75
Query = Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a ping command that uses a hex encoded IP address
# Match: image ends with \ping.exe and the command line contains "0x".
RuleName = Ping Hex IP
EventType = Process.Start
Tag = proc-start-ping-hex-ip
RiskScore = 75
Query = (Process.Path like r"%\\ping.exe" and Process.CommandLine like r"%0x%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious encoded character syntax often used for defense evasion
# Match: command line contains the literal "(WCHAR)0x" cast syntax; no image restriction.
RuleName = PowerShell Encoded Character Syntax
EventType = Process.Start
Tag = proc-start-powershell-encoded-character-syntax
RiskScore = 75
Query = Process.CommandLine like r"%(WCHAR)0x%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
# Match: " -e" with a " JAB" payload plus " -w" " hidden ", or " -e" with one of the known base64 prefixes of
# common cmdlets, or a ".exe -ENCOD " invocation. Command lines carrying " -ExecutionPolicy" together with
# "remotesigned " are excluded. The rule is not anchored to a powershell image.
RuleName = Suspicious Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-suspicious-encoded-powershell-command-line
RiskScore = 75
Query = (((Process.CommandLine like r"% -e%" and Process.CommandLine like r"% JAB%" and Process.CommandLine like r"% -w%" and Process.CommandLine like r"% hidden %") or (Process.CommandLine like r"% -e%" and (Process.CommandLine like r"% BA^J%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aQBlAHgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% IAA%" or Process.CommandLine like r"% IAB%" or Process.CommandLine like r"% UwB%" or Process.CommandLine like r"% cwB%")) or (Process.CommandLine like r"%.exe -ENCOD %")) and not (Process.CommandLine like r"% -ExecutionPolicy%" and Process.CommandLine like r"%remotesigned %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
# Match: command line contains "Get-Process lsass"; no image restriction.
RuleName = PowerShell Get-Process LSASS
EventType = Process.Start
Tag = proc-start-powershell-get-process-lsass
RiskScore = 75
Query = (Process.CommandLine like r"%Get-Process lsass%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

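[ActivityMonitoringRule]
# Detects base64 encoded strings used in hidden malicious PowerShell command lines
# Requires powershell.exe with a " hidden " argument plus at least one of the base64 fragments below.
# The fragments appear to be the base64 alignments (UTF-8 and UTF-16LE) of keywords such as
# "bitsadmin /transfer", "chunk_size", "IO.Compression", "IO.MemoryStream", "GetChunk",
# "THREAD_INFO64", "CreateRemoteThread" and "memmove".
# NOTE(review): the Query value was wrapped onto a second line in the source; a second line is not a
# continuation in this format and would be read as a separate, malformed entry, so it is kept on one line.
RuleName = Malicious Base64 Encoded PowerShell Keywords in Command Lines
EventType = Process.Start
Tag = proc-start-malicious-base64-encoded-powershell-keywords-in-command-lines
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"% hidden %" and (Process.CommandLine like r"%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%" or Process.CommandLine like r"%aXRzYWRtaW4gL3RyYW5zZmVy%" or Process.CommandLine like r"%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%" or Process.CommandLine like r"%JpdHNhZG1pbiAvdHJhbnNmZX%" or Process.CommandLine like r"%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%" or Process.CommandLine like r"%Yml0c2FkbWluIC90cmFuc2Zlc%" or Process.CommandLine like r"%AGMAaAB1AG4AawBfAHMAaQB6AGUA%" or Process.CommandLine like r"%JABjAGgAdQBuAGsAXwBzAGkAegBlA%" or Process.CommandLine like r"%JGNodW5rX3Npem%" or Process.CommandLine like r"%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%" or Process.CommandLine like r"%RjaHVua19zaXpl%" or Process.CommandLine like r"%Y2h1bmtfc2l6Z%" or Process.CommandLine like r"%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%" or Process.CommandLine like r"%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%" or Process.CommandLine like r"%lPLkNvbXByZXNzaW9u%" or Process.CommandLine like r"%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%" or Process.CommandLine like r"%SU8uQ29tcHJlc3Npb2%" or Process.CommandLine like r"%Ty5Db21wcmVzc2lvb%" or Process.CommandLine like r"%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%" or Process.CommandLine like r"%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%" or Process.CommandLine like r"%lPLk1lbW9yeVN0cmVhb%" or Process.CommandLine like r"%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%" or Process.CommandLine like r"%SU8uTWVtb3J5U3RyZWFt%" or Process.CommandLine like r"%Ty5NZW1vcnlTdHJlYW%" or Process.CommandLine like r"%4ARwBlAHQAQwBoAHUAbgBrA%" or Process.CommandLine like r"%5HZXRDaHVua%" or Process.CommandLine like r"%AEcAZQB0AEMAaAB1AG4Aaw%" or Process.CommandLine like r"%LgBHAGUAdABDAGgAdQBuAGsA%" or Process.CommandLine like r"%LkdldENodW5r%" or Process.CommandLine like r"%R2V0Q2h1bm%" or Process.CommandLine like r"%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%" or Process.CommandLine like r"%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%" or Process.CommandLine like r"%RIUkVBRF9JTkZPNj%" or Process.CommandLine like r"%SFJFQURfSU5GTzY0%" or Process.CommandLine like r"%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%" or Process.CommandLine like r"%VEhSRUFEX0lORk82N%" or Process.CommandLine like r"%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%" or Process.CommandLine like r"%cmVhdGVSZW1vdGVUaHJlYW%" or Process.CommandLine like r"%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%" or Process.CommandLine like r"%NyZWF0ZVJlbW90ZVRocmVhZ%" or Process.CommandLine like r"%Q3JlYXRlUmVtb3RlVGhyZWFk%" or Process.CommandLine like r"%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%" or Process.CommandLine like r"%0AZQBtAG0AbwB2AGUA%" or Process.CommandLine like r"%1lbW1vdm%" or Process.CommandLine like r"%AGUAbQBtAG8AdgBlA%" or Process.CommandLine like r"%bQBlAG0AbQBvAHYAZQ%" or Process.CommandLine like r"%bWVtbW92Z%" or Process.CommandLine like r"%ZW1tb3Zl%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP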

[ActivityMonitoringRule]
# Detects suspicious PowerShell scripts accessing SAM hives
# Requires a shadow-copy device path and "ystem32\config\sam" in the same command line together with one of
# the copy forms (Copy-Item, cp/cpi/copy $_., or [..File]::Copy().
# NOTE(review): the "\_" in "cp $\_." presumably escapes the single-character wildcard "_" of the like
# syntax so that the underscore is matched literally - confirm against the query engine.
RuleName = PowerShell SAM Copy
EventType = Process.Start
Tag = proc-start-powershell-sam-copy
RiskScore = 75
Query = (Process.CommandLine like r"%\\HarddiskVolumeShadowCopy%" and Process.CommandLine like r"%ystem32\\config\\sam%" and (Process.CommandLine like r"%Copy-Item%" or Process.CommandLine like r"%cp $\_.%" or Process.CommandLine like r"%cpi $\_.%" or Process.CommandLine like r"%copy $\_.%" or Process.CommandLine like r"%.File]::Copy(%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
# Both patterns require a space on each side, so "-accepteula" as the last token of the command line
# (no trailing space) does not match; the description above shows it without the trailing space.
RuleName = Suspicious Use of Procdump
EventType = Process.Start
Tag = proc-start-suspicious-use-of-procdump
RiskScore = 75
Query = (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"% -accepteula %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
# Two flag combinations are covered: "\127.0.0.1" with " -s " and "cmd.exe", or " /accepteula " with
# "cmd /c ", " -u " and " -p "; command lines that mention paexec or PsExec themselves are excluded.
# NOTE(review): the Tag value contains a "/"; confirm that tag values may carry that character.
RuleName = PsExec/PAExec Flags
EventType = Process.Start
Tag = proc-start-psexec/paexec-flags
RiskScore = 75
Query = (((Process.CommandLine like r"%\\127.0.0.1%" and Process.CommandLine like r"% -s %" and Process.CommandLine like r"%cmd.exe%") or (Process.CommandLine like r"% /accepteula %" and Process.CommandLine like r"%cmd /c %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %")) and not ((Process.CommandLine like r"%paexec%" or Process.CommandLine like r"%PsExec%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
# All three substrings ("powershell", ".DownloadFile", "System.Net.WebClient") must be present in the
# command line; the executable path is not checked, so pwsh/powershell invoked via another host still matches
# as long as the word appears in the command line.
RuleName = PowerShell DownloadFile
EventType = Process.Start
Tag = proc-start-powershell-downloadfile
RiskScore = 75
Query = (Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%.DownloadFile%" and Process.CommandLine like r"%System.Net.WebClient%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
# Matches regedit.exe whose parent image is TrustedInstaller.exe or ProcessHacker.exe; a renamed
# ProcessHacker binary would not be caught because only the parent path is checked.
RuleName = Regedit as Trusted Installer
EventType = Process.Start
Tag = proc-start-regedit-as-trusted-installer
RiskScore = 75
Query = (Process.Path like r"%\\regedit.exe" and (Parent.Path like r"%\\TrustedInstaller.exe" or Parent.Path like r"%\\ProcessHacker.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects various anomalies in relation to regsvr32.exe
# Eight OR'ed cases: regsvr32 with a \Temp\ argument, spawned by powershell/cmd/mshta, spawning wscript,
# launched from EXCEL via a relative ..\..\..\Windows\System32 path, with "/i:" plus an http/ftp URL ending
# in scrobj.dll, or with an AppData\Local or C:\Users\Public argument.
# The scrobj.dll pattern has no trailing "%", so it only matches when scrobj.dll is the last token.
RuleName = Regsvr32 Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%\\Temp\\%") or (Process.Path like r"%\\regsvr32.exe" and Parent.Path like r"%\\powershell.exe") or (Process.Path like r"%\\regsvr32.exe" and Parent.Path like r"%\\cmd.exe") or (Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%/i:%" and (Process.CommandLine like r"%http%" or Process.CommandLine like r"%ftp%") and Process.CommandLine like r"%scrobj.dll") or (Process.Path like r"%\\wscript.exe" and Parent.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\EXCEL.EXE" and Process.CommandLine like r"%..\\..\\..\\Windows\\System32\\regsvr32.exe %") or (Parent.Path like r"%\\mshta.exe" and Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\regsvr32.exe" and (Process.CommandLine like r"%\\AppData\\Local%" or Process.CommandLine like r"%C:\\Users\\Public%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
# Only the colon form " /i:" is matched; "/n" is excluded only when surrounded by spaces, so a "/n" at
# the very end of the command line does not suppress the match.
RuleName = Regsvr32 Flags Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-flags-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"% /i:%") and not (Process.CommandLine like r"% /n %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a regsvr32.exe execution that doesn't contain a DLL in the command line
# Fires for regsvr32.exe unless the command line mentions one of .dll/.ocx/.cpl/.ax/.bav/.ppl or is empty.
# The two trailing exclusions ('' and "") both test for an empty command line and are redundant with
# each other (generator artifact); they are harmless.
RuleName = Regsvr32 Command Line Without DLL
EventType = Process.Start
Tag = proc-start-regsvr32-command-line-without-dll
RiskScore = 75
Query = (((Process.Path like r"%\\regsvr32.exe" and not ((Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.ocx%" or Process.CommandLine like r"%.cpl%" or Process.CommandLine like r"%.ax%" or Process.CommandLine like r"%.bav%" or Process.CommandLine like r"%.ppl%"))) and not (Process.CommandLine == '')) and not (Process.CommandLine == ""))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious reg.exe invocation that looks as if it would disable an important security service
# Matches "reg" + "add" + " /v Start" + " /d 4" (Start=4 is the disabled service start type) targeting one
# of the listed Defender, security-center, boot/network-inspection or update service keys.
# Several service patterns carry a trailing space (e.g. "\Sense ", "\WdBoot "), so those only match when
# the key path is followed by another argument.
RuleName = Reg Disable Security Service
EventType = Process.Start
Tag = proc-start-reg-disable-security-service
RiskScore = 75
Query = (Process.CommandLine like r"%reg%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"% /d 4%" and Process.CommandLine like r"% /v Start%" and (Process.CommandLine like r"%\\Sense %" or Process.CommandLine like r"%\\WinDefend%" or Process.CommandLine like r"%\\MsMpSvc%" or Process.CommandLine like r"%\\NisSrv%" or Process.CommandLine like r"%\\WdBoot %" or Process.CommandLine like r"%\\WdNisDrv%" or Process.CommandLine like r"%\\WdNisSvc%" or Process.CommandLine like r"%\\wscsvc %" or Process.CommandLine like r"%\\SecurityHealthService%" or Process.CommandLine like r"%\\wuauserv%" or Process.CommandLine like r"%\\UsoSvc %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
# Identifies the binary by its import hash and fires when the image name is not dctask64.exe.
# NOTE(review): this rule depends on Process.Hash.IMP being collected for process starts; if import
# hashing is not enabled the comparison can never be true - confirm in the data collection settings.
RuleName = Renamed ZOHO Dctask64
EventType = Process.Start
Tag = proc-start-renamed-zoho-dctask64
RiskScore = 75
Query = (Process.Hash.IMP == "6834B1B94E49701D77CCB3C0895E1AFD" and not (Process.Path like r"%\\dctask64.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
# Matches "\rundll32.exe" together with ",#" (the ordinal export syntax) in the command line; the
# known-benign EDGEHTML.dll ordinal #141 call is excluded.
RuleName = Suspicious Call by Ordinal
EventType = Process.Start
Tag = proc-start-suspicious-call-by-ordinal
RiskScore = 75
Query = ((Process.CommandLine like r"%\\rundll32.exe%" and Process.CommandLine like r"%,#%") and not (Process.CommandLine like r"%EDGEHTML.dll%" and Process.CommandLine like r"%#141%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
# All four substrings (rundll32.exe, Execute, RegRead, window.close) must appear in the command line.
RuleName = Suspicious Rundll32 Invoking Inline VBScript
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-invoking-inline-vbscript
RiskScore = 75
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
# "No parameters" is inferred from the command line ending in "\rundll32.exe"; a quoted path
# ("...\rundll32.exe" followed by a closing quote) does not satisfy the pattern.
# Parents svchost.exe, anything under \AppData\Local\ and \Microsoft\Edge\ are excluded.
RuleName = Suspicious Rundll32 Without Any CommandLine Params
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-without-any-commandline-params
RiskScore = 75
Query = ((Process.CommandLine like r"%\\rundll32.exe" and not (Parent.Path like r"%\\svchost.exe")) and not ((Parent.Path like r"%\\AppData\\Local\\%" or Parent.Path like r"%\\Microsoft\\Edge\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
# Matches "rundll32.exe" with a ".sys" argument that is followed by a comma or a space; a ".sys" at the
# very end of the command line does not match.
RuleName = Suspicious Rundll32 Activity Invoking Sys File
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-activity-invoking-sys-file
RiskScore = 75
Query = (Process.CommandLine like r"%rundll32.exe%" and (Process.CommandLine like r"%.sys,%" or Process.CommandLine like r"%.sys %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of scheduled tasks that involves a temporary folder and runs only once
# schtasks.exe with " /create ", " /sc once " and a "\Temp\" path all in one command line.
# NOTE(review): the schedule type is matched as the literal "once"; whether "like" ignores case
# (e.g. "ONCE") is not stated in this file.
RuleName = Suspicious Scheduled Task Creation Involving Temp Folder
EventType = Process.Start
Tag = proc-start-suspicious-scheduled-task-creation-involving-temp-folder
RiskScore = 75
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and Process.CommandLine like r"% /sc once %" and Process.CommandLine like r"%\\Temp\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
# Matches the client URL parameters "e=Access&" and "y=Guest&" together with the "&p=", "&c=" and "&k="
# parameters in the command line; the executable itself is not checked.
RuleName = ScreenConnect Remote Access
EventType = Process.Start
Tag = proc-start-screenconnect-remote-access
RiskScore = 75
Query = (Process.CommandLine like r"%e=Access&%" and Process.CommandLine like r"%y=Guest&%" and Process.CommandLine like r"%&p=%" and Process.CommandLine like r"%&c=%" and Process.CommandLine like r"%&k=%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious script executions from temporary folder
# Script hosts powershell/mshta/wscript/cscript with a temp-folder path in the command line; command
# lines that redirect output (" >", Out-File, ConvertTo-Json) are excluded.
# NOTE(review): "\%TEMP\%" and "\%TMP\%" presumably escape the "%" wildcard so the environment variable
# reference is matched literally - confirm against the query engine.
RuleName = Suspicious Script Execution From Temp Folder
EventType = Process.Start
Tag = proc-start-suspicious-script-execution-from-temp-folder
RiskScore = 75
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%\\Windows\\Temp%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp%" or Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%\%TMP\%%" or Process.CommandLine like r"%\%LocalAppData\%\\Temp%")) and not ((Process.CommandLine like r"% >%" or Process.CommandLine like r"%Out-File%" or Process.CommandLine like r"%ConvertTo-Json%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious DACL modifications that can be used to hide services or make them unstoppable
# sc.exe sdset with an SDDL deny ACE ("D;;") for one of the trustees IU (interactive users),
# SU (service logon), BA (built-in administrators), SY (local system) or WD (everyone).
RuleName = Suspicious Service DACL Modification
EventType = Process.Start
Tag = proc-start-suspicious-service-dacl-modification
RiskScore = 75
Query = ((Process.Path like r"%\\sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%D;;%" and (Process.CommandLine like r"%;;;IU%" or Process.CommandLine like r"%;;;SU%" or Process.CommandLine like r"%;;;BA%" or Process.CommandLine like r"%;;;SY%" or Process.CommandLine like r"%;;;WD%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a service binary running in a suspicious directory
# Process started by services.exe or svchost.exe from one of the listed unusual locations.
# Most directory patterns are drive-agnostic; only "C:\Perflogs\" is pinned to the C: drive.
RuleName = Suspicious Service Binary Directory
EventType = Process.Start
Tag = proc-start-suspicious-service-binary-directory
RiskScore = 75
Query = ((Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\$Recycle.bin%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Contacts\\%" or Process.Path like r"%\\Users\\Searches\\%" or Process.Path like r"%C:\\Perflogs\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%") and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects service path modification to PowerShell or cmd.
# sc.exe with "config" and "binpath" plus "powershell" or "cmd" in the command line.
# "%cmd%" is a bare substring, so any binpath value containing "cmd" (not only cmd.exe) matches.
RuleName = Suspicious Service Path Modification
EventType = Process.Start
Tag = proc-start-suspicious-service-path-modification
RiskScore = 75
Query = (Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%binpath%" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious Splwow64.exe process without any command line parameters
# "Without parameters" is expressed as the command line NOT ending in "splwow64.exe"; a plain start
# whose command line ends with the image name is therefore treated as benign.
RuleName = Suspicious Splwow64 Without Params
EventType = Process.Start
Tag = proc-start-suspicious-splwow64-without-params
RiskScore = 75
Query = (Process.Path like r"%\\splwow64.exe" and not (Process.CommandLine like r"%splwow64.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Possible Squirrel Packages Manager as Lolbin
# update.exe with one of --processStart / --processStartAndWait / --createShortcut and an ".exe"
# argument. "--processStart" is a prefix of "--processStartAndWait", so the second pattern is redundant.
RuleName = Squirrel Lolbin
EventType = Process.Start
Tag = proc-start-squirrel-lolbin
RiskScore = 75
Query = (Process.Path like r"%\\update.exe" and (Process.CommandLine like r"%--processStart%" or Process.CommandLine like r"%--processStartAndWait%" or Process.CommandLine like r"%--createShortcut%") and Process.CommandLine like r"%.exe%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious svchost process start
# svchost.exe whose parent is none of services.exe, MsMpEng.exe, Mrt.exe, rpcnet.exe or svchost.exe;
# events without a recorded parent path (empty string) are excluded as well.
RuleName = Suspicious Svchost Process
EventType = Process.Start
Tag = proc-start-suspicious-svchost-process
RiskScore = 75
Query = ((Process.Path like r"%\\svchost.exe" and not ((Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\MsMpEng.exe" or Parent.Path like r"%\\Mrt.exe" or Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\svchost.exe"))) and not (Parent.Path == ''))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
# The SYSTEM account is recognised by its English ("NT AUTHORITY\SYSTEM") and French ("AUTORITE NT\Sys")
# display names only; other localisations of the account name are not covered.
RuleName = Taskmgr as LOCAL_SYSTEM
EventType = Process.Start
Tag = proc-start-taskmgr-as-local_system
RiskScore = 75
Query = ((Process.User like r"NT AUTHORITY\\SYSTEM%" or Process.User like r"AUTORITE NT\\Sys%") and Process.Path like r"%\\taskmgr.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a tscon.exe start as LOCAL SYSTEM
# Same SYSTEM-account test as the Taskmgr rule (English and French account names only), applied to
# tscon.exe.
RuleName = Suspicious TSCON Start
EventType = Process.Start
Tag = proc-start-suspicious-tscon-start
RiskScore = 75
Query = ((Process.User like r"NT AUTHORITY\\SYSTEM%" or Process.User like r"AUTORITE NT\\Sys%") and Process.Path like r"%\\tscon.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious RDP session redirect using tscon.exe
# Matches the " /dest:rdp-tcp:" argument in any process's command line; the executable is not checked.
RuleName = Suspicious RDP Redirect Using TSCON
EventType = Process.Start
Tag = proc-start-suspicious-rdp-redirect-using-tscon
RiskScore = 75
Query = Process.CommandLine like r"% /dest:rdp-tcp:%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of CSharp interactive console by PowerShell
# csi.exe spawned by powershell.exe. The Process.Name equality repeats what the Process.Path pattern
# already establishes; it is redundant unless "==" and "like" differ in case handling (not stated here).
RuleName = Suspicious Use of CSharp Interactive Console
EventType = Process.Start
Tag = proc-start-suspicious-use-of-csharp-interactive-console
RiskScore = 75
Query = (Process.Path like r"%\\csi.exe" and Parent.Path like r"%\\powershell.exe" and Process.Name == "csi.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious inline VBScript keywords as used by UNC2452
# Requires Execute, CreateObject, RegRead, window.close and a \Microsoft\Windows\CurrentVersion key in one
# command line; command lines referencing the ...\CurrentVersion\Run key are excluded.
# The RuleName and Tag spell the actor as "UN2452" while this description says "UNC2452"; left as
# generated so that existing dashboards keyed on the tag keep working.
RuleName = Suspicious VBScript UN2452 Pattern
EventType = Process.Start
Tag = proc-start-suspicious-vbscript-un2452-pattern
RiskScore = 75
Query = ((Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%CreateObject%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%" and Process.CommandLine like r"%\\Microsoft\\Windows\\CurrentVersion%") and not ((Process.CommandLine like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects commands that temporarily turn off Volume Snapshots
# "reg" + " add " targeting a \Services\VSS\Diag key with "/d Disabled" in the command line.
RuleName = Disabled Volume Snapshots
EventType = Process.Start
Tag = proc-start-disabled-volume-snapshots
RiskScore = 75
Query = (Process.CommandLine like r"%reg%" and Process.CommandLine like r"% add %" and Process.CommandLine like r"%\\Services\\VSS\\Diag%" and Process.CommandLine like r"%/d Disabled%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of whoami with suspicious parents or parameters
# Two OR'ed branches: (1) whoami.exe whose parent is not cmd.exe/powershell.exe, not the Microsoft
# Monitoring Agent host, and not empty; (2) any command line containing "whoami -all" / "whoami /all"
# (with or without ".exe"), which fires regardless of the parent.
# NOTE(review): 'Parent.Path like r""' (empty pattern) and "Parent.Path == ''" both look like
# generator artifacts for an empty parent path; harmless, but the empty like-pattern is worth confirming.
RuleName = Whoami Execution Anomaly
EventType = Process.Start
Tag = proc-start-whoami-execution-anomaly
RiskScore = 75
Query = ((((Process.Path like r"%\\whoami.exe" and not ((Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe"))) and not ((Parent.Path like r"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe" or Parent.Path like r""))) and not (Parent.Path == '')) or (Process.CommandLine like r"%whoami -all%" or Process.CommandLine like r"%whoami /all%" or Process.CommandLine like r"%whoami.exe -all%" or Process.CommandLine like r"%whoami.exe /all%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMIC executions in which an event consumer gets created in order to establish persistence
# Matches "ActiveScriptEventConsumer" together with " CREATE " in the command line of any process;
# wmic.exe itself is not required, so PowerShell or script-host invocations carrying the same text match too.
RuleName = Suspicious WMIC ActiveScriptEventConsumer Creation
EventType = Process.Start
Tag = proc-start-suspicious-wmic-activescripteventconsumer-creation
RiskScore = 75
Query = (Process.CommandLine like r"%ActiveScriptEventConsumer%" and Process.CommandLine like r"% CREATE %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI executing rundll32
# Matches the "process call create" WMIC verb together with "rundll32" in the same command line.
RuleName = Suspicious WMI Execution Using Rundll32
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution-using-rundll32
RiskScore = 75
Query = (Process.CommandLine like r"%process call create%" and Process.CommandLine like r"%rundll32%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using WorkFolders.exe to execute an arbitrary control.exe
# control.exe spawned by WorkFolders.exe, unless it is the genuine C:\Windows\System32\control.exe.
# The exclusion is pinned to C:\Windows\System32 only; a SysWOW64 or non-C: system copy would still fire.
RuleName = Execution via WorkFolders.exe
EventType = Process.Start
Tag = proc-start-execution-via-workfolders.exe
RiskScore = 75
Query = ((Process.Path like r"%\\control.exe" and Parent.Path like r"%\\WorkFolders.exe") and not (Process.Path like r"C:\\Windows\\System32\\control.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects code execution via the Windows Update client (wuauclt)
# wuauclt.exe started with both "/UpdateDeploymentProvider" and "/RunHandlerComServer" on the command line.
RuleName = Windows Update Client LOLBIN
EventType = Process.Start
Tag = proc-start-windows-update-client-lolbin
RiskScore = 75
Query = (Process.CommandLine like r"%/UpdateDeploymentProvider%" and Process.CommandLine like r"%/RunHandlerComServer%" and (Process.Path like r"%\\wuauclt.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
# auditpol.exe with one of the substrings disable / clear / remove / restore anywhere in the command line.
# Because these are bare substrings, a file name passed to auditpol that happens to contain one of the
# words (e.g. a backup named "...restore...") also matches.
RuleName = Suspicious Auditpol Usage
EventType = Process.Start
Tag = proc-start-suspicious-auditpol-usage
RiskScore = 75
Query = (Process.Path like r"%\\auditpol.exe" and (Process.CommandLine like r"%disable%" or Process.CommandLine like r"%clear%" or Process.CommandLine like r"%remove%" or Process.CommandLine like r"%restore%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect possible Sysmon driver unload
# fltmc.exe with "unload" and "sys" in the command line. "%sys%" is a bare substring, so unloading any
# filter driver whose name contains "sys" satisfies the rule; the Sysmon driver name itself is not checked.
RuleName = Sysmon Driver Unload
EventType = Process.Start
Tag = proc-start-sysmon-driver-unload
RiskScore = 75
Query = (Process.Path like r"%\\fltmc.exe" and Process.CommandLine like r"%unload%" and Process.CommandLine like r"%sys%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows program executable started in a suspicious folder
# Fires when one of the listed Windows system image names runs from outside C:\Windows\System32,
# SysWow64, winsxs (each in two spellings), the "C:\avast! sandbox" path, any \SystemRoot\System32\ path,
# or C:\Windows\explorer.exe.
# The exclusions are pinned to drive C:; a legitimate Windows installation on another drive letter fires.
# NOTE(review): the image list includes "Taskmgr.exe" with a capital T - confirm whether "like" is
# case-insensitive, otherwise "taskmgr.exe" as reported by the OS would not match this entry.
RuleName = System File Execution Location Anomaly
EventType = Process.Start
Tag = proc-start-system-file-execution-location-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\spoolsv.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\winlogon.exe" or Process.Path like r"%\\explorer.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\Taskmgr.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\smartscreen.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\audiodg.exe" or Process.Path like r"%\\wlanext.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\system32\\%" or Process.Path like r"C:\\Windows\\SysWow64\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\winsxs\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\avast! sandbox%") or Process.Path like r"%\\SystemRoot\\System32\\%" or Process.Path like r"C:\\Windows\\explorer.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
# Any child of an svchost.exe whose command line contains "termsvcs", except rdpclip.exe.
RuleName = Terminal Service Process Spawn
EventType = Process.Start
Tag = proc-start-terminal-service-process-spawn
RiskScore = 75
Query = ((Parent.CommandLine like r"%\\svchost.exe%" and Parent.CommandLine like r"%termsvcs%") and not (Process.Path like r"%\\rdpclip.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
# Despite the description, the Query matches cmstp.exe itself (Process.Path) when "/s" or "/au" appears
# in its command line, not the processes it spawns.
# "%/s%" is a two-character substring and therefore also matches any other argument containing "/s".
RuleName = Bypass UAC via CMSTP
EventType = Process.Start
Tag = proc-start-bypass-uac-via-cmstp
RiskScore = 75
Query = (Process.Path like r"%\\cmstp.exe" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%/au%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
# Fires for every child process of fodhelper.exe; no exclusion is applied.
RuleName = Bypass UAC via Fodhelper.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-fodhelper.exe
RiskScore = 75
Query = Parent.Path like r"%\\fodhelper.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
# Fires for every child process of wsreset.exe except conhost.exe.
RuleName = Bypass UAC via WSReset.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-wsreset.exe
RiskScore = 75
Query = (Parent.Path like r"%\\wsreset.exe" and not (Process.Path like r"%\\conhost.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using SettingSyncHost.exe to run hijacked binary
# The Query does not reference SettingSyncHost.exe itself: it fires for any process located outside
# C:\Windows\System32 / C:\Windows\SysWOW64 whose parent command line contains "cmd.exe /c",
# "RoamDiag.cmd" and "-outputpath".
RuleName = Using SettingSyncHost.exe as LOLBin
EventType = Process.Start
Tag = proc-start-using-settingsynchost.exe-as-lolbin
RiskScore = 75
Query = (not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")) and (Parent.CommandLine like r"%cmd.exe /c%" and Parent.CommandLine like r"%RoamDiag.cmd%" and Parent.CommandLine like r"%-outputpath%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
# cvtres.exe spawned by vbc.exe; no further command line condition is applied.
RuleName = Visual Basic Command Line Compiler Usage
EventType = Process.Start
Tag = proc-start-visual-basic-command-line-compiler-usage
RiskScore = 75
Query = (Parent.Path like r"%\\vbc.exe" and Process.Path like r"%\\cvtres.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects certain command line parameters often used during reconnaissance activity via web shells
# Parent must be a web server (w3wp, php-cgi, nginx, httpd, or a path containing \apache or \tomcat);
# child must be net/net1 with user/use/group, ping -n, a "&cd&echo" / "cd /d " chain, wmic /node:, one of
# the listed enumeration tools, or a " Test-NetConnection " / "dir \" command line.
# "\apache" and "\tomcat" are substring matches on the parent path, so any executable under such a
# directory (e.g. a Java launcher) counts as the web server.
RuleName = Webshell Detection With Command Line Keywords
EventType = Process.Start
Tag = proc-start-webshell-detection-with-command-line-keywords
RiskScore = 75
Query = (((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe") or (Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%")) and ((((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and (Process.CommandLine like r"% user %" or Process.CommandLine like r"% use %" or Process.CommandLine like r"% group %")) or (Process.Path like r"%\\ping.exe" and Process.CommandLine like r"% -n %") or (Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%cd /d %")) or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"% /node:%") or (Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\quser.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\pathping.exe" or Process.Path like r"%\\tracert.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\tasklist.exe") or (Process.CommandLine like r"% Test-NetConnection %" or Process.CommandLine like r"%dir \\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
# Match: parent is a web server (apache/tomcat anywhere in the path, or w3wp/php-cgi/nginx/httpd by file name)
# AND the child is cmd.exe with "perl --help", "python --help", "wget --help" or "perl -h" in its command line.
# NOTE(review): the generated Tag contains "&", unlike every other tag in this file — confirm downstream consumers accept it.
RuleName = Webshell Recon Detection Via CommandLine & Processes
EventType = Process.Start
Tag = proc-start-webshell-recon-detection-via-commandline-&-processes
RiskScore = 75
Query = (((Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe")) and ((Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%perl --help%" or Process.CommandLine like r"%python --help%" or Process.CommandLine like r"%wget --help%" or Process.CommandLine like r"%perl -h%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Web servers that spawn shell processes could be the result of a successfully placed web shell or another attack
# Match: parent file name is w3wp, httpd, nginx, php-cgi, tomcat or UMWorkerProcess
# AND child file name is cmd, sh, bash, powershell or bitsadmin.
# NOTE(review): pwsh.exe is not in the child list — confirm whether PowerShell 7 hosts should be covered as well.
RuleName = Shells Spawned by Web Servers
EventType = Process.Start
Tag = proc-start-shells-spawned-by-web-servers
RiskScore = 75
Query = ((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\tomcat.exe" or Parent.Path like r"%\\UMWorkerProcess.exe") and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
# Match: Process.User starts with the English ("NT AUTHORITY\SYSTEM") or French ("AUTORITE NT\Sys") SYSTEM account name
# AND the process path ends in \whoami.exe.
# NOTE(review): only these two localized account names are covered; other locales will not match — confirm whether
# Process.User is reported localized by the agent before relying on this list.
RuleName = Run Whoami as SYSTEM
EventType = Process.Start
Tag = proc-start-run-whoami-as-system
RiskScore = 75
Query = ((Process.User like r"NT AUTHORITY\\SYSTEM%" or Process.User like r"AUTORITE NT\\Sys%") and Process.Path like r"%\\whoami.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
# Match: process path ends in \whoami.exe AND "/priv" appears anywhere in the command line.
RuleName = Run Whoami Showing Privileges
EventType = Process.Start
Tag = proc-start-run-whoami-showing-privileges
RiskScore = 75
Query = (Process.Path like r"%\\whoami.exe" and Process.CommandLine like r"%/priv%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Task Scheduler .job import arbitrary DACL write
# Match: process path ends in \schtasks.exe AND the command line contains all four of /change, /TN, /RU and /RP.
RuleName = Windows 10 Scheduled Task SandboxEscaper 0-day
EventType = Process.Start
Tag = proc-start-windows-10-scheduled-task-sandboxescaper-0-day
RiskScore = 75
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/change%" and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%/RU%" and Process.CommandLine like r"%/RP%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI script event consumers
# Match: Process.Path equals the full path of scrcons.exe under C:\WINDOWS\system32\wbem AND Parent.Path equals C:\Windows\System32\svchost.exe.
# NOTE(review): unlike the other rules in this file both paths are anchored to drive C: with no leading wildcard and use
# inconsistent casing; confirm that "like" is case-insensitive and that Windows is never installed on another volume,
# otherwise a suffix match such as %\wbem\scrcons.exe would be more robust.
RuleName = WMI Persistence - Script Event Consumer
EventType = Process.Start
Tag = proc-start-wmi-persistence-script-event-consumer
RiskScore = 75
Query = (Process.Path like r"C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and Parent.Path like r"C:\\Windows\\System32\\svchost.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI spawning PowerShell
# Match: parent path ends in \wmiprvse.exe AND child path ends in \powershell.exe, excluding events whose command line
# is empty or is the literal string "null".
# NOTE(review): the == "null" comparison is against the four-character string, presumably a Sigma null-filter artefact
# of the converter — confirm it has the intended effect on the agent rather than matching nothing.
RuleName = WMI Spawning Windows PowerShell
EventType = Process.Start
Tag = proc-start-wmi-spawning-windows-powershell
RiskScore = 75
Query = ((((Parent.Path like r"%\\wmiprvse.exe") and (Process.Path like r"%\\powershell.exe")) and not (Process.CommandLine == "null")) and not (Process.CommandLine == ''))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
# Match: process path ends in \Microsoft.Workflow.Compiler.exe, OR Process.Name equals that file name and ".xml"
# appears in the command line.
# NOTE(review): the second branch only adds matches where Process.Path does not already end in the executable name;
# it looks redundant otherwise — confirm whether Process.Path can be absent or differ from Process.Name.
RuleName = Microsoft Workflow Compiler
EventType = Process.Start
Tag = proc-start-microsoft-workflow-compiler
RiskScore = 75
Query = (Process.Path like r"%\\Microsoft.Workflow.Compiler.exe" or (Process.Name == "Microsoft.Workflow.Compiler.exe" and Process.CommandLine like r"%.xml%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
# Match: any process whose parent path ends in \WSreset.exe; the child process itself is not constrained.
RuleName = Wsreset UAC Bypass
EventType = Process.Start
Tag = proc-start-wsreset-uac-bypass
RiskScore = 75
Query = (Parent.Path like r"%\\WSreset.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
# Match: registry target ends in \services\DNS\Parameters\ServerLevelPluginDll, in the HKLM or HKU hive.
# EventType Reg.Any presumably covers every registry operation on this target, not only value writes — confirm.
RuleName = DNS ServerLevelPluginDll Install
EventType = Reg.Any
Tag = dns-serverlevelplugindll-install
RiskScore = 75
Query = Reg.Key.Target like r"%\\services\\DNS\\Parameters\\ServerLevelPluginDll"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Unfixed UAC bypass method on Windows 10: WSReset.exe (associated with the Windows Store) runs a binary referenced from a low-privilege registry location.
# Match: registry target ends in \AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command (the Windows Store app's
# protocol handler key), in the HKLM or HKU hive.
RuleName = UAC Bypass Via Wsreset
EventType = Reg.Any
Tag = uac-bypass-via-wsreset
RiskScore = 75
Query = (Reg.Key.Target like r"%\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
# Match: "\cmmgr32.exe" appears anywhere in the registry target (leading and trailing wildcard), in HKLM or HKU.
RuleName = CMSTP Execution Registry Event
EventType = Reg.Any
Tag = cmstp-execution-registry-event
RiskScore = 75
Query = Reg.Key.Target like r"%\\cmmgr32.exe%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
# Match: registry target equals the full HKCU path above (no leading wildcard).
# NOTE(review): the pattern is anchored at "HKCU" while Hive lists HKLM,HKU — confirm how Reg.Key.Target renders the
# per-user hive; if it is reported as HKU\<SID>\..., this pattern would never match.
RuleName = COM Hijack via Sdclt
EventType = Reg.Any
Tag = com-hijack-via-sdclt
RiskScore = 75
Query = (Reg.Key.Target like r"HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
# Match: registry target ends in \Services\DHCPServer\Parameters\CalloutDlls or ...\CalloutEnabled, in HKLM or HKU.
RuleName = DHCP Callout DLL Installation
EventType = Reg.Any
Tag = dhcp-callout-dll-installation
RiskScore = 75
Query = (Reg.Key.Target like r"%\\Services\\DHCPServer\\Parameters\\CalloutDlls" or Reg.Key.Target like r"%\\Services\\DHCPServer\\Parameters\\CalloutEnabled")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
# Match: registry target ends in \COR_ENABLE_PROFILING or \COR_PROFILER, in HKLM or HKU.
# NOTE(review): the "\_" sequences presumably escape "_" so it is matched literally rather than as a single-character
# wildcard — confirm against the uberAgent "like" syntax, as no other rule in this file uses this escape.
RuleName = Enabling COR Profiler Environment Variables
EventType = Reg.Any
Tag = enabling-cor-profiler-environment-variables
RiskScore = 75
Query = (Reg.Key.Target like r"%\\COR\_ENABLE\_PROFILING" or Reg.Key.Target like r"%\\COR\_PROFILER")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects creation or execution of UserInitMprLogonScript persistence method
# Match: "UserInitMprLogonScript" appears anywhere in the registry target, in HKLM or HKU.
# NOTE(review): the generated Tag contains parentheses — confirm downstream consumers accept them.
RuleName = Logon Scripts (UserInitMprLogonScript) Registry
EventType = Reg.Any
Tag = logon-scripts-(userinitmprlogonscript)-registry
RiskScore = 75
Query = Reg.Key.Target like r"%UserInitMprLogonScript%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects changes to RDP terminal service sensitive settings
# Match: registry target contains \services\TermService\Parameters\ServiceDll, \Control\Terminal Server\fSingleSessionPerUser
# or \Control\Terminal Server\fDenyTSConnections (each with a trailing wildcard), in HKLM or HKU.
RuleName = RDP Sensitive Settings Changed
EventType = Reg.Any
Tag = rdp-sensitive-settings-changed
RiskScore = 75
Query = (Reg.Key.Target like r"%\\services\\TermService\\Parameters\\ServiceDll%" or Reg.Key.Target like r"%\\Control\\Terminal Server\\fSingleSessionPerUser%" or Reg.Key.Target like r"%\\Control\\Terminal Server\\fDenyTSConnections%")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects actions caused by the RedMimicry Winnti playbook
# Match: "HKLM\SOFTWARE\Microsoft\HTMLHelp\data" appears anywhere in the registry target (wildcards on both sides).
RuleName = RedMimicry Winnti Playbook Registry Manipulation
EventType = Reg.Any
Tag = redmimicry-winnti-playbook-registry-manipulation
RiskScore = 75
Query = Reg.Key.Target like r"%HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Sysmon registry detection of a local hidden user account.
# Originally a Sysmon registry rule; here expressed on uberAgent Reg.Any events.
# Match: registry target starts with HKLM\SAM\SAM\Domains\Account\Users\Names\ AND ends with "$" (a user name ending in $)
# AND the writing process path ends in lsass.exe.
RuleName = Creation of a Local Hidden User Account by Registry
EventType = Reg.Any
Tag = creation-of-a-local-hidden-user-account-by-registry
RiskScore = 75
Query = (Reg.Key.Target like r"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\%" and Reg.Key.Target like r"%$" and Process.Path like r"%lsass.exe")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects registry changes to Office macro settings
# Match: registry target ends in \Security\Trusted Documents\TrustRecords, \Security\AccessVBOM or \Security\VBAWarnings,
# in HKLM or HKU.
RuleName = Office Security Settings Changed
EventType = Reg.Any
Tag = office-security-settings-changed
RiskScore = 75
Query = (Reg.Key.Target like r"%\\Security\\Trusted Documents\\TrustRecords" or Reg.Key.Target like r"%\\Security\\AccessVBOM" or Reg.Key.Target like r"%\\Security\\VBAWarnings")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects potential malicious modification of run keys by winekey or team9 backdoor
# Match: registry target ends in Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr, in HKLM or HKU.
RuleName = WINEKEY Registry Modification
EventType = Reg.Any
Tag = winekey-registry-modification
RiskScore = 75
Query = (Reg.Key.Target like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects creation/modification of Assistive Technology applications and persistence with usage of ATs
# Match: registry target contains Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs or ...\Accessibility\Configuration
# (trailing wildcard, so subkeys and values beneath are included), in HKLM or HKU.
RuleName = Atbroker Registry Change
EventType = Reg.Any
Tag = atbroker-registry-change
RiskScore = 75
Query = (Reg.Key.Target like r"%Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs%" or Reg.Key.Target like r"%Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration%")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
# Match: the writing process path contains \Downloads\, \Temporary Internet Files\Content.Outlook\ or
# \Local Settings\Temporary Internet Files\ AND the registry target contains \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
RuleName = Suspicious Run Key from Download
EventType = Reg.Any
Tag = suspicious-run-key-from-download
RiskScore = 75
Query = ((Process.Path like r"%\\Downloads\\%" or Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.Path like r"%\\Local Settings\\Temporary Internet Files\\%") and Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\%")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects a method to load DLL via LSASS process using an undocumented Registry key
# Match: registry target contains \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt or ...\NTDS\LsaDbExtPt
# (trailing wildcard), in HKLM or HKU.
RuleName = DLL Load via LSASS
EventType = Reg.Any
Tag = dll-load-via-lsass
RiskScore = 75
Query = (Reg.Key.Target like r"%\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt%" or Reg.Key.Target like r"%\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt%")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects Processes accessing the camera and microphone from suspicious folder
# Match: registry target is under \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\
# AND contains \NonPackaged AND contains "microphone" or "webcam"
# AND contains one of the folder fragments :#Windows#Temp#, :#$Recycle.bin#, :#Temp#, :#Users#Public#, :#Users#Default#, :#Users#Desktop#.
# NOTE(review): the "#" in those fragments presumably stands in for the backslash of the executable path as it is
# encoded in the ConsentStore subkey name — confirm against a live key before tuning.
RuleName = Suspicious Camera and Microphone Access
EventType = Reg.Any
Tag = suspicious-camera-and-microphone-access
RiskScore = 75
Query = (Reg.Key.Target like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\%" and Reg.Key.Target like r"%\\NonPackaged%" and (Reg.Key.Target like r"%microphone%" or Reg.Key.Target like r"%webcam%") and (Reg.Key.Target like r"%:#Windows#Temp#%" or Reg.Key.Target like r"%:#$Recycle.bin#%" or Reg.Key.Target like r"%:#Temp#%" or Reg.Key.Target like r"%:#Users#Public#%" or Reg.Key.Target like r"%:#Users#Default#%" or Reg.Key.Target like r"%:#Users#Desktop#%"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
# Match: registry target contains System\CurrentControlSet\Services\VSS (anything beneath it), excluding targets that
# contain System\CurrentControlSet\Services\VSS\Start.
# NOTE(review): this is a broad match on the whole VSS service subtree with a single exclusion; presumably noisy on
# hosts that take regular shadow copies — verify volume before alerting at RiskScore 75.
RuleName = Volume Shadow Copy Service Keys
EventType = Reg.Any
Tag = volume-shadow-copy-service-keys
RiskScore = 75
Query = (Reg.Key.Target like r"%System\\CurrentControlSet\\Services\\VSS%" and not (Reg.Key.Target like r"%System\\CurrentControlSet\\Services\\VSS\\Start%"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
# Match: registry target ends in WDigest\UseLogonCredential, in HKLM or HKU.
# The rule does not inspect the written value, so it fires on any operation on this target, not only on enabling it.
RuleName = Wdigest Enable UseLogonCredential
EventType = Reg.Any
Tag = wdigest-enable-uselogoncredential
RiskScore = 75
Query = Reg.Key.Target like r"%WDigest\\UseLogonCredential"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the manipulation of persistent URLs which can be malicious
# Match: registry target contains Software\Microsoft\Office\ or Outlook\WebView\ AND ends with "URL"
# AND contains "Calendar" or "Inbox", in HKLM or HKU.
RuleName = Persistent Outlook Landing Pages
EventType = Reg.Any
Tag = persistent-outlook-landing-pages
RiskScore = 75
Query = ((Reg.Key.Target like r"%Software\\Microsoft\\Office\\%" or Reg.Key.Target like r"%Outlook\\WebView\\%") and Reg.Key.Target like r"%URL" and (Reg.Key.Target like r"%Calendar%" or Reg.Key.Target like r"%Inbox%"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target
