
uberAgent-ESA-am-sigma-high.conf

The following is the uberAgent-ESA-am-sigma-high.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# This file contains only the rules whose Sigma level is "high"; every rule below therefore carries RiskScore = 75
#

[ActivityMonitoringRule]
# Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
# Every pattern is wrapped in "%...%", i.e. a substring match: "%.oast.me%" also matches longer names whose label merely
# starts with "oast.me". Expect hits from authorised pentests and scanners that use these OAST services; review the full
# query name (exposed via GenericProperty1) before escalating.
RuleId = aff715fa-4dd5-497a-8db3-910bea555566
RuleName = DNS Query to External Service Interaction Domains
EventType = Dns.Query
Tag = dns-query-to-external-service-interaction-domains
RiskScore = 75
Annotation = {"mitre_attack": ["T1190", "T1595.002"]}
Query = (Dns.QueryRequest like r"%.interact.sh%" or Dns.QueryRequest like r"%.oast.pro%" or Dns.QueryRequest like r"%.oast.live%" or Dns.QueryRequest like r"%.oast.site%" or Dns.QueryRequest like r"%.oast.online%" or Dns.QueryRequest like r"%.oast.fun%" or Dns.QueryRequest like r"%.oast.me%" or Dns.QueryRequest like r"%.burpcollaborator.net%" or Dns.QueryRequest like r"%.oastify.com%" or Dns.QueryRequest like r"%.canarytokens.com%" or Dns.QueryRequest like r"%.requestbin.net%" or Dns.QueryRequest like r"%.dnslog.cn%")
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects connections to the host used in a big repository compromise discovered in August 2022
# Exact match (no wildcards) on a single hostname. This is a static indicator from a 2022 incident and carries no
# MITRE annotation; verify the indicator is still relevant before acting on a hit.
RuleId = 6b0dd2e4-13ff-4eff-b79b-4444fad43644
RuleName = DNS Lookup Github Repo Compromise Domain MyJino RU
EventType = Dns.Query
Tag = dns-lookup-github-repo-compromise-domain-myjino-ru
RiskScore = 75
Query = Dns.QueryRequest == "ovz1.j19544519.pr46m.vps.myjino.ru"
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects suspicious DNS queries to Monero mining pools
# Substring matches against the queried name. The companion rule "Windows Crypto Mining Pool Connections" (EventType
# Net.Any) later in this file covers the same pool hosts on the connection path using exact host names.
RuleId = b593fd50-7335-4682-a36c-4edcb68e4641
RuleName = Monero Crypto Coin Mining Pool Lookup
EventType = Dns.Query
Tag = monero-crypto-coin-mining-pool-lookup
RiskScore = 75
Annotation = {"mitre_attack": ["T1496", "T1567"]}
Query = (Dns.QueryRequest like r"%pool.minexmr.com%" or Dns.QueryRequest like r"%fr.minexmr.com%" or Dns.QueryRequest like r"%de.minexmr.com%" or Dns.QueryRequest like r"%sg.minexmr.com%" or Dns.QueryRequest like r"%ca.minexmr.com%" or Dns.QueryRequest like r"%us-west.minexmr.com%" or Dns.QueryRequest like r"%pool.supportxmr.com%" or Dns.QueryRequest like r"%mine.c3pool.com%" or Dns.QueryRequest like r"%xmr-eu1.nanopool.org%" or Dns.QueryRequest like r"%xmr-eu2.nanopool.org%" or Dns.QueryRequest like r"%xmr-us-east1.nanopool.org%" or Dns.QueryRequest like r"%xmr-us-west1.nanopool.org%" or Dns.QueryRequest like r"%xmr-asia1.nanopool.org%" or Dns.QueryRequest like r"%xmr-jp1.nanopool.org%" or Dns.QueryRequest like r"%xmr-au1.nanopool.org%" or Dns.QueryRequest like r"%xmr.2miners.com%" or Dns.QueryRequest like r"%xmr.hashcity.org%" or Dns.QueryRequest like r"%xmr.f2pool.com%" or Dns.QueryRequest like r"%xmrpool.eu%" or Dns.QueryRequest like r"%pool.hashvault.pro%")
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects wannacry killswitch domain dns queries
# Exact matches against the known killswitch names. NOTE(review): the lookup is issued by the WannaCry code itself, so a
# hit means the malware ran on this host; whether the name resolved only affects the payload, not the infection.
RuleId = 3eaf6218-3bed-4d8a-8707-274096f12a18
RuleName = Wannacry Killswitch Domain
EventType = Dns.Query
Tag = wannacry-killswitch-domain
RiskScore = 75
Annotation = {"mitre_attack": ["T1071.001"]}
Query = Dns.QueryRequest in ["ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing", "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test", "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com", "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com", "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
# Matches the listed addresses as either connection target or connection source (both directions). These are static IP
# indicators taken from the leaked notes; addresses get re-assigned over time, so confirm current ownership before escalating.
RuleId = 881834a4-6659-4773-821e-1c151789d873
RuleName = Equation Group C2 Communication
EventType = Net.Any
Tag = equation-group-c2-communication
RiskScore = 75
Annotation = {"mitre_attack": ["T1041"]}
Query = (Net.Target.Ip in ["69.42.98.86", "89.185.234.145"] or Net.Source.Ip in ["69.42.98.86", "89.185.234.145"])
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Source.Ip

[ActivityMonitoringRule]
# Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
# Image path and command-line terms are all substring matches. The "Joke" literal is an alternative trigger on its own,
# without the "once"/"00:00" constraint. Unlike most rules in this file no GenericProperty is configured, so consult
# Process.CommandLine on the raw event for the task definition.
RuleId = 970823b7-273b-460a-8afc-3a6811998529
RuleName = Uncommon Scheduled Task Once 00:00
EventType = Process.Start
Tag = proc-start-uncommon-scheduled-task-once-00:00
RiskScore = 75
Query = ((Process.Path like r"%\\schtasks.exe%" and (Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%wmic %" or Process.CommandLine like r"%wmic.exe%" or Process.CommandLine like r"%regsvr32.exe%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%\\AppData\\%")) and ((Process.CommandLine like r"%once%" and Process.CommandLine like r"%00:00%") or Process.CommandLine like r"%Joke%"))

[ActivityMonitoringRule]
# Detects a remote thread creation in suspicious target images
# NOTE(review): the Sigma rule matches on the Sysmon TargetImage field; here Process.Path is presumably the process that
# receives the thread, not its creator - confirm against uberAgent's Process.CreateRemoteThread field documentation.
# No Thread.* condition is applied, so every remote thread into these images (e.g. from endpoint security tooling,
# if any) matches.
RuleId = a1a144b7-5c9b-4853-a559-2172be8d4a03
RuleName = Remote Thread Creation in Suspicious Targets
EventType = Process.CreateRemoteThread
Tag = remote-thread-creation-in-suspicious-targets
RiskScore = 75
Annotation = {"mitre_attack": ["T1055.003"]}
Query = (Process.Path like r"%\\mspaint.exe" or Process.Path like r"%\\calc.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\sethc.exe" or Process.Path like r"%\\write.exe" or Process.Path like r"%\\wordpad.exe")

[ActivityMonitoringRule]
# Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
# Only threads starting exactly at kernel32!LoadLibraryA are matched; the other LoadLibrary* exports of kernel32.dll
# (LoadLibraryW, LoadLibraryExA/W) are not covered. Widening the function list increases coverage at the cost of noise.
RuleId = 052ec6f6-1adc-41e6-907a-f1c813478bee
RuleName = CreateRemoteThread API and LoadLibrary
EventType = Process.CreateRemoteThread
Tag = createremotethread-api-and-loadlibrary
RiskScore = 75
Annotation = {"mitre_attack": ["T1055.001"]}
Query = (Thread.StartModule like r"%\\kernel32.dll" and Thread.StartFunctionName == "LoadLibraryA")
GenericProperty1 = Thread.StartModule
GenericProperty2 = Thread.StartFunctionName

[ActivityMonitoringRule]
# Detects remote thread creation in KeePass.exe indicating password dumping activity
# Any remote thread created in KeePass.exe matches; there is no condition on the creating process or the thread start
# address. NOTE(review): as with the other CreateRemoteThread rules, Process.Path is presumably the target process -
# confirm against uberAgent's field documentation.
RuleId = 77564cc2-7382-438b-a7f6-395c2ae53b9a
RuleName = KeePass Password Dumping
EventType = Process.CreateRemoteThread
Tag = keepass-password-dumping
RiskScore = 75
Annotation = {"mitre_attack": ["T1555.005"]}
Query = Process.Path like r"%\\KeePass.exe"

[ActivityMonitoringRule]
# Detects password dumper activity by monitoring remote thread creation (Sysmon EventID 8 in the original Sigma rule) in
# combination with the lsass.exe process as the thread target. In Sysmon terms the process in field "Process" is the
# malicious program; in this translation the match is on Process.Path ending in \lsass.exe, so Process.* presumably
# denotes the target process here - confirm against uberAgent's Process.CreateRemoteThread field documentation.
# Thread.StartModule == "" additionally requires that the thread's start address is not attributed to any loaded module.
# A single execution can lead to hundreds of events.
RuleId = f239b326-2f41-4d6b-9dfa-c846a60ef505
RuleName = Password Dumper Remote Thread in LSASS
EventType = Process.CreateRemoteThread
Tag = password-dumper-remote-thread-in-lsass
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.001"]}
Query = (Process.Path like r"%\\lsass.exe" and Thread.StartModule == "")
GenericProperty1 = Thread.StartModule

[ActivityMonitoringRule]
# Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
# Substring match on the queried name, so any anonfiles.com subdomain (and any longer name containing ".anonfiles.com")
# matches.
RuleId = 065cceea-77ec-4030-9052-fc0affea7110
RuleName = DNS Query for Anonfiles.com Domain
EventType = Dns.Query
Tag = dns-query-for-anonfiles.com-domain
RiskScore = 75
Annotation = {"mitre_attack": ["T1567.002"]}
Query = Dns.QueryRequest like r"%.anonfiles.com%"
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects Azure Hybrid Connection Manager services querying the Azure service bus service
# This flags the normal behaviour of the Hybrid Connection Manager service itself. If HCM is deployed intentionally in
# your environment, allow-list those hosts rather than disabling the rule - an unexpected HCM instance may indicate an
# unsanctioned relay into the network.
RuleId = 7bd3902d-8b8b-4dd4-838a-c6862d40150d
RuleName = DNS HybridConnectionManager Service Bus
EventType = Dns.Query
Tag = dns-hybridconnectionmanager-service-bus
RiskScore = 75
Annotation = {"mitre_attack": ["T1554"]}
Query = (Dns.QueryRequest like r"%servicebus.windows.net%" and Process.Path like r"%HybridConnectionManager%")
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects DNS queries for subdomains used for upload to MEGA.io
# Substring match on the MEGA user-storage hostnames (uploads go to userstorage.mega.co.nz nodes rather than the
# mega.io web front end). Legitimate MEGA use in the environment will match as well.
RuleId = 613c03ba-0779-4a53-8a1f-47f914a4ded3
RuleName = DNS Query for MEGA.io Upload Domain
EventType = Dns.Query
Tag = dns-query-for-mega.io-upload-domain
RiskScore = 75
Annotation = {"mitre_attack": ["T1567.002"]}
Query = Dns.QueryRequest like r"%userstorage.mega.co.nz%"
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects network connections and DNS queries initiated by Regsvr32.exe
# Any DNS query issued by a process whose path ends in \regsvr32.exe matches; there is no filter on the queried name.
# A second rule with the same RuleName and Tag (but a different RuleId) covers connections via EventType Net.Any.
RuleId = 36e037c4-c228-4866-b6a3-48eb292b9955
RuleName = Regsvr32 Network Activity
EventType = Dns.Query
Tag = regsvr32-network-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1559.001", "T1218.010"]}
Query = Process.Path like r"%\\regsvr32.exe"

[ActivityMonitoringRule]
# Detects DNS resolution of an .onion address related to Tor routing networks
# Substring match, so names such as "x.onions.example" also satisfy "%.onion%". NOTE(review): .onion names are not
# resolvable through regular DNS; a query reaching the system resolver presumably comes from a client that is not
# routing the name through Tor, which is still worth investigating.
RuleId = b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
RuleName = Query Tor Onion Address
EventType = Dns.Query
Tag = query-tor-onion-address
RiskScore = 75
Annotation = {"mitre_attack": ["T1090.003"]}
Query = Dns.QueryRequest like r"%.onion%"
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects DNS queries for subdomains used for upload to ufile.io
# The pattern has no leading dot, so it matches any name containing "ufile.io" (including unrelated names such as
# "stufile.io...") - broader than the other upload-domain rules in this file.
RuleId = 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
RuleName = DNS Query for Ufile.io Upload Domain
EventType = Dns.Query
Tag = dns-query-for-ufile.io-upload-domain
RiskScore = 75
Annotation = {"mitre_attack": ["T1567.002"]}
Query = Dns.QueryRequest like r"%ufile.io%"
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
# The allow-list matches the loading process by path suffix only (e.g. "%\\OneDrive.exe"); a binary with the same name
# placed in a user-writable directory would also be excluded. Tighten the exclusions to full paths if that matters in
# your environment. GenericProperty1 exposes the loaded DLL path; the loading process is Process.Path on the event.
RuleId = 50f852e6-af22-4c78-9ede-42ef36aa3453
RuleName = Abusing Azure Browser SSO
EventType = Image.Load
Tag = abusing-azure-browser-sso
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (Image.Path like r"%MicrosoftAccountTokenProvider.dll" and not ((Process.Path like r"%\\BackgroundTaskHost.exe" or Process.Path like r"%\\devenv.exe" or Process.Path like r"%\\iexplore.exe" or Process.Path like r"%\\MicrosoftEdge.exe" or Process.Path like r"%\\Microsoft\\Edge\\Application\\msedge.exe" or Process.Path like r"%\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" or Process.Path like r"%\\msedgewebview2.exe" or Process.Path like r"%\\OneDrive.exe") or (Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\%")))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload an arbitrary DLL
# Only loads of mpclient.dll from the two default Defender directories (absolute C: paths) are excluded; a Defender
# installation rooted elsewhere, e.g. on a different system drive, will fire on every load - adjust the exclusions to
# match your image.
RuleId = 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
RuleName = Microsoft Defender Loading DLL from Nondefault Path
EventType = Image.Load
Tag = microsoft-defender-loading-dll-from-nondefault-path
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (((Process.Path like r"%\\MpCmdRun.exe" or Process.Path like r"%\\NisSrv.exe") and Image.Path like r"%\\mpclient.dll") and not ((Image.Path like r"C:\\Program Files\\Windows Defender\\%" or Image.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%")))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
# Matches every load of sdiageng.dll by msdt.exe, presumably including legitimate troubleshooter runs; correlate with how
# msdt.exe was launched (e.g. from an Office application) before escalating.
RuleId = ec8c4047-fad9-416a-8c81-0f479353d7f6
RuleName = MSDT.exe Loading Diagnostic Library
EventType = Image.Load
Tag = msdt.exe-loading-diagnostic-library
RiskScore = 75
Annotation = {"mitre_attack": ["T1202"]}
Query = (Process.Path like r"%\\msdt.exe" and Image.Path like r"%\\sdiageng.dll")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects processes loading modules related to PCRE.NET package
# Keys on the fixed, hash-like directory name under %TEMP% that the package apparently extracts its native modules to;
# only that exact folder name is matched, so other versions or relocations will not fire.
RuleId = 84b0a8f3-680b-4096-a45b-e9a89221727c
RuleName = PCRE.NET Package Image Load
EventType = Image.Load
Tag = pcre.net-package-image-load
RiskScore = 75
Annotation = {"mitre_attack": ["T1059"]}
Query = Image.Path like r"%\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\%"
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
# The process pattern "%msdtc.exe" has no path separator before the name, so any image name ending in "msdtc.exe"
# matches; the DLL path is an exact location (C:\Windows\oci.dll) and will not match on other system drives.
RuleId = 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
RuleName = Pingback Backdoor
EventType = Image.Load
Tag = pingback-backdoor
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.001"]}
Query = (Process.Path like r"%msdtc.exe" and Image.Path like r"C:\\Windows\\oci.dll")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
# Loading any of the listed script-engine libraries into scrcons.exe (the WMI script host) means a script event consumer
# actually executed. Legitimate management tooling that registers WMI script consumers will match as well.
RuleId = b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
RuleName = WMI Script Host Process Image Loaded
EventType = Image.Load
Tag = wmi-script-host-process-image-loaded
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.003"]}
Query = (Process.Path like r"%\\scrcons.exe" and (Image.Path like r"%\\vbscript.dll" or Image.Path like r"%\\wbemdisp.dll" or Image.Path like r"%\\wshom.ocx" or Image.Path like r"%\\scrrun.dll"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%
# "System process" is approximated by Process.Path starting with C:\Windows\ - which also covers user-writable
# locations such as C:\Windows\Temp. The suspicious image locations are substring matches and therefore independent of
# drive letter and user profile.
RuleId = 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
RuleName = DLL Load By System Process From Suspicious Locations
EventType = Image.Load
Tag = dll-load-by-system-process-from-suspicious-locations
RiskScore = 75
Annotation = {"mitre_attack": ["T1070"]}
Query = (Process.Path like r"C:\\Windows\\%" and (Image.Path like r"%\\Users\\Public\\%" or Image.Path like r"%\\Desktop\\%" or Image.Path like r"%\\Downloads\\%" or Image.Path like r"%\\AppData\\Local\\Temp\\%"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
# Because ualapi.dll does not ship with Windows, any load by fxssvc.exe outside the WinSxS store is treated as a planted
# DLL. "%ualapi.dll" has no separator, so it matches any image name with that suffix.
RuleId = 828af599-4c53-4ed2-ba4a-a9f835c434ea
RuleName = Fax Service DLL Search Order Hijack
EventType = Image.Load
Tag = fax-service-dll-search-order-hijack
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.001", "T1574.002"]}
Query = ((Process.Path like r"%\\fxssvc.exe" and Image.Path like r"%ualapi.dll") and not (Image.Path like r"C:\\Windows\\WinSxS\\%"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
# Despite the generic description, only notepad.exe is covered as the hollowed host; extend the process list if other
# decoy processes are observed. Both DLL names are matched by suffix.
RuleId = e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
RuleName = Possible Process Hollowing Image Loading
EventType = Image.Load
Tag = possible-process-hollowing-image-loading
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (Process.Path like r"%\\notepad.exe" and (Image.Path like r"%\\samlib.dll" or Image.Path like r"%\\WinSCard.dll"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects any assembly DLL being loaded by an Office Product
# Fires on any DLL loaded from C:\Windows\assembly\ by the four Office processes. .NET-based Office add-ins may load
# assemblies from here legitimately, so baseline before alerting; the path is absolute and drive-specific.
RuleId = ff0f2b05-09db-4095-b96d-1b75ca24894a
RuleName = dotNET DLL Loaded Via Office Applications
EventType = Image.Load
Tag = dotnet-dll-loaded-via-office-applications
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and Image.Path like r"C:\\Windows\\assembly\\%")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects CLR DLL being loaded by an Office Product
# "%\\clr.dll%" carries a trailing wildcard, so names that continue after "clr.dll" match too. Office add-ins built on
# .NET load the CLR legitimately; expect hits in environments that use such add-ins and baseline accordingly.
RuleId = d13c43f0-f66b-4279-8b2c-5912077c1780
RuleName = CLR DLL Loaded Via Office Applications
EventType = Image.Load
Tag = clr-dll-loaded-via-office-applications
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and Image.Path like r"%\\clr.dll%")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects any GAC DLL being loaded by an Office Product
# The underscore in GAC_MSIL is escaped as "\_", consistent with the other literal underscores in this file's patterns
# (e.g. "vss\_ps"). The path is absolute and drive-specific. .NET-based Office add-ins may trigger this legitimately.
RuleId = 90217a70-13fc-48e4-b3db-0d836c5824ac
RuleName = GAC DLL Loaded Via Office Applications
EventType = Image.Load
Tag = gac-dll-loaded-via-office-applications
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and Image.Path like r"C:\\Windows\\Microsoft.NET\\assembly\\GAC\_MSIL%")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects DSParse DLL being loaded by an Office Product
# "%\\dsparse.dll%" carries a trailing wildcard (names that continue after "dsparse.dll" match too). No exclusions are
# applied; an Office process presumably has no ordinary reason to load this library.
RuleId = a2a3b925-7bb0-433b-b508-db9003263cc4
RuleName = Active Directory Parsing DLL Loaded Via Office Applications
EventType = Image.Load
Tag = active-directory-parsing-dll-loaded-via-office-applications
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and Image.Path like r"%\\dsparse.dll%")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects Kerberos DLL being loaded by an Office Product
# Suffix match on kerberos.dll loaded by the four Office processes, with no exclusions. Baseline this in environments
# where Office add-ins may perform Kerberos authentication themselves.
RuleId = 7417e29e-c2e7-4cf6-a2e8-767228c64837
RuleName = Active Directory Kerberos DLL Loaded Via Office Applications
EventType = Image.Load
Tag = active-directory-kerberos-dll-loaded-via-office-applications
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and Image.Path like r"%\\kerberos.dll")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects CLR DLL being loaded by scripting applications
# Suffix matches on the core .NET runtime libraries when loaded by the Windows script hosts or mshta.exe; the T1055
# annotation is carried over from the Sigma rule.
RuleId = 4508a70e-97ef-4300-b62b-ff27992990ea
RuleName = CLR DLL Loaded Via Scripting Applications
EventType = Image.Load
Tag = clr-dll-loaded-via-scripting-applications
RiskScore = 75
Annotation = {"mitre_attack": ["T1055"]}
Query = ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe") and (Image.Path like r"%\\clr.dll" or Image.Path like r"%\\mscoree.dll" or Image.Path like r"%\\mscorlib.dll"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
# NOTE(review): the description mentions OriginalFileName, but this translation matches on Process.Path only (a suffix
# list combined with a substring match on "c:\windows\"); any binary under C:\Windows whose name is in the list is
# excluded, whatever its origin. The second exclusion covers DISM running from the Windows Recovery scratch directory.
RuleId = 333cdbe8-27bb-4246-bf82-b41a0dca4b70
RuleName = Image Load of VSS_PS.dll by Uncommon Executable
EventType = Image.Load
Tag = image-load-of-vss_ps.dll-by-uncommon-executable
RiskScore = 75
Annotation = {"mitre_attack": ["T1490"]}
Query = (Image.Path like r"%\\vss\_ps.dll" and not (((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\vssvc.exe" or Process.Path like r"%\\srtasks.exe" or Process.Path like r"%\\tiworker.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\searchindexer.exe" or Process.Path like r"%\\dismhost.exe" or Process.Path like r"%\\taskhostw.exe" or Process.Path like r"%\\clussvc.exe" or Process.Path like r"%\\thor64.exe" or Process.Path like r"%\\thor.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\inetsrv\\iissetup.exe" or Process.Path like r"%\\inetsrv\\appcmd.exe") and Process.Path like r"%c:\\windows\\%") or (Process.CommandLine like r"C:\\$WinREAgent\\Scratch\\%" and Process.CommandLine like r"%\\dismhost.exe {%")))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects DLL's Loaded Via Word Containing VBA Macros
# Matches every load of the VBA runtime/editor libraries by the four Office processes, i.e. any macro-enabled document or
# use of the VBA editor; in macro-heavy environments this rule needs baselining before it is alerted on.
RuleId = e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
RuleName = VBA DLL Loaded Via Microsoft Word
EventType = Image.Load
Tag = vba-dll-loaded-via-microsoft-word
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\VBE7.DLL" or Image.Path like r"%\\VBEUI.DLL" or Image.Path like r"%\\VBE7INTL.DLL"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects DLL search order hijacking of the IKEEXT and SessionEnv services: they call LoadLibrary on files (wlbsctrl.dll,
# tsmsisrv.dll, tsvipsrv.dll) that do not exist within C:\Windows\System32\ by default. An attacker can place their
# malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services
# ("svchost.exe -k netsvcs") to gain code execution on a remote machine.
# Loads from the WinSxS store are excluded; any other load of these names by svchost.exe is treated as a planted DLL.
RuleId = 602a1f13-c640-4d73-b053-be9a2fa58b77
RuleName = Svchost DLL Search Order Hijack
EventType = Image.Load
Tag = svchost-dll-search-order-hijack
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002", "T1574.001"]}
Query = ((Process.Path like r"%\\svchost.exe" and (Image.Path like r"%\\tsmsisrv.dll" or Image.Path like r"%\\tsvipsrv.dll" or Image.Path like r"%\\wlbsctrl.dll")) and not (Image.Path like r"C:\\Windows\\WinSxS\\%"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
# No process filter: any image loading one of the TTD libraries matches, including legitimate use of the Time Travel
# Debugging tooling by developers. Allow-list known debugging hosts if such use is common in your environment.
RuleId = e76c8240-d68f-4773-8880-5c6f63595aaf
RuleName = Time Travel Debugging Utility Usage
EventType = Image.Load
Tag = time-travel-debugging-utility-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1218", "T1003.001"]}
Query = (Image.Path like r"%\\ttdrecord.dll" or Image.Path like r"%\\ttdwriter.dll" or Image.Path like r"%\\ttdloader.dll")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL from temp or any user controlled location in the user's %PATH%
# NOTE(review): the exclusion "%C:\\Windows\\%" is a substring match (leading wildcard), so it also excludes loads from
# user-writable subdirectories such as C:\Windows\Temp; consider narrowing it to the system directories. Only the
# 32-bit iscsicpl.exe under SysWOW64 is matched (exact, C:-only path).
RuleId = 9ed5959a-c43c-4c59-84e3-d28628429456
RuleName = UAC Bypass Using Iscsicpl - ImageLoad
EventType = Image.Load
Tag = uac-bypass-using-iscsicpl-imageload
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002"]}
Query = ((Process.Path like r"C:\\Windows\\SysWOW64\\iscsicpl.exe" and Image.Path like r"%\\iscsiexe.dll") and not (Image.Path like r"%C:\\Windows\\%" and Image.Path like r"%iscsiexe.dll%"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Attempts to load dismcore.dll after dropping it
# The only accepted location is the absolute path C:\Windows\System32\Dism\dismcore.dll; a system with a different
# system drive or a DISM copy elsewhere will fire on every legitimate load. dism.exe itself is matched by path suffix.
RuleId = a5ea83a7-05a5-44c1-be2e-addccbbd8c03
RuleName = UAC Bypass With Fake DLL
EventType = Image.Load
Tag = uac-bypass-with-fake-dll
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002", "T1574.002"]}
Query = ((Process.Path like r"%\\dism.exe" and Image.Path like r"%\\dismcore.dll") and not (Image.Path like r"C:\\Windows\\System32\\Dism\\dismcore.dll"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
# Any svchost.exe instance loading clfsw32.dll matches. The description calls this rare under legitimate circumstances;
# still baseline it in your environment before alerting at this RiskScore.
RuleId = 33a2d1dd-f3b0-40bd-8baf-7974468927cc
RuleName = APT PRIVATELOG Image Load Pattern
EventType = Image.Load
Tag = apt-privatelog-image-load-pattern
RiskScore = 75
Annotation = {"mitre_attack": ["T1055"]}
Query = (Process.Path like r"%\\svchost.exe" and Image.Path like r"%\\clfsw32.dll")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
# Matches wmic.exe loading either script engine, which the Sigma rule attributes to processing an XSL stylesheet with
# embedded script via /FORMAT. The command line is not inspected here; check it on the event to see the stylesheet source.
RuleId = 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
RuleName = WMIC Loading Scripting Libraries
EventType = Image.Load
Tag = wmic-loading-scripting-libraries
RiskScore = 75
Annotation = {"mitre_attack": ["T1220"]}
Query = (Process.Path like r"%\\wmic.exe" and (Image.Path like r"%\\jscript.dll" or Image.Path like r"%\\vbscript.dll"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
# Matches any load of wbemcomn.dll from a "\wbem\" directory by wmiprvse.exe; per the description the legitimate copy is
# not expected there. Check the loaded path (GenericProperty1) and baseline it in your environment before alerting.
RuleId = 7707a579-e0d8-4886-a853-ce47e4575aaa
RuleName = Wmiprvse Wbemcomn DLL Hijack
EventType = Image.Load
Tag = wmiprvse-wbemcomn-dll-hijack
RiskScore = 75
Annotation = {"mitre_attack": ["T1047", "T1021.002"]}
Query = (Process.Path like r"%\\wmiprvse.exe" and Image.Path like r"%\\wbem\\wbemcomn.dll")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects WMI command line event consumers
# Only the WmiPrvSE.exe under C:\Windows\System32\wbem\ is matched (exact, drive-specific path), unlike the
# "%\\wmiprvse.exe" suffix used by the wbemcomn rule above; a consumer hosted by the SysWOW64 copy would not match.
# The rule fires whenever a command-line event consumer is triggered, including ones registered by legitimate tooling.
RuleId = 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
RuleName = WMI Persistence - Command Line Event Consumer
EventType = Image.Load
Tag = wmi-persistence-command-line-event-consumer
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.003"]}
Query = (Process.Path like r"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Image.Path like r"%\\wbemcons.dll")
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects process connections to a Monero crypto mining pool
# Exact matches on the connection target name ("in" list), unlike the substring patterns of the DNS rule "Monero Crypto
# Coin Mining Pool Lookup"; a subdomain of a listed pool would not match here. Note that the list deliberately contains
# both "moneroocean.stream" and "monerocean.stream".
RuleId = fa5b1358-b040-4403-9868-15f7d9ab6329
RuleName = Windows Crypto Mining Pool Connections
EventType = Net.Any
Tag = windows-crypto-mining-pool-connections
RiskScore = 75
Annotation = {"mitre_attack": ["T1496"]}
Query = Net.Target.Name in ["pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com", "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com", "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org", "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu", "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream"]
GenericProperty1 = Net.Target.Name

[ActivityMonitoringRule]
# Detects network connections from Equation Editor
# Any network connection by eqnedt32.exe matches; the Equation Editor presumably has no legitimate reason to use the
# network. No GenericProperty is configured, so take the destination from the event's Net.Target.* fields.
RuleId = a66bc059-c370-472c-a0d7-f8fd1bf9d583
RuleName = Equation Editor Network Connection
EventType = Net.Any
Tag = equation-editor-network-connection
RiskScore = 75
Annotation = {"mitre_attack": ["T1203"]}
Query = Process.Path like r"%\\eqnedt32.exe"

[ActivityMonitoringRule]
# Detects suspicious network connection by Notepad
# Target port 9100 is excluded, presumably to allow printing from Notepad to network printers (raw/JetDirect port); the
# port is compared as the string "9100". Any other connection by notepad.exe matches.
RuleId = e81528db-fc02-45e8-8e98-4e84aba1f10b
RuleName = Notepad Making Network Connection
EventType = Net.Any
Tag = notepad-making-network-connection
RiskScore = 75
Annotation = {"mitre_attack": ["T1055"]}
Query = (Process.Path like r"%\\notepad.exe" and not (Net.Target.Port == "9100"))
GenericProperty1 = Net.Target.Port

[ActivityMonitoringRule]
# Detects network connections and DNS queries initiated by Regsvr32.exe
# Network-connection counterpart of the Dns.Query rule with the same RuleName and Tag (different RuleId). There is no
# filter on the destination, so every connection by regsvr32.exe matches.
RuleId = c7e91a02-d771-4a6d-a700-42587e0b1095
RuleName = Regsvr32 Network Activity
EventType = Net.Any
Tag = regsvr32-network-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1559.001", "T1218.010"]}
Query = Process.Path like r"%\\regsvr32.exe"

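[ActivityMonitoringRule]
# Detects programs with network connections running in suspicious file system locations
# All location patterns are substring matches on the process path. The Recycle Bin clause is written as
# "%\\$Recycle.bin\\%" so that executables inside that directory match, consistent with the other directory patterns;
# the previous form "%\\$Recycle.bin" (no trailing separator or wildcard) only matched a process path that ended in the
# directory name itself, which a normal executable path does not. The Perflogs pattern is an absolute, C:-only path.
# The single exclusion is the IBM ClientSolutions start-programs directory under C:\Users\Public.
RuleId = 7b434893-c57d-4f41-908d-6a17bf1ae98f
RuleName = Suspicious Program Location with Network Connections
EventType = Net.Any
Tag = suspicious-program-location-with-network-connections
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = (((Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\Users\\Contacts\\%" or Process.Path like r"%\\Users\\Searches\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%") or (Process.Path like r"%\\$Recycle.bin\\%") or (Process.Path like r"C:\\Perflogs\\%")) and not ((Process.Path like r"C:\\Users\\Public\\IBM\\ClientSolutions\\Start\_Programs\\%")))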

[ActivityMonitoringRule]
# 7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.
# Matches cmd.exe children of 7zFM.exe with two exclusions: command lines containing " /c " and empty command lines.
# NOTE(review): the " /c " exclusion also drops the ordinary "cmd.exe /c <command>" form, so verify the intent before
# relying on this rule. The empty-string literal uses single quotes ('') while every other string literal in this file
# uses double quotes - confirm the query parser treats both the same.
RuleId = 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
RuleName = Suspicious 7zip Subprocess
EventType = Process.Start
Tag = proc-start-suspicious-7zip-subprocess
RiskScore = 75
Query = ((Process.Path like r"%\\cmd.exe" and Parent.Path like r"%\\7zFM.exe") and not ((Process.CommandLine like r"% /c %") or (Process.CommandLine == '')))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detection of unusual child processes by different system processes
# Shells (powershell/pwsh/cmd) spawned by core system processes while running under a system account. Process.User is
# matched by substring ("%AUTHORI%" / "%AUTORI%") to cover "NT AUTHORITY" in English and localised spellings; all
# process paths are suffix matches. The single exclusion is a "route ADD" command line.
RuleId = d522eca2-2973-4391-a3e0-ef0374321dae
RuleName = Abused Debug Privilege by Arbitrary Parent Processes
EventType = Process.Start
Tag = proc-start-abused-debug-privilege-by-arbitrary-parent-processes
RiskScore = 75
Annotation = {"mitre_attack": ["T1548"]}
Query = (((Parent.Path like r"%\\winlogon.exe" or Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\lsass.exe" or Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\smss.exe" or Parent.Path like r"%\\wininit.exe" or Parent.Path like r"%\\spoolsv.exe" or Parent.Path like r"%\\searchindexer.exe") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe") and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%")) and not (Process.CommandLine like r"% route %" and Process.CommandLine like r"% ADD %"))
GenericProperty1 = Parent.Path
GenericProperty2 = Process.User

[ActivityMonitoringRule]
# Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
# Matches any command line that references schtasks together with the Compatibility Appraiser task path; both terms are
# substring matches, so legitimate administration of that task (e.g. scripts that run or disable it) matches as well.
RuleId = f548a603-c9f2-4c89-b511-b089f7e94549
RuleName = Abusing Windows Telemetry For Persistence
EventType = Process.Start
Tag = proc-start-abusing-windows-telemetry-for-persistence
RiskScore = 75
Annotation = {"mitre_attack": ["T1112", "T1053"]}
Query = (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%\\Application Experience\\Microsoft Compatibility Appraiser%")

[ActivityMonitoringRule]
# AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
# The patterns are AdFind switch names matched anywhere in any command line (not tied to an adfind.exe image), so other
# tools that use similar LDAP syntax (e.g. "objectcategory=") match as well; tune per environment.
RuleId = 9a132afa-654e-11eb-ae93-0242ac130002
RuleName = AdFind Usage Detection
EventType = Process.Start
Tag = proc-start-adfind-usage-detection
RiskScore = 75
Annotation = {"mitre_attack": ["T1482", "T1018"]}
Query = (Process.CommandLine like r"%domainlist%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%adinfo%" or Process.CommandLine like r"% dclist %" or Process.CommandLine like r"%computer\_pwdnotreqd%" or Process.CommandLine like r"%objectcategory=%" or Process.CommandLine like r"%-subnets -f%" or Process.CommandLine like r"%name=\"Domain Admins\"%" or Process.CommandLine like r"%-sc u:%" or Process.CommandLine like r"%domainncs%" or Process.CommandLine like r"%dompol%" or Process.CommandLine like r"% oudmp %" or Process.CommandLine like r"%subnetdmp%" or Process.CommandLine like r"%gpodmp%" or Process.CommandLine like r"%fspdmp%" or Process.CommandLine like r"%users\_noexpire%" or Process.CommandLine like r"%computers\_active%")

[ActivityMonitoringRule]
# AnyDesk Remote Desktop silent installation can be used by an attacker to gain remote access.
# Requires all three switches in one command line. Legitimate mass deployment of AnyDesk uses the same switches, so
# allow-list the deployment tooling (e.g. by Parent.Path) rather than disabling the rule.
RuleId = 114e7f1c-f137-48c8-8f54-3088c24ce4b9
RuleName = AnyDesk Silent Installation
EventType = Process.Start
Tag = proc-start-anydesk-silent-installation
RiskScore = 75
Annotation = {"mitre_attack": ["T1219"]}
Query = (Process.CommandLine like r"%--install%" and Process.CommandLine like r"%--start-with-win%" and Process.CommandLine like r"%--silent%")

[ActivityMonitoringRule]
# Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
RuleId = e1118a8f-82f5-44b3-bb6b-8a284e5df602
RuleName = Scheduled Task WScript VBScript
EventType = Process.Start
Tag = proc-start-scheduled-task-wscript-vbscript
RiskScore = 75
Annotation = {"mitre_attack": ["T1053", "T1053.005"]}
Query = (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%wscript%" and Process.CommandLine like r"%e:vbscript%")

[ActivityMonitoringRule]
# This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
RuleId = 033fe7d6-66d1-4240-ac6b-28908009c71f
RuleName = APT29
EventType = Process.Start
Tag = proc-start-apt29
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = (Process.CommandLine like r"%-noni%" and Process.CommandLine like r"%-ep%" and Process.CommandLine like r"%bypass%" and Process.CommandLine like r"%$%")

[ActivityMonitoringRule]
# Detects activity that could be related to Baby Shark malware
RuleId = 2b30fa36-3a18-402f-a22d-bf4ce2189f35
RuleName = Baby Shark Activity
EventType = Process.Start
Tag = proc-start-baby-shark-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.003", "T1059.001", "T1012", "T1218.005"]}
Query = (Process.CommandLine like r"reg query \"HKEY\_CURRENT\_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" or Process.CommandLine like r"powershell.exe mshta.exe http%" or Process.CommandLine like r"cmd.exe /c taskkill /im cmd.exe")

[ActivityMonitoringRule]
# Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
RuleId = ce6e34ca-966d-41c9-8d93-5b06c8b97a06
RuleName = Chafer Activity
EventType = Process.Start
Tag = proc-start-chafer-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005", "T1543.003", "T1112", "T1071.004"]}
Query = ((Process.CommandLine like r"%\\Service.exe%" and (Process.CommandLine like r"%i" or Process.CommandLine like r"%u")) or (Process.CommandLine like r"%\\microsoft\\Taskbar\\autoit3.exe" or Process.CommandLine like r"C:\\wsc.exe%") or (Process.Path like r"%\\Windows\\Temp\\DB\\%" and Process.Path like r"%.exe") or (Process.CommandLine like r"%\\nslookup.exe%" and Process.CommandLine like r"%-q=TXT%" and Parent.Path like r"%\\Autoit%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
RuleId = 966e4016-627f-44f7-8341-f394905c361f
RuleName = WMIExec VBS Script
EventType = Process.Start
Tag = proc-start-wmiexec-vbs-script
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.005"]}
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%.vbs%" and Process.CommandLine like r"%/shell%")

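[ActivityMonitoringRule]
# Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
# The "not (...)" clause is an exclusion for copies of the hashed binary installed under either Program Files
# directory. The 32-bit folder is named "Program Files (x86)" (with a space); the generated pattern
# "Program Files(x86)" could never match, so that half of the exclusion was dead. Fixed here; the same
# correction belongs in the upstream Sigma rule, otherwise regenerating this file reintroduces the typo.
RuleId = 18739897-21b1-41da-8ee4-5b786915a676
RuleName = GALLIUM Artefacts
EventType = Process.Start
Tag = proc-start-gallium-artefacts
RiskScore = 75
Annotation = {"mitre_attack": ["T1212", "T1071"]}
Query = (Process.Hash.SHA1 == "e570585edc69f9074cb5e8a790708336bd45ca0f" and not ((Process.Path like r"%:\\Program Files (x86)\\%" or Process.Path like r"%:\\Program Files\\%")))
GenericProperty1 = Process.Hash.SHA1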

[ActivityMonitoringRule]
# Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
RuleId = 440a56bf-7873-4439-940a-1c8a671073c2
RuleName = GALLIUM Artefacts
EventType = Process.Start
Tag = proc-start-gallium-artefacts
RiskScore = 75
Annotation = {"mitre_attack": ["T1212", "T1071"]}
Query = Process.Hash.SHA1 in ["53a44c2396d15c3a03723fa5e5db54cafd527635", "9c5e496921e3bc882dc40694f1dcc3746a75db19", "aeb573accfd95758550cf30bf04f389a92922844", "79ef78a797403a4ed1a616c68e07fff868a8650a", "4f6f38b4cec35e895d91c052b1f5a83d665c2196", "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d", "e841a63e47361a572db9a7334af459ddca11347a", "c28f606df28a9bc8df75a4d5e5837fc5522dd34d", "2e94b305d6812a9f96e6781c888e48c7fb157b6b", "dd44133716b8a241957b912fa6a02efde3ce3025", "8793bf166cb89eb55f0593404e4e933ab605e803", "a39b57032dbb2335499a51e13470a7cd5d86b138", "41cc2b15c662bc001c0eb92f6cc222934f0beeea", "d209430d6af54792371174e70e27dd11d3def7a7", "1c6452026c56efd2c94cea7e0f671eb55515edb0", "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a", "4923d460e22fbbf165bbbaba168e5a46b8157d9f", "f201504bd96e81d0d350c3a8332593ee1c9e09de", "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"]
GenericProperty1 = Process.Hash.SHA1

[ActivityMonitoringRule]
# Detects suspicious UltraVNC command line flag combinations that indicate an auto-reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)
RuleId = 871b9555-69ca-4993-99d3-35a59f9f3599
RuleName = Suspicious UltraVNC Execution
EventType = Process.Start
Tag = proc-start-suspicious-ultravnc-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1021.005"]}
Query = (Process.CommandLine like r"%-autoreconnect %" and Process.CommandLine like r"%-connect %" and Process.CommandLine like r"%-id:%")

[ActivityMonitoringRule]
# Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
RuleId = bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
RuleName = Exchange Exploitation Activity
EventType = Process.Start
Tag = proc-start-exchange-exploitation-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1546", "T1053"]}
Query = ((Process.CommandLine like r"%attrib%" and Process.CommandLine like r"% +h %" and Process.CommandLine like r"% +s %" and Process.CommandLine like r"% +r %" and Process.CommandLine like r"%.aspx%") or (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%VSPerfMon%") or (Process.CommandLine like r"%vssadmin list shadows%" and Process.CommandLine like r"%Temp\\\_\_output%") or Process.CommandLine like r"%\%TEMP\%\\execute.bat%" or Process.Path like r"%Users\\Public\\opera\\Opera\_browser.exe" or (Process.Path like r"%Opera\_browser.exe" and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe")) or Process.Path like r"%\\ProgramData\\VSPerfMon\\%" or (Process.CommandLine like r"% -t7z %" and Process.CommandLine like r"%C:\\Programdata\\pst%" and Process.CommandLine like r"%\\it.zip%") or (Process.Path like r"%\\makecab.exe" and (Process.CommandLine like r"%Microsoft\\Exchange Server\\%" or Process.CommandLine like r"%inetpub\\wwwroot%")) or (Process.CommandLine like r"%\\Temp\\xx.bat%" or Process.CommandLine like r"%Windows\\WwanSvcdcs%" or Process.CommandLine like r"%Windows\\Temp\\cw.exe%") or (Process.CommandLine like r"%\\comsvcs.dll%" and Process.CommandLine like r"%Minidump%" and Process.CommandLine like r"%\\inetpub\\wwwroot%") or (Process.CommandLine like r"%dsquery%" and Process.CommandLine like r"% -uco %" and Process.CommandLine like r"%\\inetpub\\wwwroot%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects Hurricane Panda Activity
RuleId = 0eb2107b-a596-422e-b123-b389d5594ed7
RuleName = Hurricane Panda Activity
EventType = Process.Start
Tag = proc-start-hurricane-panda-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1068"]}
Query = ((Process.CommandLine like r"%localgroup%" and Process.CommandLine like r"%admin%" and Process.CommandLine like r"%/add%") or (Process.CommandLine like r"%\\Win64.exe%"))

[ActivityMonitoringRule]
# Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
RuleId = 4a12fa47-c735-4032-a214-6fab5b120670
RuleName = Lazarus Activity
EventType = Process.Start
Tag = proc-start-lazarus-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1106"]}
Query = ((Process.CommandLine like r"%mshta%" and Process.CommandLine like r"%.zip%") or (Parent.Path like r"C:\\Windows\\System32\\wbem\\wmiprvse.exe" and Process.Path like r"C:\\Windows\\System32\\mshta.exe") or (Parent.Path like r"%:\\Users\\Public\\%" and Process.Path like r"C:\\Windows\\System32\\rundll32.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
RuleId = 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
RuleName = Lazarus Session Highjacker
EventType = Process.Start
Tag = proc-start-lazarus-session-highjacker
RiskScore = 75
Annotation = {"mitre_attack": ["T1036.005"]}
Query = ((Process.Path like r"%\\msdtc.exe" or Process.Path like r"%\\gpvc.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")))

[ActivityMonitoringRule]
# Detects specific process parameters as used by Mustang Panda droppers
RuleId = 2d87d610-d760-45ee-a7e6-7a6f2a65de00
RuleName = Mustang Panda Dropper
EventType = Process.Start
Tag = proc-start-mustang-panda-dropper
RiskScore = 75
Annotation = {"mitre_attack": ["T1587.001"]}
Query = ((Process.CommandLine like r"%Temp\\wtask.exe /create%" or Process.CommandLine like r"%\%windir:~-3,1\%\%PUBLIC:~-9,1\%%" or Process.CommandLine like r"%/tn \"Security Script %" or Process.CommandLine like r"%\%windir:~-1,1\%%") or (Process.CommandLine like r"%/E:vbscript%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%.txt%" and Process.CommandLine like r"%/F%") or Process.Path like r"%Temp\\winwsh.exe")

[ActivityMonitoringRule]
# Detects Trojan loader activity as used by APT28
RuleId = ba778144-5e3d-40cf-8af9-e28fb1df1e20
RuleName = Sofacy Trojan Loader Activity
EventType = Process.Start
Tag = proc-start-sofacy-trojan-loader-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.003", "T1218.011"]}
Query = ((Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%\%APPDATA\%\\%") and (Process.CommandLine like r"%.dat\",%" or (Process.CommandLine like r"%.dll\",#1" or Process.CommandLine like r"%.dll #1" or Process.CommandLine like r"%.dll\" #1")))

[ActivityMonitoringRule]
# Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
RuleId = 7ba08e95-1e0b-40cd-9db5-b980555e42fd
RuleName = SOURGUM Actor Behaviours
EventType = Process.Start
Tag = proc-start-sourgum-actor-behaviours
RiskScore = 75
Annotation = {"mitre_attack": ["T1546", "T1546.015"]}
Query = ((Process.Path like r"%windows\\system32\\Physmem.sys%" or Process.Path like r"%Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini%" or Process.Path like r"%Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini%" or Process.Path like r"%Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini%") or ((Process.Path like r"%windows\\system32\\filepath2%" or Process.Path like r"%windows\\system32\\ime%") and Process.CommandLine like r"%reg add%" and (Process.CommandLine like r"%HKEY\_LOCAL\_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32%" or Process.CommandLine like r"%HKEY\_LOCAL\_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32%")))

[ActivityMonitoringRule]
# Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
RuleId = 18da1007-3f26-470f-875d-f77faf1cab31
RuleName = Ps.exe Renamed SysInternals Tool
EventType = Process.Start
Tag = proc-start-ps.exe-renamed-sysinternals-tool
RiskScore = 75
Annotation = {"mitre_attack": ["T1036.003"]}
Query = Process.CommandLine == "ps.exe -accepteula"

[ActivityMonitoringRule]
# Detects specific process characteristics of Chinese TAIDOOR RAT malware load
RuleId = d1aa3382-abab-446f-96ea-4de52908210b
RuleName = TAIDOOR RAT DLL Load
EventType = Process.Start
Tag = proc-start-taidoor-rat-dll-load
RiskScore = 75
Annotation = {"mitre_attack": ["T1055.001"]}
Query = ((Process.CommandLine like r"%dll,MyStart%" or Process.CommandLine like r"%dll MyStart%") or (Process.CommandLine like r"% MyStart" and Process.CommandLine like r"%rundll32.exe%"))

[ActivityMonitoringRule]
# Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
RuleId = 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
RuleName = TropicTrooper Campaign November 2018
EventType = Process.Start
Tag = proc-start-tropictrooper-campaign-november-2018
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = Process.CommandLine like r"%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%"

[ActivityMonitoringRule]
# Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
RuleId = 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
RuleName = UNC2452 Process Creation Patterns
EventType = Process.Start
Tag = proc-start-unc2452-process-creation-patterns
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((((Process.CommandLine like r"%7z.exe a -v500m -mx9 -r0 -p%" or (Parent.CommandLine like r"%wscript.exe%" and Parent.CommandLine like r"%.vbs%" and Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%C:\\Windows%" and Process.CommandLine like r"%.dll,Tk\_%")) or (Parent.Path like r"%\\rundll32.exe" and Parent.CommandLine like r"%C:\\Windows%" and Process.CommandLine like r"%cmd.exe /C %")) or (Process.CommandLine like r"%rundll32 c:\\windows\\%" and Process.CommandLine like r"%.dll %")) or ((Parent.Path like r"%\\rundll32.exe" and Process.Path like r"%\\dllhost.exe") and not (Process.CommandLine in [" ", ""])))
GenericProperty1 = Parent.CommandLine
GenericProperty2 = Parent.Path

[ActivityMonitoringRule]
# A sigma rule detecting an unidentified attacker who used phishing emails to target high profile orgs in November 2018. The Actor shares some TTPs with the YYTRIUM/APT29 campaign in 2016.
RuleId = 7453575c-a747-40b9-839b-125a0aae324b
RuleName = Unidentified Attacker November 2018
EventType = Process.Start
Tag = proc-start-unidentified-attacker-november-2018
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.CommandLine like r"%cyzfc.dat,%" and Process.CommandLine like r"%PointFunctionCall")

[ActivityMonitoringRule]
# Detects activity mentioned in Operation Wocao report
RuleId = 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
RuleName = Operation Wocao Activity
EventType = Process.Start
Tag = proc-start-operation-wocao-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1012", "T1036.004", "T1027", "T1053.005", "T1059.001"]}
Query = (Process.CommandLine like r"%checkadmin.exe 127.0.0.1 -all%" or Process.CommandLine like r"%netsh advfirewall firewall add rule name=powershell dir=in%" or Process.CommandLine like r"%cmd /c powershell.exe -ep bypass -file c:\\s.ps1%" or Process.CommandLine like r"%/tn win32times /f%" or Process.CommandLine like r"%create win32times binPath=%" or Process.CommandLine like r"%\\c$\\windows\\system32\\devmgr.dll%" or Process.CommandLine like r"% -exec bypass -enc JgAg%" or Process.CommandLine like r"%type %keepass\\KeePass.config.xml%" or Process.CommandLine like r"%iie.exe iie.txt%" or Process.CommandLine like r"%reg query HKEY\_CURRENT\_USER\\Software\\%\\PuTTY\\Sessions\\%")

[ActivityMonitoringRule]
# Detects cases in which an ISO file is opened from within an archiver like 7Zip or Winrar, which is often a sign of phishing, as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of the web)
RuleId = fcdf69e5-a3d3-452a-9724-26f2308bf2b1
RuleName = Phishing Pattern ISO in Archive
EventType = Process.Start
Tag = proc-start-phishing-pattern-iso-in-archive
RiskScore = 75
Annotation = {"mitre_attack": ["T1566"]}
Query = ((Parent.Path like r"%\\Winrar.exe" or Parent.Path like r"%\\7zFM.exe" or Parent.Path like r"%\\peazip.exe") and (Process.Path like r"%\\isoburn.exe" or Process.Path like r"%\\PowerISO.exe" or Process.Path like r"%\\ImgBurn.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
RuleId = 245f92e3-c4da-45f1-9070-bc552e06db11
RuleName = Atlassian Confluence CVE-2021-26084
EventType = Process.Start
Tag = proc-start-atlassian-confluence-cve-2021-26084
RiskScore = 75
Annotation = {"mitre_attack": ["T1190", "T1059"]}
Query = (Parent.Path like r"%\\Atlassian\\Confluence\\jre\\bin\\java.exe" and (Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%curl%" or Process.CommandLine like r"%whoami%" or Process.CommandLine like r"%ipconfig%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects usage of attrib with the "+s" option to mark suspicious scripts or executables as system files, hiding them from users and preventing deletion with simple rights. The rule limits the search to specific extensions and directories to avoid FP's
RuleId = efec536f-72e8-4656-8960-5e85d091345b
RuleName = Set Suspicious Files as System Files Using Attrib
EventType = Process.Start
Tag = proc-start-set-suspicious-files-as-system-files-using-attrib
RiskScore = 75
Annotation = {"mitre_attack": ["T1564.001"]}
Query = ((Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"% +s%" and (Process.CommandLine like r"% \%%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%\\ProgramData\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%") and (Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.ps1%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.vbs%" or Process.CommandLine like r"%.exe%")) and not (Process.CommandLine like r"%\\Windows\\TEMP\\%" and Process.CommandLine like r"%.exe%"))

[ActivityMonitoringRule]
# Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
RuleId = a7c3d773-caef-227e-a7e7-c2f13c622329
RuleName = Bad Opsec Defaults Sacrificial Processes With Improper Arguments
EventType = Process.Start
Tag = proc-start-bad-opsec-defaults-sacrificial-processes-with-improper-arguments
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
Query = ((Process.Path like r"%\\WerFault.exe" and Process.CommandLine like r"%\\WerFault.exe") or (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%\\rundll32.exe") or (Process.Path like r"%\\regsvcs.exe" and Process.CommandLine like r"%\\regsvcs.exe") or (Process.Path like r"%\\regasm.exe" and Process.CommandLine like r"%\\regasm.exe") or (Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%\\regsvr32.exe"))

[ActivityMonitoringRule]
# Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
RuleId = fd6e2919-3936-40c9-99db-0aa922c356f7
RuleName = Malicious Base64 Encoded Powershell Invoke Cmdlets
EventType = Process.Start
Tag = proc-start-malicious-base64-encoded-powershell-invoke-cmdlets
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027"]}
Query = (Process.CommandLine like r"%SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA%" or Process.CommandLine like r"%SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg%" or Process.CommandLine like r"%SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA%")

[ActivityMonitoringRule]
# Detects base64 encoded listing Win32_Shadowcopy
RuleId = 47688f1b-9f51-4656-b013-3cc49a166a36
RuleName = Base64 Encoded Listing of Shadowcopy
EventType = Process.Start
Tag = proc-start-base64-encoded-listing-of-shadowcopy
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027"]}
Query = (Process.CommandLine like r"%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA%")

[ActivityMonitoringRule]
# Detects base64 encoded .NET reflective loading of Assembly
RuleId = 62b7ccc9-23b4-471e-aa15-6da3663c4d59
RuleName = Base64 Encoded Reflective Assembly Load
EventType = Process.Start
Tag = proc-start-base64-encoded-reflective-assembly-load
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027"]}
Query = (Process.CommandLine like r"%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%" or Process.CommandLine like r"%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%" or Process.CommandLine like r"%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%" or Process.CommandLine like r"%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%" or Process.CommandLine like r"%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%" or Process.CommandLine like r"%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%" or Process.CommandLine like r"%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%" or Process.CommandLine like r"%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%" or Process.CommandLine like r"%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%" or Process.CommandLine like r"%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%" or Process.CommandLine like r"%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%" or Process.CommandLine like r"%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%")

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file with a suspicious extension
RuleId = 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
RuleName = Bitsadmin Download File with Suspicious Extension
EventType = Process.Start
Tag = proc-start-bitsadmin-download-file-with-suspicious-extension
RiskScore = 75
Annotation = {"mitre_attack": ["T1197", "T1036.003"]}
Query = (Process.Path like r"%\\bitsadmin.exe" and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%.asax%" or Process.CommandLine like r"%.ashx%" or Process.CommandLine like r"%.asmx%" or Process.CommandLine like r"%.asp%" or Process.CommandLine like r"%.aspx%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cfm%" or Process.CommandLine like r"%.cgi%" or Process.CommandLine like r"%.chm%" or Process.CommandLine like r"%.cmd%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jsp%" or Process.CommandLine like r"%.jspx%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.ps1%" or Process.CommandLine like r"%.psm1%" or Process.CommandLine like r"%.scf%" or Process.CommandLine like r"%.sct%" or Process.CommandLine like r"%.txt%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.vbs%" or Process.CommandLine like r"%.war%" or Process.CommandLine like r"%.wsf%" or Process.CommandLine like r"%.wsh%" or Process.CommandLine like r"%.zip%" or Process.CommandLine like r"%.rar%" or Process.CommandLine like r"%.dll%"))

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file using a URL that contains an IP
RuleId = 99c840f2-2012-46fd-9141-c761987550ef
RuleName = Bitsadmin Download File from IP
EventType = Process.Start
Tag = proc-start-bitsadmin-download-file-from-ip
RiskScore = 75
Annotation = {"mitre_attack": ["T1197", "T1036.003"]}
Query = (Process.Path like r"%\\bitsadmin.exe" and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%http://1%" or Process.CommandLine like r"%http://2%" or Process.CommandLine like r"%http://3%" or Process.CommandLine like r"%http://4%" or Process.CommandLine like r"%http://5%" or Process.CommandLine like r"%http://6%" or Process.CommandLine like r"%http://7%" or Process.CommandLine like r"%http://8%" or Process.CommandLine like r"%http://9%" or Process.CommandLine like r"%https://1%" or Process.CommandLine like r"%https://2%" or Process.CommandLine like r"%https://3%" or Process.CommandLine like r"%https://4%" or Process.CommandLine like r"%https://5%" or Process.CommandLine like r"%https://6%" or Process.CommandLine like r"%https://7%" or Process.CommandLine like r"%https://8%" or Process.CommandLine like r"%https://9%"))

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file to a suspicious target folder
RuleId = 2ddef153-167b-4e89-86b6-757a9e65dcac
RuleName = Bitsadmin Download to Suspicious Target Folder
EventType = Process.Start
Tag = proc-start-bitsadmin-download-to-suspicious-target-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1197", "T1036.003"]}
Query = (Process.Path like r"%\\bitsadmin.exe" and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%C:\\Users\\Public\\%" or Process.CommandLine like r"%\%public\%%" or Process.CommandLine like r"%\\Desktop\\%"))

[ActivityMonitoringRule]
# Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used by malware or an attacker as a destructive technique.
RuleId = 1444443e-6757-43e4-9ea4-c8fc705f79a2
RuleName = Modification of Boot Configuration
EventType = Process.Start
Tag = proc-start-modification-of-boot-configuration
RiskScore = 75
Annotation = {"mitre_attack": ["T1490"]}
Query = ((Process.Path like r"%\\bcdedit.exe" and Process.CommandLine like r"%set%") and ((Process.CommandLine like r"%bootstatuspolicy%" and Process.CommandLine like r"%ignoreallfailures%") or (Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%")))

[ActivityMonitoringRule]
# Detects when a program changes the default file association of any extension to an executable
RuleId = ae6f14e6-14de-45b0-9f44-c0986f50dc89
RuleName = Change Default File Association To Executable
EventType = Process.Start
Tag = proc-start-change-default-file-association-to-executable
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.001"]}
Query = ((Process.CommandLine like r"%cmd%" and Process.CommandLine like r"% /c %" and Process.CommandLine like r"%assoc %" and Process.CommandLine like r"%exefile%") and not (Process.CommandLine like r"%.exe=exefile%"))

[ActivityMonitoringRule]
# Detects PowerShell spawning chrome.exe containing load-extension and AppData\Local in the process command line
RuleId = 27ba3207-dd30-4812-abbf-5d20c57d474e
RuleName = Powershell ChromeLoader Browser Hijacker
EventType = Process.Start
Tag = proc-start-powershell-chromeloader-browser-hijacker
RiskScore = 75
Annotation = {"mitre_attack": ["T1176"]}
Query = (Process.Path like r"%\\chrome.exe" and (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%--load-extension=%" and Process.CommandLine like r"%\\AppData\\Local\\%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects usage of cmdkey to look for cached credentials
RuleId = 07f8bdc2-c9b3-472a-9817-5a670b872f53
RuleName = Cmdkey Cached Credentials Recon
EventType = Process.Start
Tag = proc-start-cmdkey-cached-credentials-recon
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.005"]}
Query = ((Process.Path like r"%\\cmdkey.exe" or Process.Name == "cmdkey.exe") and (Process.CommandLine like r"% /l%" or Process.CommandLine like r"% -l%"))

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
RuleId = 7d4cdc5a-0076-40ca-aac8-f7e714570e47
RuleName = CMSTP Execution Process Creation
EventType = Process.Start
Tag = proc-start-cmstp-execution-process-creation
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.003"]}
Query = Parent.Path like r"%\\cmstp.exe"
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects use of Cobalt Strike commands accidentally entered in the CMD shell
RuleId = 647c7b9e-d784-4fda-b9a0-45c565a7b729
RuleName = Operator Bloopers Cobalt Strike Commands
EventType = Process.Start
Tag = proc-start-operator-bloopers-cobalt-strike-commands
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.003"]}
Query = ((Process.CommandLine like r"cmd.exe%" or Process.CommandLine like r"c:\\windows\\system32\\cmd.exe%") and (Process.CommandLine like r"%psinject%" or Process.CommandLine like r"%spawnas%" or Process.CommandLine like r"%make\_token%" or Process.CommandLine like r"%remote-exec%" or Process.CommandLine like r"%rev2self%" or Process.CommandLine like r"%dcsync%" or Process.CommandLine like r"%logonpasswords%" or Process.CommandLine like r"%execute-assembly%" or Process.CommandLine like r"%getsystem%") and Process.Path like r"%\\cmd.exe")

[ActivityMonitoringRule]
# Detects use of Cobalt Strike module commands accidentally entered in the CMD shell
RuleId = 4f154fb6-27d1-4813-a759-78b93e0b9c48
RuleName = Operator Bloopers Cobalt Strike Modules
EventType = Process.Start
Tag = proc-start-operator-bloopers-cobalt-strike-modules
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.003"]}
Query = ((Process.CommandLine like r"cmd.exe%" or Process.CommandLine like r"c:\\windows\\system32\\cmd.exe%") and (Process.CommandLine like r"%Invoke-UserHunter%" or Process.CommandLine like r"%Invoke-ShareFinder%" or Process.CommandLine like r"%Invoke-Kerberoast%" or Process.CommandLine like r"%Invoke-SMBAutoBrute%" or Process.CommandLine like r"%Invoke-Nightmare%" or Process.CommandLine like r"%zerologon%" or Process.CommandLine like r"%av\_query%") and Process.Path like r"%\\cmd.exe")

[ActivityMonitoringRule]
# Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
RuleId = ae9c6a7c-9521-42a6-915e-5aaa8689d529
RuleName = CobaltStrike Load by Rundll32
EventType = Process.Start
Tag = proc-start-cobaltstrike-load-by-rundll32
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%.dll%" and (Process.CommandLine like r"% StartW" or Process.CommandLine like r"%,StartW"))

[ActivityMonitoringRule]
# Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)
# and also cases in which a China Chopper-like webshell is used to run whoami.
# Four independent branches: (1) "cmd.exe /C whoami" whose parent runs from C:\Temp (drive
# letter hard-coded); (2) "conhost.exe 0xffffffff -ForceV1" whose parent runs whoami,
# "cmd.exe /C echo" or redirects into a \\.\pipe named pipe; (3) echo / pipe redirect /
# whoami.exe spawned by dllhost.exe; (4) cmd.exe spawned by runonce.exe.
# Parent.Path and Parent.CommandLine are referenced as generic properties because every branch
# depends on the spawning process.
RuleId = f35c5d71-b489-4e22-a115-f003df287317
RuleName = CobaltStrike Process Patterns
EventType = Process.Start
Tag = proc-start-cobaltstrike-process-patterns
RiskScore = 75
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.CommandLine like r"%\\cmd.exe /C whoami%" and Parent.Path like r"C:\\Temp%") or (Process.CommandLine like r"%conhost.exe 0xffffffff -ForceV1%" and (Parent.CommandLine like r"%/C whoami%" or Parent.CommandLine like r"%cmd.exe /C echo%" or Parent.CommandLine like r"% > \\\\.\\pipe%")) or ((Process.CommandLine like r"%cmd.exe /c echo%" or Process.CommandLine like r"%> \\\\.\\pipe%" or Process.CommandLine like r"%\\whoami.exe%") and Parent.Path like r"%\\dllhost.exe") or (Process.Path like r"%\\cmd.exe" and Parent.Path like r"%\\runonce.exe" and Parent.CommandLine like r"%\\runonce.exe"))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects the usage of path traversal ("/../../") in the command line of a child of "cmd /c",
# indicating possible command/argument confusion/hijacking.
# The parent check is a loose substring match on "cmd" and "/c". The only exclusion is the
# Tasktop Keycloak launcher, which legitimately uses this pattern; extend the exclusion list
# rather than loosening the match if your environment produces other known-good hits.
RuleId = 087790e3-3287-436c-bccf-cbd0184a7db1
RuleName = Cmd.exe CommandLine Path Traversal
EventType = Process.Start
Tag = proc-start-cmd.exe-commandline-path-traversal
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.003"]}
Query = ((Parent.CommandLine like r"%cmd%" and Parent.CommandLine like r"%/c%" and Process.CommandLine like r"%/../../%") and not ((Process.CommandLine like r"%\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java%")))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects the attempt to evade or obfuscate the executed command on the command line using
# bogus path traversal.
# Matches a binary under \Windows\ whose command line contains "\..\Windows\", "\..\System32\"
# or "\..\..\", or any command line containing ".exe\..\". Google Drive's googledrivesync.exe
# is the single excluded known-good case.
RuleId = 1327381e-6ab0-4f38-b583-4c1b8346a56b
RuleName = Command Line Path Traversal Evasion
EventType = Process.Start
Tag = proc-start-command-line-path-traversal-evasion
RiskScore = 75
Annotation = {"mitre_attack": ["T1036"]}
Query = (((Process.Path like r"%\\Windows\\%" and (Process.CommandLine like r"%\\..\\Windows\\%" or Process.CommandLine like r"%\\..\\System32\\%" or Process.CommandLine like r"%\\..\\..\\%")) or Process.CommandLine like r"%.exe\\..\\%") and not (Process.CommandLine like r"%\\Google\\Drive\\googledrivesync.exe\\..\\%"))

[ActivityMonitoringRule]
# Detects the usage of path traversal ("/../../") in the command line of a process whose parent
# command line contains "conhost", indicating possible command/argument confusion/hijacking.
# Unlike the cmd.exe variant of this rule there is no exclusion list, so review hits against
# known launchers before tuning.
RuleId = ee5e119b-1f75-4b34-add8-3be976961e39
RuleName = Conhost.exe CommandLine Path Traversal
EventType = Process.Start
Tag = proc-start-conhost.exe-commandline-path-traversal
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.003"]}
Query = (Parent.CommandLine like r"%conhost%" and Process.CommandLine like r"%/../../%")
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects a sqlcmd command line used by Conti to dump a database: sqlcmd against "-S localhost"
# combined with sys.sysprocesses, master.dbo.sysdatabases or "BACKUP DATABASE".
# Legitimate DBA backup scripts run against a local instance produce the same pattern; on
# SQL Server hosts expect to tune on the executing user or parent process.
RuleId = 2f47f1fd-0901-466e-a770-3b7092834a1b
RuleName = Conti Backup Database
EventType = Process.Start
Tag = proc-start-conti-backup-database
RiskScore = 75
Annotation = {"mitre_attack": ["T1005"]}
Query = ((Process.CommandLine like r"%sqlcmd %" or Process.CommandLine like r"%sqlcmd.exe%") and Process.CommandLine like r"% -S localhost %" and (Process.CommandLine like r"%sys.sysprocesses%" or Process.CommandLine like r"%master.dbo.sysdatabases%" or Process.CommandLine like r"%BACKUP DATABASE%"))

[ActivityMonitoringRule]
# Detects the malicious use of a control panel item (.cpl).
# Branch 1: a command line ending in ".cpl" that does not point into \System32\ or use the
# literal "%System%" placeholder (written as \%System\% because % is the like wildcard),
# excluding the Intel graphics "regsvr32 /s igfxCPL.cpl" registration.
# Branch 2: "reg add" against ...\CurrentVersion\Control Panel\CPLs, the key under which
# additional control panel items are registered.
RuleId = 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
RuleName = Control Panel Items
EventType = Process.Start
Tag = proc-start-control-panel-items
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.002", "T1546"]}
Query = (((Process.CommandLine like r"%.cpl" and not ((Process.CommandLine like r"%\\System32\\%" or Process.CommandLine like r"%\%System\%%"))) and not (Process.CommandLine like r"%regsvr32 %" and Process.CommandLine like r"% /s %" and Process.CommandLine like r"%igfxCPL.cpl%")) or (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%CurrentVersion\\Control Panel\\CPLs%"))

[ActivityMonitoringRule]
# Files with well-known filenames (sensitive files with credential data) being copied.
# Branch 1: esentutl.exe with "vss", " /m " or " /y " on the command line.
# Branch 2: any command line referencing \windows\ntds\ntds.dit or the SAM / SECURITY / SYSTEM
# hives under \config\, \repair\ or \config\RegBack\. The "\config\system " pattern carries a
# trailing space, presumably to avoid matching \config\systemprofile — verify before editing it.
RuleId = e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
RuleName = Copying Sensitive Files with Credential Data
EventType = Process.Start
Tag = proc-start-copying-sensitive-files-with-credential-data
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.002", "T1003.003"]}
Query = ((Process.Path like r"%\\esentutl.exe" and (Process.CommandLine like r"%vss%" or Process.CommandLine like r"% /m %" or Process.CommandLine like r"% /y %")) or (Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" or Process.CommandLine like r"%\\config\\sam%" or Process.CommandLine like r"%\\config\\security%" or Process.CommandLine like r"%\\config\\system %" or Process.CommandLine like r"%\\repair\\sam%" or Process.CommandLine like r"%\\repair\\system%" or Process.CommandLine like r"%\\repair\\security%" or Process.CommandLine like r"%\\config\\RegBack\\sam%" or Process.CommandLine like r"%\\config\\RegBack\\system%" or Process.CommandLine like r"%\\config\\RegBack\\security%"))

[ActivityMonitoringRule]
# Detects suspicious process patterns found in logs when CrackMapExec is used.
# Branch 1: "cmd.exe /c ... tasklist /fi ... Imagename eq lsass.exe" run by a user whose name
# contains "AUTHORI" or "AUTORI" (presumably NT AUTHORITY and its localized spellings).
# Branch 2: a for-loop calling "rundll32 comsvcs.dll, MiniDump" into \Windows\Temp\ with
# "full"; "\%\%B" is the literal "%%B" loop variable (% is the like wildcard).
# Branch 3: "tasklist /v /fo csv" combined with findstr /i "lsass".
RuleId = f26307d8-14cd-47e3-a26b-4b4769f24af6
RuleName = CrackMapExec Process Patterns
EventType = Process.Start
Tag = proc-start-crackmapexec-process-patterns
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.001"]}
Query = ((Process.CommandLine like r"%cmd.exe /c %" and Process.CommandLine like r"%tasklist /fi %" and Process.CommandLine like r"%Imagename eq lsass.exe%" and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%")) or (Process.CommandLine like r"%do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump%" and Process.CommandLine like r"%\\Windows\\Temp\\%" and Process.CommandLine like r"% full%" and Process.CommandLine like r"%\%\%B%") or (Process.CommandLine like r"%tasklist /v /fo csv%" and Process.CommandLine like r"%findstr /i \"lsass\"%"))
GenericProperty1 = Process.User

[ActivityMonitoringRule]
# Detects Archer malware invocation via rundll32, identified by the InstallArcherSvc function
# name on the command line.
RuleId = 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
RuleName = Fireball Archer Install
EventType = Process.Start
Tag = proc-start-fireball-archer-install
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%InstallArcherSvc%")

[ActivityMonitoringRule]
# Detects specific process characteristics of Snatch ransomware Word document droppers.
# Either indicator alone fires: "shutdown /r /f /t 00" or "net stop SuperBackupMan". The
# shutdown string can also appear in legitimate maintenance scripts; the service stop is the
# more specific of the two and worth checking first when triaging.
RuleId = 5325945e-f1f0-406e-97b8-65104d393fff
RuleName = Snatch Ransomware
EventType = Process.Start
Tag = proc-start-snatch-ransomware
RiskScore = 75
Annotation = {"mitre_attack": ["T1204"]}
Query = (Process.CommandLine like r"%shutdown /r /f /t 00%" or Process.CommandLine like r"%net stop SuperBackupMan%")

[ActivityMonitoringRule]
# Detects command line parameters or strings often used by crypto miners (XMRig-style
# options, "-o pool." and stratum+tcp/udp pool URLs).
# The base64 strings are "--donate-level=", "stratum+tcp://" and "stratum+udp://" encoded at
# each of the three possible byte offsets, so an encoded command line is caught regardless of
# its alignment.
RuleId = 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
RuleName = Windows Crypto Mining Indicators
EventType = Process.Start
Tag = proc-start-windows-crypto-mining-indicators
RiskScore = 75
Annotation = {"mitre_attack": ["T1496"]}
Query = (Process.CommandLine like r"% --cpu-priority=%" or Process.CommandLine like r"%--donate-level=0%" or Process.CommandLine like r"% -o pool.%" or Process.CommandLine like r"% --nicehash%" or Process.CommandLine like r"% --algo=rx/0 %" or Process.CommandLine like r"%stratum+tcp://%" or Process.CommandLine like r"%stratum+udp://%" or Process.CommandLine like r"%LS1kb25hdGUtbGV2ZWw9%" or Process.CommandLine like r"%0tZG9uYXRlLWxldmVsP%" or Process.CommandLine like r"%tLWRvbmF0ZS1sZXZlbD%" or Process.CommandLine like r"%c3RyYXR1bSt0Y3A6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdGNwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3RjcDovL%" or Process.CommandLine like r"%c3RyYXR1bSt1ZHA6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdWRwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3VkcDovL%")

[ActivityMonitoringRule]
# Detects possible successful exploitation of CVE-2021-26857 by looking for abnormal child
# processes of the Exchange Server Unified Messaging service (UMWorkerProcess.exe).
# Any child other than the Windows Error Reporting binaries (wermgr.exe, WerFault.exe) fires,
# so this is intentionally broad; it is only meaningful on Exchange servers.
RuleId = cd479ccc-d8f0-4c66-ba7d-e06286f3f887
RuleName = CVE-2021-26857 Exchange Exploitation
EventType = Process.Start
Tag = proc-start-cve-2021-26857-exchange-exploitation
RiskScore = 75
Annotation = {"mitre_attack": ["T1203"]}
Query = (Parent.Path like r"%UMWorkerProcess.exe" and not ((Process.Path like r"%wermgr.exe" or Process.Path like r"%WerFault.exe")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Deletes the Windows systemstatebackup using wbadmin.exe.
# This technique is used by numerous ransomware families.
# This may only be successful on server platforms that have Windows Backup enabled.
# Requires "delete ", "systemstatebackup " and "-keepVersions:0" together on the command line;
# a deletion that keeps one or more versions is not matched.
RuleId = 89f75308-5b1b-4390-b2d8-d6b2340efaf8
RuleName = Wbadmin Delete Systemstatebackup
EventType = Process.Start
Tag = proc-start-wbadmin-delete-systemstatebackup
RiskScore = 75
Annotation = {"mitre_attack": ["T1490"]}
Query = ((Process.Path like r"%\\wbadmin.exe" or Process.CommandLine like r"%wbadmin%") and (Process.CommandLine like r"%delete %" and Process.CommandLine like r"%systemstatebackup %" and Process.CommandLine like r"%-keepVersions:0%"))

[ActivityMonitoringRule]
# Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from a non-default
# directory, which may be an attempt to sideload an arbitrary DLL.
# The two allowed locations are hard-coded under C:\; on hosts whose system drive is not C:
# every legitimate MpCmdRun.exe launch will match — adjust the exclusion to your install paths.
RuleId = 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
RuleName = DLL Sideloading by Microsoft Defender
EventType = Process.Start
Tag = proc-start-dll-sideloading-by-microsoft-defender
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (Process.Path like r"%\\MpCmdRun.exe" and not ((Process.Path like r"C:\\Program Files\\Windows Defender\\%" or Process.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%")))

[ActivityMonitoringRule]
# Well-known DNS exfiltration / tunneling tools execution: iodine.exe, or any image path
# containing "\dnscat2".
# Filename-based only; a renamed binary is not detected. Pair with DNS-query-based detection
# for coverage that does not depend on the tool's name.
RuleId = 98a96a5a-64a0-4c42-92c5-489da3866cb0
RuleName = DNS Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-dns-exfiltration-and-tunneling-tools-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1048.001", "T1071.004", "T1132.001"]}
Query = (Process.Path like r"%\\iodine.exe" or Process.Path like r"%\\dnscat2%")

[ActivityMonitoringRule]
# Detects the installation of a plugin DLL via the ServerLevelPluginDll parameter, which can be
# used to execute code in the context of the DNS server (restart required).
# Matches dnscmd.exe with "/config" and "/serverlevelplugindll" on the command line; the
# equivalent registry write made without dnscmd is not covered by this rule.
RuleId = f63b56ee-3f79-4b8a-97fb-5c48007e8573
RuleName = DNS ServerLevelPluginDll Install
EventType = Process.Start
Tag = proc-start-dns-serverlevelplugindll-install
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002", "T1112"]}
Query = (Process.Path like r"%\\dnscmd.exe" and Process.CommandLine like r"%/config%" and Process.CommandLine like r"%/serverlevelplugindll%")

[ActivityMonitoringRule]
# Detects a base64 encoded "::FromBase64String" keyword in a process command line.
# First group: the ASCII string at its three possible base64 alignments. Second group: the
# same string as UTF-16LE (the encoding used by powershell -EncodedCommand), again at all
# three alignments.
RuleId = fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
RuleName = Encoded FromBase64String
EventType = Process.Start
Tag = proc-start-encoded-frombase64string
RiskScore = 75
Annotation = {"mitre_attack": ["T1140", "T1059.001"]}
Query = ((Process.CommandLine like r"%OjpGcm9tQmFzZTY0U3RyaW5n%" or Process.CommandLine like r"%o6RnJvbUJhc2U2NFN0cmluZ%" or Process.CommandLine like r"%6OkZyb21CYXNlNjRTdHJpbm%") or (Process.CommandLine like r"%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%" or Process.CommandLine like r"%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%" or Process.CommandLine like r"%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%"))

[ActivityMonitoringRule]
# Detects a base64 encoded IEX command string in a process command line.
# Covers "IEX ([", "iex ([", "iex (New" and "IEX (New" in ASCII and UTF-16LE, each at the
# three possible base64 alignments. Other casings (e.g. "Iex") or a different character after
# the opening parenthesis are not covered.
RuleId = 88f680b8-070e-402c-ae11-d2914f2257f1
RuleName = Encoded IEX
EventType = Process.Start
Tag = proc-start-encoded-iex
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.CommandLine like r"%SUVYIChb%" or Process.CommandLine like r"%lFWCAoW%" or Process.CommandLine like r"%JRVggKF%" or Process.CommandLine like r"%aWV4IChb%" or Process.CommandLine like r"%lleCAoW%" or Process.CommandLine like r"%pZXggKF%" or Process.CommandLine like r"%aWV4IChOZX%" or Process.CommandLine like r"%lleCAoTmV3%" or Process.CommandLine like r"%pZXggKE5ld%" or Process.CommandLine like r"%SUVYIChOZX%" or Process.CommandLine like r"%lFWCAoTmV3%" or Process.CommandLine like r"%JRVggKE5ld%") or (Process.CommandLine like r"%SQBFAFgAIAAoAFsA%" or Process.CommandLine like r"%kARQBYACAAKABbA%" or Process.CommandLine like r"%JAEUAWAAgACgAWw%" or Process.CommandLine like r"%aQBlAHgAIAAoAFsA%" or Process.CommandLine like r"%kAZQB4ACAAKABbA%" or Process.CommandLine like r"%pAGUAeAAgACgAWw%" or Process.CommandLine like r"%aQBlAHgAIAAoAE4AZQB3A%" or Process.CommandLine like r"%kAZQB4ACAAKABOAGUAdw%" or Process.CommandLine like r"%pAGUAeAAgACgATgBlAHcA%" or Process.CommandLine like r"%SQBFAFgAIAAoAE4AZQB3A%" or Process.CommandLine like r"%kARQBYACAAKABOAGUAdw%" or Process.CommandLine like r"%JAEUAWAAgACgATgBlAHcA%"))

[ActivityMonitoringRule]
# Potential adversaries stopping ETW providers from recording loaded .NET assemblies by
# setting COMPlus_ETWEnabled=0.
# Only the command-line form is matched ("\_" is the escaped literal underscore, since _ is a
# single-character like wildcard); the same setting applied through the process environment
# rather than the command line is not visible to this rule.
RuleId = 41421f44-58f9-455d-838a-c398859841d4
RuleName = COMPlus_ETWEnabled Command Line Arguments
EventType = Process.Start
Tag = proc-start-complus_etwenabled-command-line-arguments
RiskScore = 75
Annotation = {"mitre_attack": ["T1562"]}
Query = Process.CommandLine like r"%COMPlus\_ETWEnabled=0%"

[ActivityMonitoringRule]
# Detects a command that clears or disables an ETW trace log, which could indicate logging evasion.
# Branches: "cl"/"clear-log" with "/Trace" and "sl"/"set-log" with "/e:false" (wevtutil verbs),
# "logman update trace ... --p ... -ets", Remove-EtwTraceProvider, and Set-EtwTraceProvider
# with 0x11. The "cl" and "sl" checks are bare substring matches, so all of their specificity
# comes from the accompanying "/Trace" or "/e:false" term.
RuleId = a238b5d0-ce2d-4414-a676-7a531b3d13d6
RuleName = Disable of ETW Trace
EventType = Process.Start
Tag = proc-start-disable-of-etw-trace
RiskScore = 75
Annotation = {"mitre_attack": ["T1070", "T1562.006"]}
Query = ((Process.CommandLine like r"%cl%" and Process.CommandLine like r"%/Trace%") or (Process.CommandLine like r"%clear-log%" and Process.CommandLine like r"%/Trace%") or (Process.CommandLine like r"%sl%" and Process.CommandLine like r"%/e:false%") or (Process.CommandLine like r"%set-log%" and Process.CommandLine like r"%/e:false%") or (Process.CommandLine like r"%logman%" and Process.CommandLine like r"%update%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%--p%" and Process.CommandLine like r"%-ets%") or Process.CommandLine like r"%Remove-EtwTraceProvider%" or (Process.CommandLine like r"%Set-EtwTraceProvider%" and Process.CommandLine like r"%0x11%"))

[ActivityMonitoringRule]
# Detects an exploitation attempt of the privilege escalation vulnerability via SetupComplete.cmd
# and PartnerSetupComplete.cmd described in CVE-2019-1378.
# Fires for any child of "cmd.exe /c C:\Windows\Setup\Scripts\(Partner)SetupComplete.cmd" whose
# image lives outside System32, SysWOW64, WinSxS or \Windows\Setup\. All paths are hard-coded
# to the C: drive.
RuleId = 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
RuleName = Exploiting SetupComplete.cmd CVE-2019-1378
EventType = Process.Start
Tag = proc-start-exploiting-setupcomplete.cmd-cve-2019-1378
RiskScore = 75
Annotation = {"mitre_attack": ["T1068", "T1059.003", "T1574"]}
Query = ((Parent.CommandLine like r"%\\cmd.exe%" and Parent.CommandLine like r"%/c%" and Parent.CommandLine like r"%C:\\Windows\\Setup\\Scripts\\%" and (Parent.CommandLine like r"%SetupComplete.cmd" or Parent.CommandLine like r"%PartnerSetupComplete.cmd")) and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Windows\\Setup\\%")))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects the exploitation of the Zoho ManageEngine Desktop Central Java deserialization
# vulnerability reported as CVE-2020-10189.
# Matches cmd.exe, powershell.exe, pwsh.exe or bitsadmin.exe spawned by the bundled JRE
# (...DesktopCentral_Server\jre\bin\java.exe); other children of that java.exe are not covered.
RuleId = 846b866e-2a57-46ee-8e16-85fa92759be7
RuleName = Exploited CVE-2020-10189 Zoho ManageEngine
EventType = Process.Start
Tag = proc-start-exploited-cve-2020-10189-zoho-manageengine
RiskScore = 75
Annotation = {"mitre_attack": ["T1190", "T1059.001", "T1059.003"]}
Query = (Parent.Path like r"%DesktopCentral\_Server\\jre\\bin\\java.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects commands that add a new printer port pointing to a suspicious file (CVE-2020-1048).
# Branch 1 requires "Add-PrinterPort -Name" together with .exe/.dll/.bat. Branch 2 fires on
# "Generic / Text Only" alone, which is also the name of the stock Windows text printer driver,
# so legitimate printer installations can match — review before acting on the risk score.
RuleId = cc08d590-8b90-413a-aff6-31d1a99678d7
RuleName = Suspicious PrinterPorts Creation (CVE-2020-1048)
EventType = Process.Start
Tag = proc-start-suspicious-printerports-creation-(cve-2020-1048)
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.CommandLine like r"%Add-PrinterPort -Name%" and (Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bat%")) or Process.CommandLine like r"%Generic / Text Only%")

[ActivityMonitoringRule]
# Looks for the encrypted cpassword value within Group Policy Preference XML files in SYSVOL on
# the Domain Controller. This value can be decrypted with gpp-decrypt.
# Only findstr.exe is matched; the same search via Select-String, type or a script is not.
RuleId = 91a2c315-9ee6-4052-a853-6f6a8238f90d
RuleName = Findstr GPP Passwords
EventType = Process.Start
Tag = proc-start-findstr-gpp-passwords
RiskScore = 75
Annotation = {"mitre_attack": ["T1552.006"]}
Query = (Process.Path like r"%\\findstr.exe" and Process.CommandLine like r"%cpassword%" and Process.CommandLine like r"%\\sysvol\\%" and Process.CommandLine like r"%.xml%")

[ActivityMonitoringRule]
# Detects command line parameters used by ADCSPwn, a tool that escalates privileges in an
# Active Directory network by coercing authentication from machine accounts and relaying it to
# the certificate service.
# The match is " --adcs " together with " --port " on any command line, regardless of image name.
RuleId = cd8c163e-a19b-402e-bdd5-419ff5859f12
RuleName = ADCSPwn Hack Tool
EventType = Process.Start
Tag = proc-start-adcspwn-hack-tool
RiskScore = 75
Annotation = {"mitre_attack": ["T1557.001"]}
Query = (Process.CommandLine like r"% --adcs %" and Process.CommandLine like r"% --port %")

[ActivityMonitoringRule]
# Detects command line parameters used by the BloodHound and SharpHound hack tools.
# Fires on the image name (Bloodhound.exe / SharpHound.exe, substring match), on well-known
# collector switches ("-CollectionMethod All", ".exe -c All -d", Invoke-Bloodhound,
# Get-BloodHoundData), or on the "-JsonFolder"+"-ZipFileName" and "DCOnly"+"--NoSaveCache"
# switch pairs.
RuleId = f376c8a7-a2d0-4ddc-aa0c-16c17236d962
RuleName = Bloodhound and Sharphound Hack Tool
EventType = Process.Start
Tag = proc-start-bloodhound-and-sharphound-hack-tool
RiskScore = 75
Annotation = {"mitre_attack": ["T1087.001", "T1087.002", "T1482", "T1069.001", "T1069.002", "T1059.001"]}
Query = ((Process.Path like r"%\\Bloodhound.exe%" or Process.Path like r"%\\SharpHound.exe%") or (Process.CommandLine like r"% -CollectionMethod All %" or Process.CommandLine like r"%.exe -c All -d %" or Process.CommandLine like r"%Invoke-Bloodhound%" or Process.CommandLine like r"%Get-BloodHoundData%") or (Process.CommandLine like r"% -JsonFolder %" and Process.CommandLine like r"% -ZipFileName %") or (Process.CommandLine like r"% DCOnly %" and Process.CommandLine like r"% --NoSaveCache %"))

[ActivityMonitoringRule]
# Detects tools created by the well-known hacktool author Cube0x0, who includes the handle as
# company name in the PE version information (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.).
# Relies entirely on the PE version resource; a rebuilt or stripped binary evades it, so treat
# this as a cheap catch for unmodified releases rather than as coverage of the tools themselves.
RuleId = 37c1333a-a0db-48be-b64b-7393b2386e3b
RuleName = Hacktool by Cube0x0
EventType = Process.Start
Tag = proc-start-hacktool-by-cube0x0
RiskScore = 75
Query = Process.Company == "Cube0x0"
GenericProperty1 = Process.Company

[ActivityMonitoringRule]
# Detects command line parameters used by the Hydra password guessing hack tool.
# Requires "-u " and "-p " plus the ^USER^ or ^PASS^ placeholder on the same command line;
# the image name is not checked.
RuleId = aaafa146-074c-11eb-adc1-0242ac120002
RuleName = Hydra Password Guessing Hack Tool
EventType = Process.Start
Tag = proc-start-hydra-password-guessing-hack-tool
RiskScore = 75
Annotation = {"mitre_attack": ["T1110", "T1110.001"]}
Query = (Process.CommandLine like r"%-u %" and Process.CommandLine like r"%-p %" and (Process.CommandLine like r"%^USER^%" or Process.CommandLine like r"%^PASS^%"))

[ActivityMonitoringRule]
# Detects command line parameters used by the Koadic hack tool.
# Matches cmd.exe with "/q", "/c" and "chcp" on the command line. This combination also appears
# in legitimate batch scripts that switch code pages; expect to tune on the parent process in
# environments that run such scripts.
RuleId = 5cddf373-ef00-4112-ad72-960ac29bac34
RuleName = Koadic Execution
EventType = Process.Start
Tag = proc-start-koadic-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.003", "T1059.005", "T1059.007"]}
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%/q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%chcp%")

[ActivityMonitoringRule]
# Detects the use of KrbRelay, a Kerberos relaying tool.
# Matches the default image name (by path or Process.Name) or its switch combinations
# (-spn/-clsid/-rbcd, shadowcred/clsid/spn, spn/session/clsid); a renamed binary is caught
# only through the switch combinations.
RuleId = e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
RuleName = KrbRelay Hack Tool
EventType = Process.Start
Tag = proc-start-krbrelay-hack-tool
RiskScore = 75
Annotation = {"mitre_attack": ["T1558.003"]}
Query = (Process.Path like r"%\\KrbRelay.exe" or Process.Name == "KrbRelay.exe" or (Process.CommandLine like r"% -spn %" and Process.CommandLine like r"% -clsid %" and Process.CommandLine like r"% -rbcd %") or (Process.CommandLine like r"%shadowcred%" and Process.CommandLine like r"%clsid%" and Process.CommandLine like r"%spn%") or (Process.CommandLine like r"%spn %" and Process.CommandLine like r"%session %" and Process.CommandLine like r"%clsid %"))

[ActivityMonitoringRule]
# Detects KrbRelayUp, used to perform a universal no-fix local privilege escalation in Windows
# domain environments where LDAP signing is not enforced.
# Matches the default image name (by path or Process.Name) or the "relay -Domain -ComputerName",
# "krbscm -sc" and "spawn -d -cn -cp" switch combinations.
RuleId = 12827a56-61a4-476a-a9cb-f3068f191073
RuleName = KrbRelayUp Hack Tool
EventType = Process.Start
Tag = proc-start-krbrelayup-hack-tool
RiskScore = 75
Annotation = {"mitre_attack": ["T1558.003", "T1550.003"]}
Query = (Process.Path like r"%\\KrbRelayUp.exe" or Process.Name == "KrbRelayUp.exe" or (Process.CommandLine like r"% relay %" and Process.CommandLine like r"% -Domain %" and Process.CommandLine like r"% -ComputerName %") or (Process.CommandLine like r"% krbscm %" and Process.CommandLine like r"% -sc %") or (Process.CommandLine like r"% spawn %" and Process.CommandLine like r"% -d %" and Process.CommandLine like r"% -cn %" and Process.CommandLine like r"% -cp %"))

[ActivityMonitoringRule]
# Detects hashcat.exe, or a hashcat-style command line cracking SAM-derived hashes: hash mode
# "-m 1000" (NTLM in hashcat's numbering) with an attack mode ("-a ") and a rule file ("-r ").
RuleId = 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf
RuleName = Password Cracking with Hashcat
EventType = Process.Start
Tag = proc-start-password-cracking-with-hashcat
RiskScore = 75
Annotation = {"mitre_attack": ["T1110.002"]}
Query = (Process.Path like r"%\\hashcat.exe" or (Process.CommandLine like r"%-a %" and Process.CommandLine like r"%-m 1000 %" and Process.CommandLine like r"%-r %"))

[ActivityMonitoringRule]
# Detects an unusual method to download files: Edge or Chrome started with --headless and
# dump-dom against an http(s) URL. Threat actors can use this to fetch files.
# Only msedge.exe and chrome.exe are covered; other Chromium-based browsers presumably accept
# the same switches and would need to be added to the image list.
RuleId = 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
RuleName = File Download with Headless Browser
EventType = Process.Start
Tag = proc-start-file-download-with-headless-browser
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = ((Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\chrome.exe") and Process.CommandLine like r"%--headless%" and Process.CommandLine like r"%dump-dom%" and Process.CommandLine like r"%http%")

[ActivityMonitoringRule]
# Identifies usage of hh.exe executing .chm files.
# NOTE(review): the upstream Sigma description refers to "recently modified" .chm files, but
# this query only checks that hh.exe's command line contains ".chm" — there is no file-age
# check, so every help-file open by hh.exe will match.
RuleId = 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
RuleName = HH.exe Execution
EventType = Process.Start
Tag = proc-start-hh.exe-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.001"]}
Query = (Process.Path like r"%\\hh.exe" and Process.CommandLine like r"%.chm%")

[ActivityMonitoringRule]
# Detects a suspicious child process (shells, script hosts, regsvr32, wmic, rundll32) of the
# Microsoft HTML Help executable when executing compiled HTML files (.chm).
# The parent is matched by the exact path C:\Windows\hh.exe (no wildcard), so an hh.exe on a
# different system drive or in another location is not covered.
RuleId = 52cad028-0ff0-4854-8f67-d25dfcbc78b4
RuleName = HTML Help Shell Spawn
EventType = Process.Start
Tag = proc-start-html-help-shell-spawn
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.001", "T1218.010", "T1218.011", "T1059.001", "T1059.003", "T1059.005", "T1059.007", "T1047"]}
Query = (Parent.Path like r"C:\\Windows\\hh.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\rundll32.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious Hangul Word Processor (Hanword) sub process that could indicate
# exploitation: gbb.exe spawned by Hwp.exe.
RuleId = 023394c4-29d5-46ab-92b8-6a534c6f447b
RuleName = Suspicious HWP Sub Processes
EventType = Process.Start
Tag = proc-start-suspicious-hwp-sub-processes
RiskScore = 75
Annotation = {"mitre_attack": ["T1566.001", "T1203", "T1059.003"]}
Query = (Parent.Path like r"%\\Hwp.exe" and Process.Path like r"%\\gbb.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects disabling of HTTP logging on a Windows IIS web server via appcmd.exe
# ("set config /section:httplogging /dontLog:true"), as seen by Threat Group 3390 (Bronze Union).
RuleId = e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
RuleName = Disable Windows IIS HTTP Logging
EventType = Process.Start
Tag = proc-start-disable-windows-iis-http-logging
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.002"]}
Query = (Process.Path like r"%\\appcmd.exe" and Process.CommandLine like r"%set%" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%/section:httplogging%" and Process.CommandLine like r"%/dontLog:true%")

[ActivityMonitoringRule]
# Detects the execution of compiled Windows binaries of the impacket toolset, based on their
# default names or name fragments — could lead to false positives, and is evaded by renaming.
# Group 1 matches path fragments (e.g. \secretsdump, \wmiexec) regardless of extension; group 2
# matches the exact "<tool>_windows.exe" names ("\_" is the escaped literal underscore).
RuleId = 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
RuleName = Impacket Tool Execution
EventType = Process.Start
Tag = proc-start-impacket-tool-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1557.001"]}
Query = ((Process.Path like r"%\\goldenPac%" or Process.Path like r"%\\karmaSMB%" or Process.Path like r"%\\kintercept%" or Process.Path like r"%\\ntlmrelayx%" or Process.Path like r"%\\rpcdump%" or Process.Path like r"%\\samrdump%" or Process.Path like r"%\\secretsdump%" or Process.Path like r"%\\smbexec%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\wmiexec%" or Process.Path like r"%\\wmipersist%") or (Process.Path like r"%\\atexec\_windows.exe" or Process.Path like r"%\\dcomexec\_windows.exe" or Process.Path like r"%\\dpapi\_windows.exe" or Process.Path like r"%\\findDelegation\_windows.exe" or Process.Path like r"%\\GetADUsers\_windows.exe" or Process.Path like r"%\\GetNPUsers\_windows.exe" or Process.Path like r"%\\getPac\_windows.exe" or Process.Path like r"%\\getST\_windows.exe" or Process.Path like r"%\\getTGT\_windows.exe" or Process.Path like r"%\\GetUserSPNs\_windows.exe" or Process.Path like r"%\\ifmap\_windows.exe" or Process.Path like r"%\\mimikatz\_windows.exe" or Process.Path like r"%\\netview\_windows.exe" or Process.Path like r"%\\nmapAnswerMachine\_windows.exe" or Process.Path like r"%\\opdump\_windows.exe" or Process.Path like r"%\\psexec\_windows.exe" or Process.Path like r"%\\rdp\_check\_windows.exe" or Process.Path like r"%\\sambaPipe\_windows.exe" or Process.Path like r"%\\smbclient\_windows.exe" or Process.Path like r"%\\smbserver\_windows.exe" or Process.Path like r"%\\sniffer\_windows.exe" or Process.Path like r"%\\sniff\_windows.exe" or Process.Path like r"%\\split\_windows.exe" or Process.Path like r"%\\ticketer\_windows.exe"))

[ActivityMonitoringRule]
# Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.
# Branch 1: "cmd.exe /Q /c" with output redirected ("&1") to a \\127.0.0.1\ share, spawned by
# wmiprvse, mmc, explorer or services.exe. Branch 2: "cmd.exe /C" writing under Windows\Temp\
# with "&1", spawned by "svchost.exe -k netsvcs" or taskeng.exe.
RuleId = 10c14723-61c7-4c75-92ca-9af245723ad2
RuleName = Impacket Lateralization Detection
EventType = Process.Start
Tag = proc-start-impacket-lateralization-detection
RiskScore = 75
Annotation = {"mitre_attack": ["T1047", "T1021.003"]}
Query = (((Parent.Path like r"%\\wmiprvse.exe" or Parent.Path like r"%\\mmc.exe" or Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\services.exe") and Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%\\\\127.0.0.1\\%" and Process.CommandLine like r"%&1%") or ((Parent.CommandLine like r"%svchost.exe -k netsvcs%" or Parent.CommandLine like r"%taskeng.exe%") and Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%Windows\\Temp\\%" and Process.CommandLine like r"%&1%"))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects a base64-encoded MZ (PE) header in the command line.
# The five strings are base64 encodings of common DOS-header prefixes starting at the "MZ"
# bytes, so they only match when the executable begins on a 3-byte boundary of the encoded
# blob; an MZ header at another alignment is not caught.
# This rule carries no MITRE annotation.
RuleId = 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
RuleName = Base64 MZ Header In CommandLine
EventType = Process.Start
Tag = proc-start-base64-mz-header-in-commandline
RiskScore = 75
Query = (Process.CommandLine like r"%TVqQAAMAAAAEAAAA%" or Process.CommandLine like r"%TVpQAAIAAAAEAA8A%" or Process.CommandLine like r"%TVqAAAEAAAAEABAA%" or Process.CommandLine like r"%TVoAAAAAAAAAAAAA%" or Process.CommandLine like r"%TVpTAQEAAAAEAAAA%")

[ActivityMonitoringRule]
# Detects the registration of a debugger for a program that is available on the logon screen
# (sticky keys backdoor) via an Image File Execution Options command line.
# Matches any command line naming the IFEO key together with sethc, utilman, osk, magnify,
# narrator, displayswitch or atbroker; the same change made through the registry API without
# a command line is not visible to this rule.
RuleId = ae215552-081e-44c7-805f-be16f975c8a2
RuleName = Suspicious Debugger Registration Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-debugger-registration-cmdline
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.008"]}
Query = (Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\%" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%magnify.exe%" or Process.CommandLine like r"%narrator.exe%" or Process.CommandLine like r"%displayswitch.exe%" or Process.CommandLine like r"%atbroker.exe%"))

[ActivityMonitoringRule]
# Detects an interactive AT job (at.exe with "interactive" on the command line), which may be
# used as a form of privilege escalation.
RuleId = 60fc936d-2eb0-4543-8a13-911c750a1dfc
RuleName = Interactive AT Job
EventType = Process.Start
Tag = proc-start-interactive-at-job
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.002"]}
Query = (Process.Path like r"%\\at.exe" and Process.CommandLine like r"%interactive%")

[ActivityMonitoringRule]
# Detects obfuscated PowerShell launched via MSHTA, as produced by Invoke-Obfuscation.
# All six fragments must be present on one command line: set, &&, mshta,
# vbscript:createobject, .run and (window.close).
RuleId = ac20ae82-8758-4f38-958e-b44a3140ca88
RuleName = Invoke-Obfuscation Via Use MSHTA
EventType = Process.Start
Tag = proc-start-invoke-obfuscation-via-use-mshta
RiskScore = 75
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = (Process.CommandLine like r"%set%" and Process.CommandLine like r"%&&%" and Process.CommandLine like r"%mshta%" and Process.CommandLine like r"%vbscript:createobject%" and Process.CommandLine like r"%.run%" and Process.CommandLine like r"%(window.close)%")

[ActivityMonitoringRule]
# Detects obfuscated PowerShell launched via rundll32 and shell32.dll's shellexec_rundll entry,
# as produced by Invoke-Obfuscation.
# Requires &&, rundll32, shell32.dll and shellexec_rundll ("\_" is the escaped literal
# underscore) plus one of value / invoke / comspec / iex.
RuleId = 36c5146c-d127-4f85-8e21-01bf62355d5a
RuleName = Invoke-Obfuscation Via Use Rundll32
EventType = Process.Start
Tag = proc-start-invoke-obfuscation-via-use-rundll32
RiskScore = 75
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = (Process.CommandLine like r"%&&%" and Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%shellexec\_rundll%" and (Process.CommandLine like r"%value%" or Process.CommandLine like r"%invoke%" or Process.CommandLine like r"%comspec%" or Process.CommandLine like r"%iex%"))

[ActivityMonitoringRule]
# Detects MSHTA.EXE spawned by SVCHOST, as seen in LethalHTA and described in the referenced report.
# A plain parent/child image-name check with no command-line constraints.
RuleId = ed5d72a6-f8f4-479d-ba79-02f6a80d7471
RuleName = MSHTA Spwaned by SVCHOST
EventType = Process.Start
Tag = proc-start-mshta-spwaned-by-svchost
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.005"]}
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mshta.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects creation or execution of the UserInitMprLogonScript persistence method.
# Branch 1: any child of userinit.exe except explorer / proquota images, netlogon*.bat /
# UsrLogon.cmd / C:\WINDOWS\Explorer.EXE command lines, and Citrix icast.exe.
# Branch 2: any command line containing UserInitMprLogonScript.
# NOTE(review): the explorer exclusion is written "%explorer.exe" without a leading "\\", so any
# image whose name merely ends in "explorer.exe" is excluded, whereas the proquota exclusion
# uses "%\\proquota.exe". Fix this upstream in the Sigma rule rather than here — this file is
# generated and hand edits are lost on regeneration.
RuleId = 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
RuleName = Logon Scripts (UserInitMprLogonScript)
EventType = Process.Start
Tag = proc-start-logon-scripts-(userinitmprlogonscript)
RiskScore = 75
Annotation = {"mitre_attack": ["T1037.001"]}
Query = ((Parent.Path like r"%\\userinit.exe" and not (((Process.Path like r"%explorer.exe" or Process.Path like r"%\\proquota.exe")) or ((Process.CommandLine like r"%netlogon%.bat%" or Process.CommandLine like r"%UsrLogon.cmd%" or Process.CommandLine like r"%C:\\WINDOWS\\Explorer.EXE%")) or (Process.Path like r"%\\Citrix\\System32\\icast.exe"))) or Process.CommandLine like r"%UserInitMprLogonScript%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Monitors Office applications (Word, Excel, PowerPoint, Access, Publisher, Equation Editor,
# Visio, WordPad, Word Viewer) spawning a LOLBin: regsvr32, rundll32, msiexec, mshta, verclsid,
# msdt or control.exe. This activity is suspicious and should be investigated.
RuleId = 23daeb52-e6eb-493c-8607-c4f0246cb7d8
RuleName = New Lolbin Process by Office Applications
EventType = Process.Start
Tag = proc-start-new-lolbin-process-by-office-applications
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"]}
Query = ((Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\verclsid.exe" or Process.Path like r"%\\msdt.exe" or Process.Path like r"%\\control.exe") and (Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\powerpnt.exe" or Parent.Path like r"%\\msaccess.exe" or Parent.Path like r"%\\mspub.exe" or Parent.Path like r"%\\eqnedt32.exe" or Parent.Path like r"%\\visio.exe" or Parent.Path like r"%\\wordpad.exe" or Parent.Path like r"%\\wordview.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Monitors LOLBin process creations by WmiPrvSE. Add more LOLBins to the rule logic if needed.
RuleId = 8a582fe2-0882-4b89-a82a-da6b2dc32937
RuleName = Lolbins Process Creation with WmiPrvse
EventType = Process.Start
Tag = proc-start-lolbins-process-creation-with-wmiprvse
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"]}
Query = ((Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\verclsid.exe") and Parent.Path like r"%\\wbem\\WmiPrvSE.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects when a user downloads a file by using CertOC.exe
RuleId = 70ad0861-d1fe-491c-a45f-fa48148a300d
RuleName = Suspicious File Download via CertOC.exe
EventType = Process.Start
Tag = proc-start-suspicious-file-download-via-certoc.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = ((Process.Path like r"%\\certoc.exe" or Process.Name == "CertOC.exe") and Process.CommandLine like r"%-GetCACAPS%")

[ActivityMonitoringRule]
# Detects Execution via SyncInvoke in CL_Invocation.ps1 module
RuleId = a0459f02-ac51-4c09-b511-b8c9203fc429
RuleName = Execution via CL_Invocation.ps1
EventType = Process.Start
Tag = proc-start-execution-via-cl_invocation.ps1
RiskScore = 75
Annotation = {"mitre_attack": ["T1216"]}
Query = (Process.CommandLine like r"%CL\_Invocation.ps1%" and Process.CommandLine like r"%SyncInvoke%")

[ActivityMonitoringRule]
# Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
RuleId = 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
RuleName = Xwizard DLL Sideloading
EventType = Process.Start
Tag = proc-start-xwizard-dll-sideloading
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (Process.Path like r"%\\xwizard.exe" and not (Process.Path like r"C:\\Windows\\System32\\%"))

[ActivityMonitoringRule]
# Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder. Note that the "accpeteula" command-line pattern in the query below looks like a misspelling of "accepteula"; confirm against the upstream rule, since a mistyped pattern will not match.
RuleId = 129966c9-de17-4334-a123-8b58172e664d
RuleName = Suspicious Dump64.exe Execution
EventType = Process.Start
Tag = proc-start-suspicious-dump64.exe-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.001"]}
Query = ((Process.Path like r"%\\dump64.exe" and not (Process.Path like r"%\\Installer\\Feedback\\dump64.exe%")) or (Process.Path like r"%\\dump64.exe" and (Process.CommandLine like r"% -ma %" or Process.CommandLine like r"%accpeteula%")))

[ActivityMonitoringRule]
# Detects execution of the IEExec utility to download payloads
RuleId = 9801abb8-e297-4dbf-9fbd-57dde0e830ad
RuleName = Abusing IEExec To Download Payloads
EventType = Process.Start
Tag = proc-start-abusing-ieexec-to-download-payloads
RiskScore = 75
Query = ((Process.Path like r"%\\IEExec.exe" or Process.Name == "IEExec.exe") and (Process.CommandLine like r"%https://%" or Process.CommandLine like r"%http://%"))

[ActivityMonitoringRule]
# Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
RuleId = 9c8c7000-3065-44a8-a555-79bcba5d9955
RuleName = Execute MSDT Via Answer File
EventType = Process.Start
Tag = proc-start-execute-msdt-via-answer-file
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\msdt.exe" and Process.CommandLine like r"%\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml%" and (Process.CommandLine like r"% -af %" or Process.CommandLine like r"% /af %")) and not (Parent.Path like r"%\\pcwrun.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
RuleId = 6004abd0-afa4-4557-ba90-49d172e0a299
RuleName = Execute Pcwrun.EXE To Leverage Follina
EventType = Process.Start
Tag = proc-start-execute-pcwrun.exe-to-leverage-follina
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\pcwrun.exe" and Process.CommandLine like r"%../%")

[ActivityMonitoringRule]
# Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
RuleId = cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
RuleName = PrintBrm ZIP Creation of Extraction
EventType = Process.Start
Tag = proc-start-printbrm-zip-creation-of-extraction
RiskScore = 75
Annotation = {"mitre_attack": ["T1105", "T1564.004"]}
Query = (Process.Path like r"%\\PrintBrm.exe" and Process.CommandLine like r"% -f%" and Process.CommandLine like r"%.zip%")

[ActivityMonitoringRule]
# Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
RuleId = 0f6da907-5854-4be6-859a-e9958747b0aa
RuleName = Suspicious LOLBIN AccCheckConsole
EventType = Process.Start
Tag = proc-start-suspicious-lolbin-acccheckconsole
RiskScore = 75
Query = ((Process.Path like r"%\\AccCheckConsole.exe" or Process.Name == "AccCheckConsole.exe") and (Process.CommandLine like r"% -window %" and Process.CommandLine like r"%.dll%"))

[ActivityMonitoringRule]
# Detects AtBroker executing non-default Assistive Technology applications
RuleId = f24bcaea-0cd1-11eb-adc1-0242ac120002
RuleName = Suspicious Atbroker Execution
EventType = Process.Start
Tag = proc-start-suspicious-atbroker-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%AtBroker.exe" and Process.CommandLine like r"%start%") and not ((Process.CommandLine like r"%animations%" or Process.CommandLine like r"%audiodescription%" or Process.CommandLine like r"%caretbrowsing%" or Process.CommandLine like r"%caretwidth%" or Process.CommandLine like r"%colorfiltering%" or Process.CommandLine like r"%cursorscheme%" or Process.CommandLine like r"%filterkeys%" or Process.CommandLine like r"%focusborderheight%" or Process.CommandLine like r"%focusborderwidth%" or Process.CommandLine like r"%highcontrast%" or Process.CommandLine like r"%keyboardcues%" or Process.CommandLine like r"%keyboardpref%" or Process.CommandLine like r"%magnifierpane%" or Process.CommandLine like r"%messageduration%" or Process.CommandLine like r"%minimumhitradius%" or Process.CommandLine like r"%mousekeys%" or Process.CommandLine like r"%Narrator%" or Process.CommandLine like r"%osk%" or Process.CommandLine like r"%overlappedcontent%" or Process.CommandLine like r"%showsounds%" or Process.CommandLine like r"%soundsentry%" or Process.CommandLine like r"%stickykeys%" or Process.CommandLine like r"%togglekeys%" or Process.CommandLine like r"%windowarranging%" or Process.CommandLine like r"%windowtracking%" or Process.CommandLine like r"%windowtrackingtimeout%" or Process.CommandLine like r"%windowtrackingzorder%")))

[ActivityMonitoringRule]
# Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
RuleId = 4480827a-9799-4232-b2c4-ccc6c4e9e12b
RuleName = Suspicious Certreq Command to Download
EventType = Process.Start
Tag = proc-start-suspicious-certreq-command-to-download
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = ((Process.Path like r"%\\certreq.exe" or Process.Name == "CertReq.exe") and (Process.CommandLine like r"% -Post %" and Process.CommandLine like r"% -config %" and Process.CommandLine like r"% http%" and Process.CommandLine like r"% C:\\windows\\win.ini %"))

[ActivityMonitoringRule]
# Detects suspicious execution of GrpConv, a utility for converting Windows 3.x .grp files, which can be abused by malicious software or actors for persistence
RuleId = f14e169e-9978-4c69-acb3-1cff8200bc36
RuleName = Suspicious GrpConv Execution
EventType = Process.Start
Tag = proc-start-suspicious-grpconv-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1547"]}
Query = (Process.CommandLine like r"%grpconv.exe -o%" or Process.CommandLine like r"%grpconv -o%")

[ActivityMonitoringRule]
# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
RuleId = 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
RuleName = Time Travel Debugging Utility Usage
EventType = Process.Start
Tag = proc-start-time-travel-debugging-utility-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1218", "T1003.001"]}
Query = Parent.Path like r"%\\tttracer.exe"
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
RuleId = 7b10f171-7f04-47c7-9fa2-5be43c76e535
RuleName = Visual Basic Command Line Compiler Usage
EventType = Process.Start
Tag = proc-start-visual-basic-command-line-compiler-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1027.004"]}
Query = (Parent.Path like r"%\\vbc.exe" and Process.Path like r"%\\cvtres.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the Winword process loading custom DLLs via the '/l' switch.
# Winword can be abused as a LOLBIN to download an arbitrary file or load arbitrary DLLs.
RuleId = 4ae3e30b-b03f-43aa-87e3-b622f4048eed
RuleName = Winword LOLBIN Usage
EventType = Process.Start
Tag = proc-start-winword-lolbin-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1202"]}
Query = ((Process.Path like r"%\\WINWORD.exe" or Process.Name == "WinWord.exe") and (Process.CommandLine like r"%/l %" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%"))

[ActivityMonitoringRule]
# Detects creation of dump files containing the memory space of lsass.exe, which holds sensitive credentials, including the use of Sysinternals procdump.exe to export that memory space.
RuleId = ffa6861c-4461-4f59-8a41-578c39f3f23e
RuleName = LSASS Memory Dumping
EventType = Process.Start
Tag = proc-start-lsass-memory-dumping
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.001"]}
Query = (((Process.CommandLine like r"%lsass%" and Process.CommandLine like r"%.dmp%") and not (Process.Path like r"%\\werfault.exe")) or (Process.Path like r"%\\procdump%" and Process.Path like r"%.exe" and Process.CommandLine like r"%lsass%"))

[ActivityMonitoringRule]
# Detects a command used by Conti to find volume shadow backups
RuleId = 7b30e0a7-c675-4b24-8a46-82fa67e2433d
RuleName = Conti Volume Shadow Listing
EventType = Process.Start
Tag = proc-start-conti-volume-shadow-listing
RiskScore = 75
Annotation = {"mitre_attack": ["T1587.001"]}
Query = (Process.CommandLine like r"%vssadmin list shadows%" and Process.CommandLine like r"%log.txt%")

[ActivityMonitoringRule]
# Detects a command used by Conti to exfiltrate NTDS
RuleId = aa92fd02-09f2-48b0-8a93-864813fb8f41
RuleName = Conti NTDS Exfiltration Command
EventType = Process.Start
Tag = proc-start-conti-ntds-exfiltration-command
RiskScore = 75
Annotation = {"mitre_attack": ["T1560"]}
Query = (Process.CommandLine like r"%7za.exe%" and Process.CommandLine like r"%\\C$\\temp\\log.zip%")

[ActivityMonitoringRule]
# Detects all Emotet like process executions that are not covered by the more generic rules
RuleId = d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
RuleName = Emotet Process Creation
EventType = Process.Start
Tag = proc-start-emotet-process-creation
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027"]}
Query = (Process.CommandLine like r"% -e% PAA%" or Process.CommandLine like r"%JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ%" or Process.CommandLine like r"%QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA%" or Process.CommandLine like r"%kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA%" or Process.CommandLine like r"%IgAoACcAKgAnACkAOwAkA%" or Process.CommandLine like r"%IAKAAnACoAJwApADsAJA%" or Process.CommandLine like r"%iACgAJwAqACcAKQA7ACQA%" or Process.CommandLine like r"%JABGAGwAeAByAGgAYwBmAGQ%" or Process.CommandLine like r"%PQAkAGUAbgB2ADoAdABlAG0AcAArACgA%" or Process.CommandLine like r"%0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA%" or Process.CommandLine like r"%9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA%")

[ActivityMonitoringRule]
# Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes that have command-line parameters.
RuleId = 032f5fb3-d959-41a5-9263-4173c802dc2b
RuleName = Formbook Process Creation
EventType = Process.Start
Tag = proc-start-formbook-process-creation
RiskScore = 75
Annotation = {"mitre_attack": ["T1587.001"]}
Query = (((Parent.CommandLine like r"C:\\Windows\\System32\\%" or Parent.CommandLine like r"C:\\Windows\\SysWOW64\\%") and Parent.CommandLine like r"%.exe") and ((Process.CommandLine like r"%/c%" and Process.CommandLine like r"%del%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\AppData\\Local\\Temp\\%") or (Process.CommandLine like r"%/c%" and Process.CommandLine like r"%del%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\Desktop\\%") or (Process.CommandLine like r"%/C%" and Process.CommandLine like r"%type nul >%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\Desktop\\%")) and Process.CommandLine like r"%.exe")
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects Ryuk ransomware activity
RuleId = c37510b8-2107-4b78-aa32-72f251e7a844
RuleName = Ryuk Ransomware
EventType = Process.Start
Tag = proc-start-ryuk-ransomware
RiskScore = 75
Annotation = {"mitre_attack": ["T1547.001"]}
Query = (Process.CommandLine like r"%Microsoft\\Windows\\CurrentVersion\\Run%" and Process.CommandLine like r"%C:\\users\\Public\\%")

[ActivityMonitoringRule]
# Detects wscript/cscript executions of scripts located in user directories
RuleId = cea72823-df4d-4567-950c-0b579eaf0846
RuleName = WScript or CScript Dropper
EventType = Process.Start
Tag = proc-start-wscript-or-cscript-dropper
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.005", "T1059.007"]}
Query = (((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%C:\\Users\\%" or Process.CommandLine like r"%C:\\ProgramData\\%") and (Process.CommandLine like r"%.jse%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.vba%" or Process.CommandLine like r"%.vbs%")) and not (Parent.Path like r"%\\winzip%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
RuleId = 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
RuleName = Trickbot Malware Activity
EventType = Process.Start
Tag = proc-start-trickbot-malware-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1559"]}
Query = (Process.Path like r"%\\wermgr.exe" and Parent.Path like r"%\\rundll32.exe" and Parent.CommandLine like r"%DllRegisterServer%")
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects javaw.exe in AppData folder as used by Adwind / JRAT
RuleId = 1fac1481-2dbc-48b2-9096-753c49b4ec71
RuleName = Adwind RAT / JRAT
EventType = Process.Start
Tag = proc-start-adwind-rat-/-jrat
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.005", "T1059.007"]}
Query = ((Process.CommandLine like r"%\\AppData\\Roaming\\Oracle%" and Process.CommandLine like r"%\\java%" and Process.CommandLine like r"%.exe %") or (Process.CommandLine like r"%cscript.exe%" and Process.CommandLine like r"%Retrive%" and Process.CommandLine like r"%.vbs %"))

[ActivityMonitoringRule]
# Attempts to detect system changes made by Blue Mockingbird
RuleId = c3198a27-23a0-4c2c-af19-e5328d49680e
RuleName = Blue Mockingbird
EventType = Process.Start
Tag = proc-start-blue-mockingbird
RiskScore = 75
Annotation = {"mitre_attack": ["T1112", "T1047"]}
Query = ((Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%sc config%" and Process.CommandLine like r"%wercplsupporte.dll%") or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%COR\_PROFILER"))

[ActivityMonitoringRule]
# This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
RuleId = 2f974656-6d83-4059-bbdf-68ac5403422f
RuleName = Hermetic Wiper TG Process Patterns
EventType = Process.Start
Tag = proc-start-hermetic-wiper-tg-process-patterns
RiskScore = 75
Query = (Process.Path like r"%\\policydefinitions\\postgresql.exe" or (Process.CommandLine like r"%CSIDL\_SYSTEM\_DRIVE\\temp\\sys.tmp%" or Process.CommandLine like r"% 1> \\127.0.0.1\\ADMIN$\\\_\_16%") or (Process.CommandLine like r"%powershell -c %" and Process.CommandLine like r"%\\comsvcs.dll MiniDump %" and Process.CommandLine like r"%\\winupd.log full%"))

[ActivityMonitoringRule]
# Detects process injection using the signed Windows tool Mavinject32.exe
RuleId = 17eb8e57-9983-420d-ad8a-2c4976c22eb8
RuleName = MavInject Process Injection
EventType = Process.Start
Tag = proc-start-mavinject-process-injection
RiskScore = 75
Annotation = {"mitre_attack": ["T1055.001", "T1218"]}
Query = Process.CommandLine like r"% /INJECTRUNNING %"

[ActivityMonitoringRule]
# Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
RuleId = 15619216-e993-4721-b590-4c520615a67d
RuleName = Meterpreter or Cobalt Strike Getsystem Service Start
EventType = Process.Start
Tag = proc-start-meterpreter-or-cobalt-strike-getsystem-service-start
RiskScore = 75
Annotation = {"mitre_attack": ["T1134.001", "T1134.002"]}
Query = ((Parent.Path like r"%\\services.exe" and ((Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%\%COMSPEC\%%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%.dll,a%" and Process.CommandLine like r"%/p:%"))) and not (Process.CommandLine like r"%MpCmdRun%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
RuleId = f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
RuleName = MMC20 Lateral Movement
EventType = Process.Start
Tag = proc-start-mmc20-lateral-movement
RiskScore = 75
Annotation = {"mitre_attack": ["T1021.003"]}
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mmc.exe" and Process.CommandLine like r"%-Embedding%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MMC
RuleId = 05a2ab7e-ce11-4b63-86db-ab32e763e11d
RuleName = MMC Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mmc-spawning-windows-shell
RiskScore = 75
Annotation = {"mitre_attack": ["T1021.003"]}
Query = (Parent.Path like r"%\\mmc.exe" and ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\BITSADMIN%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
RuleId = 258fc8ce-8352-443a-9120-8a11e4857fa5
RuleName = Execute Arbitrary Commands Using MSDT.EXE
EventType = Process.Start
Tag = proc-start-execute-arbitrary-commands-using-msdt.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1202"]}
Query = ((Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe") and (Process.CommandLine like r"%IT\_BrowseForFile=%" or (Process.CommandLine like r"% PCWDiagnostic%" and (Process.CommandLine like r"% /af %" or Process.CommandLine like r"% -af %"))))

[ActivityMonitoringRule]
# Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
RuleId = 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
RuleName = Execute MSDT.EXE Using Diagcab File
EventType = Process.Start
Tag = proc-start-execute-msdt.exe-using-diagcab-file
RiskScore = 75
Annotation = {"mitre_attack": ["T1202"]}
Query = ((Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe") and (Process.CommandLine like r"%/cab%" and Process.CommandLine like r"%.diagcab%"))

[ActivityMonitoringRule]
# Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
RuleId = 7a74da6b-ea76-47db-92cc-874ad90df734
RuleName = MSDT Executed with Suspicious Parent
EventType = Process.Start
Tag = proc-start-msdt-executed-with-suspicious-parent
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1218"]}
Query = ((Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\wsl.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\regsvr32.exe") and (Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet
RuleId = 94771a71-ba41-4b6e-a757-b531372eaab6
RuleName = Suspicious Minimized MSEdge Start
EventType = Process.Start
Tag = proc-start-suspicious-minimized-msedge-start
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = Process.CommandLine like r"%start /min msedge%"

[ActivityMonitoringRule]
# Identifies suspicious mshta.exe commands.
RuleId = 67f113fa-e23d-4271-befa-30113b3e08b1
RuleName = Mshta JavaScript Execution
EventType = Process.Start
Tag = proc-start-mshta-javascript-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.005"]}
Query = (Process.Path like r"%\\mshta.exe" and Process.CommandLine like r"%javascript%")

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MSHTA
RuleId = 03cc0c25-389f-4bf8-b48d-11878079f1ca
RuleName = MSHTA Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mshta-spawning-windows-shell
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.005"]}
Query = (Parent.Path like r"%\\mshta.exe" and ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\BITSADMIN%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects process injection using Microsoft Remote Assistance (msra.exe), which has been used for discovery and persistence tactics
RuleId = 744a188b-0415-4792-896f-11ddb0588dbc
RuleName = Msra.exe Process Injection
EventType = Process.Start
Tag = proc-start-msra.exe-process-injection
RiskScore = 75
Annotation = {"mitre_attack": ["T1055"]}
Query = (Parent.Path like r"%\\msra.exe" and Parent.CommandLine like r"%msra.exe" and (Process.Path like r"%\\arp.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\route.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\whoami.exe"))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
RuleId = e31033fc-33f0-4020-9a16-faf9b31cbf08
RuleName = Ncat Execution
EventType = Process.Start
Tag = proc-start-ncat-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1095"]}
Query = ((Process.Path like r"%\\ncat.exe" or Process.Path like r"%\\netcat.exe") or (Process.CommandLine like r"% -lvp %" or Process.CommandLine like r"% -lvnp%" or Process.CommandLine like r"% -l -v -p %" or Process.CommandLine like r"% -lv -p %" or Process.CommandLine like r"% -l --proxy-type http %" or Process.CommandLine like r"% --exec cmd.exe %" or Process.CommandLine like r"% -vnl --exec %"))

[ActivityMonitoringRule]
# Detects netsh commands that open port 3389, used for RDP, as seen in the Sarwent malware
RuleId = 01aeb693-138d-49d2-9403-c4f52d7d3d62
RuleName = Netsh RDP Port Opening
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-opening
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.004"]}
Query = ((Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%firewall add portopening%" and Process.CommandLine like r"%tcp 3389%") or (Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%advfirewall firewall add rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%protocol=TCP%" and Process.CommandLine like r"%localport=3389%"))

[ActivityMonitoringRule]
# Detects netsh commands that allow an application from a suspicious location through the Windows Firewall
RuleId = a35f5a72-f347-4e36-8895-9869b0d5fc6d
RuleName = Netsh Program Allowed with Suspcious Location
EventType = Process.Start
Tag = proc-start-netsh-program-allowed-with-suspcious-location
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.004"]}
Query = (((Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%allowedprogram%") or (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%advfirewall%" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%program=%")) and ((Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%:\\RECYCLER\\%" or Process.CommandLine like r"%C:\\$Recycle.bin\\%" or Process.CommandLine like r"%:\\SystemVolumeInformation\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%" or Process.CommandLine like r"%C:\\Temp\\%" or Process.CommandLine like r"%C:\\Users\\Public\\%" or Process.CommandLine like r"%C:\\Users\\Default\\%" or Process.CommandLine like r"%C:\\Users\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.CommandLine like r"%\\Local Settings\\Temporary Internet Files\\%") or (Process.CommandLine like r"C:\\Windows\\Tasks\\%" or Process.CommandLine like r"C:\\Windows\\debug\\%" or Process.CommandLine like r"C:\\Windows\\fonts\\%" or Process.CommandLine like r"C:\\Windows\\help\\%" or Process.CommandLine like r"C:\\Windows\\drivers\\%" or Process.CommandLine like r"C:\\Windows\\addins\\%" or Process.CommandLine like r"C:\\Windows\\cursors\\%" or Process.CommandLine like r"C:\\Windows\\system32\\tasks\\%" or Process.CommandLine like r"\%Public\%\\%")))

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding of port 3389 used for RDP
RuleId = 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
RuleName = Netsh RDP Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-forwarding
RiskScore = 75
Annotation = {"mitre_attack": ["T1090"]}
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%i%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"%=3389%" and Process.CommandLine like r"% c%")

[ActivityMonitoringRule]
# Detects creation of local users via the net.exe command with the option "never expire"
RuleId = b9f0e6f5-09b4-4358-bae4-08408705bd5c
RuleName = Net.exe User Account Creation - Never Expire
EventType = Process.Start
Tag = proc-start-net.exe-user-account-creation-never-expire
RiskScore = 75
Annotation = {"mitre_attack": ["T1136.001"]}
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%expires:never%")

[ActivityMonitoringRule]
# Detects the initial execution of a malicious document calling WMIC to execute the payload with regsvr32
RuleId = 518643ba-7d9c-4fa5-9f37-baed36059f6a
RuleName = Office Applications Spawning Wmi Cli
EventType = Process.Start
Tag = proc-start-office-applications-spawning-wmi-cli
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"]}
Query = ((Process.Path like r"%\\wbem\\WMIC.exe" or Process.Name == "wmic.exe") and (Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\powerpnt.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects Office Applications executing a Windows child process including directory traversal patterns
RuleId = 868955d9-697e-45d4-a3da-360cefd7c216
RuleName = Office Directory Traversal CommandLine
EventType = Process.Start
Tag = proc-start-office-directory-traversal-commandline
RiskScore = 75
Query = ((Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\powerpnt.exe" or Parent.Path like r"%\\msaccess.exe" or Parent.Path like r"%\\mspub.exe" or Parent.Path like r"%\\eqnedt32.exe" or Parent.Path like r"%\\visio.exe") and (Process.Path like r"%\\Windows\\System32\\%" or Process.Path like r"%\\Windows\\SysWOW64\\%") and (Process.CommandLine like r"../../../.." or Process.CommandLine like r"..\\..\\..\\.." or Process.CommandLine like r"..//..//..//.."))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Excel called WMIC to proxy-execute regsvr32 with the payload. The attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin), but the command line in the event allows us to "restore" this parent-child chain and detect it. Monitors process creation with "wmic process call create" and LOLBins in the command line where the parent is an Office application process.
RuleId = 9d1c72f5-43f0-4da5-9320-648cf2099dd0
RuleName = Excel Proxy Executing Regsvr32 With Payload
EventType = Process.Start
Tag = proc-start-excel-proxy-executing-regsvr32-with-payload
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"]}
Query = ((Process.Path like r"%\\wbem\\WMIC.exe" or Process.Name == "wmic.exe") and ((Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%msiexec%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%verclsid%") and (Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\powerpnt.exe") and Process.CommandLine like r"%process%" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%call%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Excel called WMIC to proxy-execute regsvr32 with the payload. The attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin), but the command line in the event allows us to "restore" this parent-child chain and detect it. Monitors process creation with "wmic process call create" and LOLBins in the command line where the parent is an Office application process. Note that this rule carries the same RuleName and Tag as the preceding rule and differs only in its RuleId and query, so matches from the two rules are indistinguishable by tag.
RuleId = c0e1c3d5-4381-4f18-8145-2583f06a1fe5
RuleName = Excel Proxy Executing Regsvr32 With Payload
EventType = Process.Start
Tag = proc-start-excel-proxy-executing-regsvr32-with-payload
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"]}
Query = ((Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%msiexec%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%verclsid%") and (Process.Path like r"%\\wbem\\WMIC.exe" or Process.CommandLine like r"%wmic %") and (Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\powerpnt.exe") and (Process.CommandLine like r"%process%" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%call%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, PowerPoint, Publisher, Visio, Access or the Equation Editor (eqnedt32)
# NOTE(review): the parent image names here are upper-case (WINWORD.EXE, EXCEL.EXE, ...) while RuleId 9d1c72f5-43f0-4da5-9320-648cf2099dd0 and 04f5363a-6bca-42ff-be70-0d28bf629ead match the same parents in lower-case; whether "like" compares case-insensitively is not established in this file — confirm, as a case-sensitive match would miss one of the two spellings.
RuleId = 438025f9-5856-4663-83f7-52f878a70a50
RuleName = Microsoft Office Product Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-microsoft-office-product-spawning-windows-shell
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = ((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\MSACCESS.EXE" or Parent.Path like r"%\\EQNEDT32.EXE") and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\msbuild.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Initial execution of a malicious document calls wmic to execute the file with regsvr32
# The query itself only requires a \wbem\WMIC.exe image (or a "wmic " command-line substring) under one of seven Office parents; regsvr32 is not part of this match — the stricter wmic+LOLBin check is in the two "Excel Proxy Executing Regsvr32 With Payload" rules above.
RuleId = 04f5363a-6bca-42ff-be70-0d28bf629ead
RuleName = Office Applications Spawning Wmi Cli
EventType = Process.Start
Tag = proc-start-office-applications-spawning-wmi-cli
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"]}
Query = ((Process.Path like r"%\\wbem\\WMIC.exe" or Process.CommandLine like r"%wmic %") and (Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\powerpnt.exe" or Parent.Path like r"%\\msaccess.exe" or Parent.Path like r"%\\mspub.exe" or Parent.Path like r"%\\eqnedt32.exe" or Parent.Path like r"%\\visio.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects an executable in the users directory started from Microsoft Word, Excel, PowerPoint, Publisher, Visio, Access or the Equation Editor
# Child image must start with C:\users\ and end in .exe; Teams.exe is excluded.
# NOTE(review): the drive letter is hard-coded (C:\users\), so profiles located on another drive would not match — confirm this is acceptable for the deployment.
RuleId = aa3a6f94-890e-4e22-b634-ffdfd54792cc
RuleName = MS Office Product Spawning Exe in User Dir
EventType = Process.Start
Tag = proc-start-ms-office-product-spawning-exe-in-user-dir
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = (((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\MSACCESS.exe" or Parent.Path like r"%\\EQNEDT32.exe") and Process.Path like r"C:\\users\\%" and Process.Path like r"%.exe") and not (Process.Path like r"%\\Teams.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a Windows command and scripting interpreter executable started from Microsoft Outlook
# Same child-image list as RuleId 438025f9-5856-4663-83f7-52f878a70a50 but with msdt.exe added and rundll32.exe absent; the parent pattern is the upper-case OUTLOOK.EXE (see the case-sensitivity note on that rule).
RuleId = 208748f7-881d-47ac-a29c-07ea84bf691d
RuleName = Microsoft Outlook Product Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-microsoft-outlook-product-spawning-windows-shell
RiskScore = 75
Annotation = {"mitre_attack": ["T1204.002"]}
Query = (Parent.Path like r"%\\OUTLOOK.EXE" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\msdt.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
# Requires a parent image ending in updata.exe and all four substrings "config", "msdtc", "start" and "auto" in the child command line.
RuleId = b2400ffb-7680-47c0-b08a-098a7de7e7a9
RuleName = Pingback Backdoor
EventType = Process.Start
Tag = proc-start-pingback-backdoor
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.001"]}
Query = (Parent.Path like r"%updata.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%msdtc%" and Process.CommandLine like r"%start%" and Process.CommandLine like r"%auto%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
# Each or-term pairs one side-load host image name with the directories it is expected in; the rule fires when such an image runs from anywhere else.
# NOTE(review): "\_" in chrome\_frame\_helper.exe presumably escapes the underscore so it is matched literally rather than as a single-character wildcard — confirm against the query-language documentation.
# Only Process.Path is referenced, so no GenericProperty1 is set (consistent with the other rules in this file that do not use Parent.* fields).
RuleId = aeab5ec5-be14-471a-80e8-e344418305c2
RuleName = Executable Used by PlugX in Uncommon Location
EventType = Process.Start
Tag = proc-start-executable-used-by-plugx-in-uncommon-location
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = ((((((((((((Process.Path like r"%\\CamMute.exe" and not ((Process.Path like r"%\\Lenovo\\Communication Utility\\%" or Process.Path like r"%\\Lenovo\\Communications Utility\\%"))) or (Process.Path like r"%\\chrome\_frame\_helper.exe" and not (Process.Path like r"%\\Google\\Chrome\\application\\%"))) or (Process.Path like r"%\\dvcemumanager.exe" and not (Process.Path like r"%\\Microsoft Device Emulator\\%"))) or (Process.Path like r"%\\Gadget.exe" and not (Process.Path like r"%\\Windows Media Player\\%"))) or (Process.Path like r"%\\hcc.exe" and not (Process.Path like r"%\\HTML Help Workshop\\%"))) or (Process.Path like r"%\\hkcmd.exe" and not ((Process.Path like r"%\\System32\\%" or Process.Path like r"%\\SysNative\\%" or Process.Path like r"%\\SysWow64\\%")))) or (Process.Path like r"%\\Mc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%")))) or (Process.Path like r"%\\MsMpEng.exe" and not ((Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Windows Defender\\%" or Process.Path like r"%\\AntiMalware\\%")))) or (Process.Path like r"%\\msseces.exe" and not ((Process.Path like r"%\\Microsoft Security Center\\%" or Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Microsoft Security Essentials\\%")))) or (Process.Path like r"%\\OInfoP11.exe" and not (Process.Path like r"%\\Common Files\\Microsoft Shared\\%"))) or (Process.Path like r"%\\OleView.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%")))) or (Process.Path like r"%\\rc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%" or Process.Path like r"%\\Microsoft.NET\\%"))))

[ActivityMonitoringRule]
# Detects references to amsiInitFailed in System.Management.Automation.AmsiUtils, which can be used to disable AMSI scanning
# Both substrings must appear in the command line; no image restriction, so any process that passes this text on its command line matches.
RuleId = 30edb182-aa75-42c0-b0a9-e998bb29067c
RuleName = Powershell AMSI Bypass via .NET Reflection
EventType = Process.Start
Tag = proc-start-powershell-amsi-bypass-via-.net-reflection
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.CommandLine like r"%System.Management.Automation.AmsiUtils%" and Process.CommandLine like r"%amsiInitFailed%")

[ActivityMonitoringRule]
# Detects downloads via BITS jobs started from PowerShell (Start-BitsTransfer in the command line of powershell.exe or pwsh.exe)
RuleId = f67dbfce-93bc-440d-86ad-a95ae8858c90
RuleName = Suspicious Bitsadmin Job via PowerShell
EventType = Process.Start
Tag = proc-start-suspicious-bitsadmin-job-via-powershell
RiskScore = 75
Annotation = {"mitre_attack": ["T1197"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Start-BitsTransfer%")

[ActivityMonitoringRule]
# Detects the specific encoding method of cOnvErTTO-SECUreStRIng in PowerShell command lines
# NOTE(review): the query matches the literal spelling ConvertTo-SecureString; the mixed-case variant named in the description is only caught if "like" compares case-insensitively, which this file does not establish — confirm.
RuleId = 74403157-20f5-415d-89a7-c505779585cf
RuleName = Encoded PowerShell Command Line Usage of ConvertTo-SecureString
EventType = Process.Start
Tag = proc-start-encoded-powershell-command-line-usage-of-convertto-securestring
RiskScore = 75
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%ConvertTo-SecureString%")

[ActivityMonitoringRule]
# Detects PowerShell command lines containing reversed strings
# Each token is a reversed keyword (e.g. "ssecorp" = "process", "llehsrewop" = "powershell"); command lines containing -EncodedCommand are excluded.
# NOTE(review): some tokens are short (e.g. "tneilc", "ptth", "rahc") and may occur inside ordinary words; review for false positives before relying on the RiskScore.
RuleId = b6b49cd1-34d6-4ead-b1bf-176e9edba9a4
RuleName = Suspicious PowerShell Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-powershell-cmdline
RiskScore = 75
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = (((Process.Path like r"%powershell.exe" or Process.Path like r"%pwsh.exe") and (Process.CommandLine like r"%hctac%" or Process.CommandLine like r"%kaerb%" or Process.CommandLine like r"%dnammoc%" or Process.CommandLine like r"%ekovn%" or Process.CommandLine like r"%eliFd%" or Process.CommandLine like r"%rahc%" or Process.CommandLine like r"%etirw%" or Process.CommandLine like r"%golon%" or Process.CommandLine like r"%tninon%" or Process.CommandLine like r"%eddih%" or Process.CommandLine like r"%tpircS%" or Process.CommandLine like r"%ssecorp%" or Process.CommandLine like r"%llehsrewop%" or Process.CommandLine like r"%esnopser%" or Process.CommandLine like r"%daolnwod%" or Process.CommandLine like r"%tneilCbeW%" or Process.CommandLine like r"%tneilc%" or Process.CommandLine like r"%ptth%" or Process.CommandLine like r"%elifotevas%" or Process.CommandLine like r"%46esab%" or Process.CommandLine like r"%htaPpmeTteG%" or Process.CommandLine like r"%tcejbO%" or Process.CommandLine like r"%maerts%" or Process.CommandLine like r"%hcaerof%" or Process.CommandLine like r"%ekovni%" or Process.CommandLine like r"%retupmoc%")) and not ((Process.CommandLine like r"%-EncodedCommand%")))

[ActivityMonitoringRule]
# Detects base64 encoded PowerShell code that modifies Windows Defender
# The first group holds the three base64 alignments of "Add-MpPreference " / "Set-MpPreference " (upper- and lower-case) encoded as ASCII; the second group appears to hold the same strings encoded as UTF-16LE (e.g. QQBkAGQA decodes to "A\0d\0d\0").
# NOTE(review): the two groups are joined with "and", so a command line must contain both an ASCII-base64 and a UTF-16LE-base64 form of the cmdlet to match. A single -EncodedCommand blob contains only one encoding, so as written this rule is unlikely to fire — confirm against the Sigma source whether "or" was intended.
RuleId = c6fb44c6-71f5-49e6-9462-1425d328aee3
RuleName = Powershell Defender Base64 MpPreference
EventType = Process.Start
Tag = proc-start-powershell-defender-base64-mppreference
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.CommandLine like r"%QWRkLU1wUHJlZmVyZW5jZS%" or Process.CommandLine like r"%FkZC1NcFByZWZlcmVuY2Ug%" or Process.CommandLine like r"%BZGQtTXBQcmVmZXJlbmNlI%" or Process.CommandLine like r"%U2V0LU1wUHJlZmVyZW5jZS%" or Process.CommandLine like r"%NldC1NcFByZWZlcmVuY2Ug%" or Process.CommandLine like r"%TZXQtTXBQcmVmZXJlbmNlI%" or Process.CommandLine like r"%YWRkLW1wcHJlZmVyZW5jZS%" or Process.CommandLine like r"%FkZC1tcHByZWZlcmVuY2Ug%" or Process.CommandLine like r"%hZGQtbXBwcmVmZXJlbmNlI%" or Process.CommandLine like r"%c2V0LW1wcHJlZmVyZW5jZS%" or Process.CommandLine like r"%NldC1tcHByZWZlcmVuY2Ug%" or Process.CommandLine like r"%zZXQtbXBwcmVmZXJlbmNlI%") and (Process.CommandLine like r"%QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA%"))

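[ActivityMonitoringRule]
# Detects requests to disable Microsoft Defender features using PowerShell commands
# Branch 1 (plain text): Add-/Set-MpPreference with one of the four Disable* switches set to $true or " 1 ".
# Branch 2 (encoded): base64 alignments of the four Disable* switch names, ASCII in the first group and (apparently) UTF-16LE in the second.
# Defect fixed: the Query value was broken across three lines at "... like " / "r\"%..." boundaries; an INI key must hold its whole value on one line, otherwise the rule is truncated or rejected by the parser. Rejoined without changing any pattern.
# NOTE(review): as in RuleId c6fb44c6-71f5-49e6-9462-1425d328aee3, the ASCII-base64 and UTF-16LE-base64 groups of branch 2 are joined with "and", so a single -EncodedCommand blob (which carries only one encoding) cannot satisfy it — confirm against the Sigma source whether "or" was intended.
RuleId = 1ec65a5f-9473-4f12-97da-622044d6df21
RuleName = Powershell Defender Disable Scan Feature
EventType = Process.Start
Tag = proc-start-powershell-defender-disable-scan-feature
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (((Process.CommandLine like r"%Add-MpPreference %" or Process.CommandLine like r"%Set-MpPreference %") and (Process.CommandLine like r"%DisableRealtimeMonitoring %" or Process.CommandLine like r"%DisableIOAVProtection %" or Process.CommandLine like r"%DisableBehaviorMonitoring %" or Process.CommandLine like r"%DisableBlockAtFirstSeen %") and (Process.CommandLine like r"%$true%" or Process.CommandLine like r"% 1 %")) or ((Process.CommandLine like r"%RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg%" or Process.CommandLine like r"%EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI%" or Process.CommandLine like r"%RGlzYWJsZUlPQVZQcm90ZWN0aW9uI%" or Process.CommandLine like r"%Rpc2FibGVJT0FWUHJvdGVjdGlvbi%" or Process.CommandLine like r"%EaXNhYmxlSU9BVlByb3RlY3Rpb24g%" or Process.CommandLine like r"%RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg%" or Process.CommandLine like r"%EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI%" or Process.CommandLine like r"%RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g%" or Process.CommandLine like r"%Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI%" or Process.CommandLine like r"%EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi%" or Process.CommandLine like r"%ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg%" or Process.CommandLine like r"%kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI%" or Process.CommandLine like r"%ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI%" or Process.CommandLine like r"%Rpc2FibGVpb2F2cHJvdGVjdGlvbi%" or Process.CommandLine like r"%kaXNhYmxlaW9hdnByb3RlY3Rpb24g%" or Process.CommandLine like r"%ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg%" or Process.CommandLine like r"%kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI%" or Process.CommandLine like r"%ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g%" or Process.CommandLine like r"%Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI%" or Process.CommandLine like r"%kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi%") and (Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA%")))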

[ActivityMonitoringRule]
# Detects attackers attempting to disable Windows Defender using PowerShell or the sc service-control utility
# Branch 1: powershell.exe/pwsh.exe with -DisableBehaviorMonitoring $true or -DisableRuntimeMonitoring $true. Branches 2 and 3 have no image restriction: "sc" + "stop" + "WinDefend", or "sc" + "config" + "WinDefend" + "start=disabled".
# NOTE(review): "%sc%" is a two-letter substring that occurs in many ordinary command lines (e.g. "script"), so branches 2/3 are effectively "stop"+"WinDefend" and "config"+"WinDefend"+"start=disabled".
# NOTE(review): "-DisableRuntimeMonitoring" differs from the "DisableRealtimeMonitoring" parameter matched by RuleId 1ec65a5f-9473-4f12-97da-622044d6df21 — confirm which spelling is intended.
RuleId = a7ee1722-c3c5-aeff-3212-c777e4733217
RuleName = Powershell Used To Disable Windows Defender AV Security Monitoring
EventType = Process.Start
Tag = proc-start-powershell-used-to-disable-windows-defender-av-security-monitoring
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%-DisableBehaviorMonitoring $true%" or Process.CommandLine like r"%-DisableRuntimeMonitoring $true%")) or (Process.CommandLine like r"%sc%" and Process.CommandLine like r"%stop%" and Process.CommandLine like r"%WinDefend%") or (Process.CommandLine like r"%sc%" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%WinDefend%" and Process.CommandLine like r"%start=disabled%"))

[ActivityMonitoringRule]
# Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitively)
# Covers four spacing variants of IEX (New-Object Net.WebClient).DownloadString plus "-command"/"-c" followed by (New-Object System.Net.WebClient).DownloadFile(; no image restriction.
RuleId = e6c54d94-498c-4562-a37c-b469d8e9a275
RuleName = Suspicious PowerShell Download and Execute Pattern
EventType = Process.Start
Tag = proc-start-suspicious-powershell-download-and-execute-pattern
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = (Process.CommandLine like r"%IEX ((New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX (New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX((New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX(New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"% -command (New-Object System.Net.WebClient).DownloadFile(%" or Process.CommandLine like r"% -c (New-Object System.Net.WebClient).DownloadFile(%")

[ActivityMonitoringRule]
# Detects suspicious FromBase64String expressions in command line arguments
# No image restriction: any process whose command line contains "::FromBase64String(" matches.
RuleId = e32d4572-9826-4738-b651-95fa63747e8a
RuleName = FromBase64String Command Line
EventType = Process.Start
Tag = proc-start-frombase64string-command-line
RiskScore = 75
Annotation = {"mitre_attack": ["T1027", "T1140", "T1059.001"]}
Query = Process.CommandLine like r"%::FromBase64String(%"

[ActivityMonitoringRule]
# This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
# Matches powershell.exe/pwsh.exe whose command line has -f, -fi, -fil or -file followed by C:\Users\Public, "C:\Users\Public (quoted) or the %Public% environment variable form.
# NOTE(review): "\%" in the %Public% patterns presumably escapes the percent sign so it is matched literally instead of acting as the wildcard — confirm against the query-language documentation.
RuleId = fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
RuleName = Execution of Powershell Script in Public Folder
EventType = Process.Start
Tag = proc-start-execution-of-powershell-script-in-public-folder
RiskScore = 75
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%-f C:\\Users\\Public%" or Process.CommandLine like r"%-f \"C:\\Users\\Public%" or Process.CommandLine like r"%-f \%Public\%%" or Process.CommandLine like r"%-fi C:\\Users\\Public%" or Process.CommandLine like r"%-fi \"C:\\Users\\Public%" or Process.CommandLine like r"%-fi \%Public\%%" or Process.CommandLine like r"%-fil C:\\Users\\Public%" or Process.CommandLine like r"%-fil \"C:\\Users\\Public%" or Process.CommandLine like r"%-fil \%Public\%%" or Process.CommandLine like r"%-file C:\\Users\\Public%" or Process.CommandLine like r"%-file \"C:\\Users\\Public%" or Process.CommandLine like r"%-file \%Public\%%"))

[ActivityMonitoringRule]
# Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
# NOTE(review): the pattern is all lower-case (new-object system.net.sockets.tcpclient); matching the usual mixed-case spelling depends on "like" being case-insensitive, which this file does not establish — confirm.
RuleId = edc2f8ae-2412-4dfd-b9d5-0c57727e70be
RuleName = Powershell Reverse Shell Connection
EventType = Process.Start
Tag = proc-start-powershell-reverse-shell-connection
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%new-object system.net.sockets.tcpclient%")

[ActivityMonitoringRule]
# Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as used by HAFNIUM
# NOTE(review): the pattern is all lower-case (add-pssnapin microsoft.exchange.powershell.snapin); matching the usual mixed-case spelling depends on "like" being case-insensitive — confirm.
RuleId = 25676e10-2121-446e-80a4-71ff8506af47
RuleName = Exchange PowerShell Snap-Ins Used by HAFNIUM
EventType = Process.Start
Tag = proc-start-exchange-powershell-snap-ins-used-by-hafnium
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1114"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%add-pssnapin microsoft.exchange.powershell.snapin%")

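[ActivityMonitoringRule]
# Detects suspicious PowerShell invocation with a parameter substring
# Enumerates abbreviated forms of -windowstyle hidden, -NoProfile, -NonInteractive, -EncodedCommand and -ExecutionPolicy bypass, each with a "-" and a "/" prefix, on powershell.exe or pwsh.exe.
# Defect fixed: the Query value was broken across three lines (at "Process.CommandLine" / "like r\"..." and "or" / "Process.CommandLine" boundaries); an INI key must hold its whole value on one line, otherwise the rule is truncated or rejected by the parser. Rejoined without changing any pattern.
RuleId = 36210e0d-5b19-485d-a087-c096088885f0
RuleName = Suspicious PowerShell Parameter Substring
EventType = Process.Start
Tag = proc-start-suspicious-powershell-parameter-substring
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -windowstyle h %" or Process.CommandLine like r"% -windowstyl h%" or Process.CommandLine like r"% -windowsty h%" or Process.CommandLine like r"% -windowst h%" or Process.CommandLine like r"% -windows h%" or Process.CommandLine like r"% -windo h%" or Process.CommandLine like r"% -wind h%" or Process.CommandLine like r"% -win h%" or Process.CommandLine like r"% -wi h%" or Process.CommandLine like r"% -win h %" or Process.CommandLine like r"% -win hi %" or Process.CommandLine like r"% -win hid %" or Process.CommandLine like r"% -win hidd %" or Process.CommandLine like r"% -win hidde %" or Process.CommandLine like r"% -NoPr %" or Process.CommandLine like r"% -NoPro %" or Process.CommandLine like r"% -NoProf %" or Process.CommandLine like r"% -NoProfi %" or Process.CommandLine like r"% -NoProfil %" or Process.CommandLine like r"% -nonin %" or Process.CommandLine like r"% -nonint %" or Process.CommandLine like r"% -noninte %" or Process.CommandLine like r"% -noninter %" or Process.CommandLine like r"% -nonintera %" or Process.CommandLine like r"% -noninterac %" or Process.CommandLine like r"% -noninteract %" or Process.CommandLine like r"% -noninteracti %" or Process.CommandLine like r"% -noninteractiv %" or Process.CommandLine like r"% -ec %" or Process.CommandLine like r"% -encodedComman %" or Process.CommandLine like r"% -encodedComma %" or Process.CommandLine like r"% -encodedComm %" or Process.CommandLine like r"% -encodedCom %" or Process.CommandLine like r"% -encodedCo %" or Process.CommandLine like r"% -encodedC %" or Process.CommandLine like r"% -encoded %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% -encod %" or Process.CommandLine like r"% -enco %" or Process.CommandLine like r"% -en %" or Process.CommandLine like r"% -executionpolic %" or Process.CommandLine like r"% -executionpoli %" or Process.CommandLine like r"% -executionpol %" or Process.CommandLine like r"% -executionpo %" or Process.CommandLine like r"% -executionp %" or Process.CommandLine like r"% -execution bypass%" or Process.CommandLine like r"% -executio bypass%" or Process.CommandLine like r"% -executi bypass%" or Process.CommandLine like r"% -execut bypass%" or Process.CommandLine like r"% -execu bypass%" or Process.CommandLine like r"% -exec bypass%" or Process.CommandLine like r"% -exe bypass%" or Process.CommandLine like r"% -ex bypass%" or Process.CommandLine like r"% -ep bypass%" or Process.CommandLine like r"% /windowstyle h %" or Process.CommandLine like r"% /windowstyl h%" or Process.CommandLine like r"% /windowsty h%" or Process.CommandLine like r"% /windowst h%" or Process.CommandLine like r"% /windows h%" or Process.CommandLine like r"% /windo h%" or Process.CommandLine like r"% /wind h%" or Process.CommandLine like r"% /win h%" or Process.CommandLine like r"% /wi h%" or Process.CommandLine like r"% /win h %" or Process.CommandLine like r"% /win hi %" or Process.CommandLine like r"% /win hid %" or Process.CommandLine like r"% /win hidd %" or Process.CommandLine like r"% /win hidde %" or Process.CommandLine like r"% /NoPr %" or Process.CommandLine like r"% /NoPro %" or Process.CommandLine like r"% /NoProf %" or Process.CommandLine like r"% /NoProfi %" or Process.CommandLine like r"% /NoProfil %" or Process.CommandLine like r"% /nonin %" or Process.CommandLine like r"% /nonint %" or Process.CommandLine like r"% /noninte %" or Process.CommandLine like r"% /noninter %" or Process.CommandLine like r"% /nonintera %" or Process.CommandLine like r"% /noninterac %" or Process.CommandLine like r"% /noninteract %" or Process.CommandLine like r"% /noninteracti %" or Process.CommandLine like r"% /noninteractiv %" or Process.CommandLine like r"% /ec %" or Process.CommandLine like r"% /encodedComman %" or Process.CommandLine like r"% /encodedComma %" or Process.CommandLine like r"% /encodedComm %" or Process.CommandLine like r"% /encodedCom %" or Process.CommandLine like r"% /encodedCo %" or Process.CommandLine like r"% /encodedC %" or Process.CommandLine like r"% /encoded %" or Process.CommandLine like r"% /encode %" or Process.CommandLine like r"% /encod %" or Process.CommandLine like r"% /enco %" or Process.CommandLine like r"% /en %" or Process.CommandLine like r"% /executionpolic %" or Process.CommandLine like r"% /executionpoli %" or Process.CommandLine like r"% /executionpol %" or Process.CommandLine like r"% /executionpo %" or Process.CommandLine like r"% /executionp %" or Process.CommandLine like r"% /execution bypass%" or Process.CommandLine like r"% /executio bypass%" or Process.CommandLine like r"% /executi bypass%" or Process.CommandLine like r"% /execut bypass%" or Process.CommandLine like r"% /execu bypass%" or Process.CommandLine like r"% /exec bypass%" or Process.CommandLine like r"% /exe bypass%" or Process.CommandLine like r"% /ex bypass%" or Process.CommandLine like r"% /ep bypass%"))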

[ActivityMonitoringRule]
# Detects the creation of a scheduled task via the PowerSploit or Empire default configuration.
# Requires a PowerShell parent, a schtasks.exe child and the /Create, /SC, /TN, /TR, "Updater" and "powershell" substrings.
# NOTE(review): "%Updater%" is already required unconditionally, so the trailing or-group (ONLOGON / DAILY / ONIDLE / Updater) is always satisfied and adds no constraint; if the schedule keywords were meant to narrow the match, the duplicated Updater term should be dropped from that group.
RuleId = 56c217c3-2de2-479b-990f-5c109ba8458f
RuleName = Default PowerSploit and Empire Schtasks Persistence
EventType = Process.Start
Tag = proc-start-default-powersploit-and-empire-schtasks-persistence
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005", "T1059.001"]}
Query = ((Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%/SC%" and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%Updater%" and Process.CommandLine like r"%/TR%" and Process.CommandLine like r"%powershell%" and (Process.CommandLine like r"%ONLOGON%" or Process.CommandLine like r"%DAILY%" or Process.CommandLine like r"%ONIDLE%" or Process.CommandLine like r"%Updater%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed, or a dump file is moved or copied to a different name
# Three branches: "copy procdump"/"move procdump"; "copy " with ".dmp " and one of 2.dmp / lsass / out.dmp; "copy lsass.exe_"/"move lsass.exe_" (the "\_" presumably makes the underscore literal — confirm).
RuleId = 79b06761-465f-4f88-9ef2-150e24d3d737
RuleName = Procdump Evasion
EventType = Process.Start
Tag = proc-start-procdump-evasion
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = ((Process.CommandLine like r"%copy procdump%" or Process.CommandLine like r"%move procdump%") or (Process.CommandLine like r"%copy %" and Process.CommandLine like r"%.dmp %" and (Process.CommandLine like r"%2.dmp%" or Process.CommandLine like r"%lsass%" or Process.CommandLine like r"%out.dmp%")) or (Process.CommandLine like r"%copy lsass.exe\_%" or Process.CommandLine like r"%move lsass.exe\_%"))

[ActivityMonitoringRule]
# Detects a process memory dump performed by RdrLeakDiag.exe
# Exact Process.Name match plus a "fullmemdmp" command-line substring.
# NOTE(review): RuleId 6355a919-2e97-4285-a673-74645566340d below also matches rdrleakdiag.exe with /fullmemdmp, so one dump typically triggers both rules.
RuleId = edadb1e5-5919-4e4c-8462-a9e643b02c4b
RuleName = Process Dump via RdrLeakDiag.exe
EventType = Process.Start
Tag = proc-start-process-dump-via-rdrleakdiag.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.001"]}
Query = (Process.Name == "RdrLeakDiag.exe" and Process.CommandLine like r"%fullmemdmp%")

[ActivityMonitoringRule]
# Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
# Branch 1: comsvcs.dll / rundll32 / .dmp in the command line together with #24, #+24 or MiniDump and " full". Branch 2: the "#-4294967272" ordinal spelling matches on its own.
RuleId = 646ea171-dded-4578-8a4d-65e9822892e3
RuleName = Process Dump via Rundll32 and Comsvcs.dll
EventType = Process.Start
Tag = proc-start-process-dump-via-rundll32-and-comsvcs.dll
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = (((Process.CommandLine like r"%comsvcs.dll%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%.dmp%") and (Process.CommandLine like r"%#24%" or Process.CommandLine like r"%#+24%" or Process.CommandLine like r"%MiniDump%") and Process.CommandLine like r"% full%") or Process.CommandLine like r"%#-4294967272%")

[ActivityMonitoringRule]
# Detects uses of the createdump.exe LOLBIN utility to dump process memory
# Branch 1: createdump.exe image with " -u " and " -f ". Branch 2 (no image restriction, catches renamed copies): " -u -f " together with ".dmp ".
RuleId = 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
RuleName = CreateDump Process Dump
EventType = Process.Start
Tag = proc-start-createdump-process-dump
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = ((Process.Path like r"%\\createdump.exe" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -f %") or (Process.CommandLine like r"% -u -f %" and Process.CommandLine like r"%.dmp %"))

[ActivityMonitoringRule]
# Detects uses of the rdrleakdiag.exe LOLBIN utility to dump process memory
# Branch 1: rdrleakdiag.exe image with /fullmemdmp. Branch 2 (no image restriction, catches renamed copies): /fullmemdmp together with " /o " and " /p ".
# NOTE(review): overlaps with RuleId edadb1e5-5919-4e4c-8462-a9e643b02c4b above (Process.Name == "RdrLeakDiag.exe" + fullmemdmp); expect both to fire on the same event.
RuleId = 6355a919-2e97-4285-a673-74645566340d
RuleName = RdrLeakDiag Process Dump
EventType = Process.Start
Tag = proc-start-rdrleakdiag-process-dump
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = ((Process.Path like r"%\\rdrleakdiag.exe" and Process.CommandLine like r"%/fullmemdmp%") or (Process.CommandLine like r"%/fullmemdmp%" and Process.CommandLine like r"% /o %" and Process.CommandLine like r"% /p %"))

[ActivityMonitoringRule]
# Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
# Matches wuauclt by image path or Process.Name with UpdateDeploymentProvider, .dll and RunHandlerComServer in the command line; the legitimate " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " and " wuaueng.dll " invocations are excluded.
RuleId = af77cf95-c469-471c-b6a0-946c685c4798
RuleName = Proxy Execution via Wuauclt
EventType = Process.Start
Tag = proc-start-proxy-execution-via-wuauclt
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = (((Process.Path like r"%wuauclt%" or Process.Name == "wuauclt.exe") and (Process.CommandLine like r"%UpdateDeploymentProvider%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%RunHandlerComServer%")) and not ((Process.CommandLine like r"% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %" or Process.CommandLine like r"% wuaueng.dll %")))

[ActivityMonitoringRule]
# This rule detects suspicious processes with parent images located in the C:\Users\Public folder
# NOTE(review): the Parent.Path pattern is anchored to drive letter C:; a Windows installation
# whose user profiles live on another volume would not match this rule.
RuleId = 69bd9b97-2be2-41b6-9816-fb08757a4d1a
RuleName = Parent in Public Folder Suspicious Process
EventType = Process.Start
Tag = proc-start-parent-in-public-folder-suspicious-process
RiskScore = 75
Query = (Parent.Path like r"C:\\Users\\Public\\%" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%wscript.exe%" or Process.CommandLine like r"%cscript.exe%" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%mshta.exe%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
RuleId = a29808fd-ef50-49ff-9c7a-59a9b040b404
RuleName = Registry Parse with Pypykatz
EventType = Process.Start
Tag = proc-start-registry-parse-with-pypykatz
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.002"]}
Query = ((Process.Path like r"%\\pypykatz.exe" or Process.Path like r"%\\python.exe") and Process.CommandLine like r"%live%" and Process.CommandLine like r"%registry%")

[ActivityMonitoringRule]
# Detects python spawning a pretty tty
RuleId = 480e7e51-e797-47e3-8d72-ebfce65b6d8d
RuleName = Python Spawning Pretty TTY on Windows
EventType = Process.Start
Tag = proc-start-python-spawning-pretty-tty-on-windows
RiskScore = 75
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.Path like r"%python.exe" or Process.Path like r"%python3.exe" or Process.Path like r"%python2.exe") and ((Process.CommandLine like r"%import pty%" and Process.CommandLine like r"%.spawn(%") or Process.CommandLine like r"%from pty import spawn%"))

[ActivityMonitoringRule]
# Detects command line patterns found in BlackByte ransomware operations
RuleId = 999e8307-a775-4d5f-addc-4855632335be
RuleName = BlackByte Ransomware Patterns
EventType = Process.Start
Tag = proc-start-blackbyte-ransomware-patterns
RiskScore = 75
Query = ((Process.Path like r"C:\\Users\\Public\\%" and Process.CommandLine like r"% -single %") or (Process.CommandLine like r"%del C:\\Windows\\System32\\Taskmgr.exe%" or Process.CommandLine like r"%;Set-Service -StartupType Disabled $%" or Process.CommandLine like r"%powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(%" or Process.CommandLine like r"% do start wordpad.exe /p %"))

[ActivityMonitoringRule]
# Detects RDP session hijacking by using MSTSC shadowing
RuleId = 6ba5a05f-b095-4f0a-8654-b825f4f16334
RuleName = MSTSC Shadowing
EventType = Process.Start
Tag = proc-start-mstsc-shadowing
RiskScore = 75
Annotation = {"mitre_attack": ["T1563.002"]}
Query = (Process.CommandLine like r"%noconsentprompt%" and Process.CommandLine like r"%shadow:%")

[ActivityMonitoringRule]
# Detects actions caused by the RedMimicry Winnti playbook
RuleId = 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
RuleName = RedMimicry Winnti Playbook Execute
EventType = Process.Start
Tag = proc-start-redmimicry-winnti-playbook-execute
RiskScore = 75
Annotation = {"mitre_attack": ["T1106", "T1059.003", "T1218.011"]}
Query = ((Process.Path like r"%rundll32.exe%" or Process.Path like r"%cmd.exe%") and (Process.CommandLine like r"%gthread-3.6.dll%" or Process.CommandLine like r"%\\Windows\\Temp\\tmp.bat%" or Process.CommandLine like r"%sigcmm-2.4.dll%"))

[ActivityMonitoringRule]
# Detects the export of a critical Registry key to a file.
RuleId = 82880171-b475-4201-b811-e9c826cd5eaa
RuleName = Exports Critical Registry Keys To a File
EventType = Process.Start
Tag = proc-start-exports-critical-registry-keys-to-a-file
RiskScore = 75
Annotation = {"mitre_attack": ["T1012"]}
Query = (Process.Path like r"%\\regedit.exe" and (Process.CommandLine like r"% /E %" or Process.CommandLine like r"% -E %") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security"))

[ActivityMonitoringRule]
# Detects reg command lines that disable certain important features of Microsoft Defender
RuleId = 452bce90-6fb0-43cc-97a5-affc283139b3
RuleName = Registry Defender Tampering
EventType = Process.Start
Tag = proc-start-registry-defender-tampering
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%SOFTWARE\\Microsoft\\Windows Defender\\%" or Process.CommandLine like r"%SOFTWARE\\Policies\\Microsoft\\Windows Defender\\%") and Process.CommandLine like r"% add %" and Process.CommandLine like r"% /d 0%" and (Process.CommandLine like r"%Real-Time Protection%" or Process.CommandLine like r"%TamperProtection%"))

[ActivityMonitoringRule]
# Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
RuleId = 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
RuleName = Delete Services Via Reg Utility
EventType = Process.Start
Tag = proc-start-delete-services-via-reg-utility
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.Path like r"%reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"% delete %" and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\services\\%")

[ActivityMonitoringRule]
# Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
RuleId = 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
RuleName = Registry Dump of SAM Creds and Secrets
EventType = Process.Start
Tag = proc-start-registry-dump-of-sam-creds-and-secrets
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.002"]}
Query = (Process.CommandLine like r"% save %" and (Process.CommandLine like r"%HKLM\\sam%" or Process.CommandLine like r"%HKLM\\system%" or Process.CommandLine like r"%HKLM\\security%"))

[ActivityMonitoringRule]
# Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
RuleId = 0d5675be-bc88-4172-86d3-1e96a4476536
RuleName = Enabling RDP Service via Reg.exe
EventType = Process.Start
Tag = proc-start-enabling-rdp-service-via-reg.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1021.001", "T1112"]}
Query = ((Process.Path like r"%\\reg.exe" and Process.CommandLine like r"% add %" and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server%" and Process.CommandLine like r"%REG\_DWORD%" and Process.CommandLine like r"% /f%") and ((Process.CommandLine like r"%Licensing Core%" and Process.CommandLine like r"%EnableConcurrentSessions%") or (Process.CommandLine like r"%WinStations\\RDP-Tcp%" or Process.CommandLine like r"%MaxInstanceCount%" or Process.CommandLine like r"%fEnableWinStation%" or Process.CommandLine like r"%TSUserEnabled%" or Process.CommandLine like r"%TSEnabled%" or Process.CommandLine like r"%TSAppCompat%" or Process.CommandLine like r"%IdleWinStationPoolCount%" or Process.CommandLine like r"%TSAdvertise%" or Process.CommandLine like r"%AllowTSConnections%" or Process.CommandLine like r"%fSingleSessionPerUser%")))

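[ActivityMonitoringRule]
# Detects reg command lines that disable PPL (RunAsPPL) on the LSA process.
# The generated query additionally required the command line to contain "Real-Time Protection" or
# "TamperProtection" - strings that belong to the Windows Defender tampering rule. A command that
# sets RunAsPPL to 0 would not normally contain either string, so the rule could not fire for the
# behaviour it describes. That clause is removed here; the remaining conditions match the description.
# Regenerating this file from the upstream Sigma rule may reintroduce the clause unless the rule is
# corrected there as well.
RuleId = 8c0eca51-0f88-4db2-9183-fdfb10c703f9
RuleName = Registry Disabling LSASS PPL
EventType = Process.Start
Tag = proc-start-registry-disabling-lsass-ppl
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.010"]}
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%SYSTEM\\CurrentControlSet\\Control\\Lsa%" and Process.CommandLine like r"% add %" and Process.CommandLine like r"% /d 0%" and Process.CommandLine like r"% /v RunAsPPL %")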

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
RuleId = 0ba1da6d-b6ce-4366-828c-18826c9de23e
RuleName = Highly Relevant Renamed Binary
EventType = Process.Start
Tag = proc-start-highly-relevant-renamed-binary
RiskScore = 75
Annotation = {"mitre_attack": ["T1036.003"]}
Query = ((Process.Name like r"powershell.exe" or Process.Name like r"pwsh.dll" or Process.Name like r"powershell\_ise.exe" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"mshta.exe" or Process.Name like r"regsvr32.exe" or Process.Name like r"wmic.exe" or Process.Name like r"certutil.exe" or Process.Name like r"rundll32.exe" or Process.Name like r"cmstp.exe" or Process.Name like r"msiexec.exe") and not ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe")))

[ActivityMonitoringRule]
# Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
RuleId = 8a4519e8-e64a-40b6-ae85-ba8ad2177559
RuleName = Process Creation with Renamed BrowserCore.exe
EventType = Process.Start
Tag = proc-start-process-creation-with-renamed-browsercore.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1528", "T1036.003"]}
Query = (Process.Name == "BrowserCore.exe" and not ((Process.Path like r"%\\BrowserCore.exe")))

[ActivityMonitoringRule]
# Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
RuleId = 643bdcac-8b82-49f4-9fd9-25a90b929f3b
RuleName = Renamed MegaSync
EventType = Process.Start
Tag = proc-start-renamed-megasync
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Parent.Path like r"%\\explorer.exe" and Process.CommandLine like r"%C:\\Windows\\Temp\\meg.exe%") or (Process.Name == "meg.exe" and not (Process.Path like r"%\\meg.exe")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects process creation with a renamed Msdt.exe
RuleId = bd1c6866-65fc-44b2-be51-5588fcff82b9
RuleName = Renamed Msdt.exe
EventType = Process.Start
Tag = proc-start-renamed-msdt.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1036.003"]}
Query = (Process.Name == "msdt.exe" and not ((Process.Path like r"%\\msdt.exe")))

[ActivityMonitoringRule]
# Detects the execution of a renamed ProcDump executable often used by attackers or malware
RuleId = 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
RuleName = Renamed ProcDump
EventType = Process.Start
Tag = proc-start-renamed-procdump
RiskScore = 75
Annotation = {"mitre_attack": ["T1036.003"]}
Query = (((Process.Name == "procdump" or (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"% -accepteula %")) or (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"%.dmp%")) and not ((Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe")))

[ActivityMonitoringRule]
# Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection
RuleId = d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2
RuleName = Renamed Rundll32.exe Execution
EventType = Process.Start
Tag = proc-start-renamed-rundll32.exe-execution
RiskScore = 75
Query = (Process.Name == "RUNDLL32.EXE" and not (Process.Path like r"%\\rundll32.exe"))

[ActivityMonitoringRule]
# Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
RuleId = a7cd7306-df8b-4398-b711-6f3e4935cf16
RuleName = Remote Procedure Call Service Anomaly
EventType = Process.Start
Tag = proc-start-remote-procedure-call-service-anomaly
RiskScore = 75
Annotation = {"mitre_attack": ["T1190", "T1569.002"]}
Query = Parent.CommandLine like r"C:\\WINDOWS\\system32\\svchost.exe -k RPCSS%"
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects rundll32 loading registered COM objects, which may be used to load malicious registered COM objects
RuleId = f1edd233-30b5-4823-9e6a-c4171b24d316
RuleName = Rundll32 Registered COM Objects
EventType = Process.Start
Tag = proc-start-rundll32-registered-com-objects
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.015"]}
Query = (Process.Path like r"%\\rundll32.exe" and (Process.CommandLine like r"%-sta %" or Process.CommandLine like r"%-localserver %") and Process.CommandLine like r"%{%" and Process.CommandLine like r"%}%")

[ActivityMonitoringRule]
# Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
RuleId = 5bb68627-3198-40ca-b458-49f973db8752
RuleName = Rundll32 Without Parameters
EventType = Process.Start
Tag = proc-start-rundll32-without-parameters
RiskScore = 75
Annotation = {"mitre_attack": ["T1021.002", "T1570", "T1569.002"]}
Query = Process.CommandLine == "rundll32.exe"

[ActivityMonitoringRule]
# Detects the execution of rundll32 with a command line that doesn't contain a .dll file
# NOTE(review): the exclusion list tests Process.CommandLine against both '' and ""; the two
# comparisons appear redundant and one of them can be dropped when the rule is next regenerated.
RuleId = c3a99af4-35a9-4668-879e-c09aeb4f2bdf
RuleName = Rundll32 Execution Without DLL File
EventType = Process.Start
Tag = proc-start-rundll32-execution-without-dll-file
RiskScore = 75
Query = (Process.Path like r"%\\rundll32.exe" and not ((Process.CommandLine == '') or (Process.CommandLine like r"%.dll%" or Process.CommandLine == "") or (Parent.Path like r"%:\\Program Files\\Internet Explorer\\iexplore.exe" and Process.CommandLine like r"%.cpl%") or (Parent.Path like r"%:\\Windows\\SysWOW64\\msiexec.exe" and Parent.CommandLine like r"C:\\Windows\\syswow64\\MsiExec.exe -Embedding%") or (Parent.Path like r"%:\\Windows\\System32\\msiexec.exe" and Parent.CommandLine like r"C:\\Windows\\system32\\MsiExec.exe -Embedding%") or (Parent.Path like r"%:\\Windows\\System32\\cmd.exe" and Parent.CommandLine like r"% C:\\Program Files\\SplunkUniversalForwarder\\%") or (Process.CommandLine like r"% -localserver %")))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects PowerShell script execution from Alternate Data Stream (ADS)
RuleId = 45a594aa-1fbd-4972-a809-ff5a99dd81b8
RuleName = Run PowerShell Script from ADS
EventType = Process.Start
Tag = proc-start-run-powershell-script-from-ads
RiskScore = 75
Annotation = {"mitre_attack": ["T1564.004"]}
Query = ((Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Get-Content%" and Process.CommandLine like r"%-Stream%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
RuleId = c5c00f49-b3f9-45a6-997e-cfdecc6e1967
RuleName = Suspicious Schtasks Execution AppData Folder
EventType = Process.Start
Tag = proc-start-suspicious-schtasks-execution-appdata-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005", "T1059.001"]}
Query = ((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%/RU%" and Process.CommandLine like r"%/TR%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\AppData\\Local\\%" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %")) and not (Parent.Path like r"%\\AppData\\Local\\Temp\\%" and Parent.Path like r"%TeamViewer\_.exe%" and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)
RuleId = b66474aa-bd92-4333-a16c-298155b120df
RuleName = Suspicious Powershell No File or Command
EventType = Process.Start
Tag = proc-start-suspicious-powershell-no-file-or-command
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005", "T1059.001"]}
Query = (Process.CommandLine like r"% -windowstyle hidden\"" or Process.CommandLine like r"% -windowstyle hidden" or Process.CommandLine like r"% -windowstyle hidden'" or Process.CommandLine like r"% -w hidden\"" or Process.CommandLine like r"% -w hidden" or Process.CommandLine like r"% -w hidden'" or Process.CommandLine like r"% -ep bypass\"" or Process.CommandLine like r"% -ep bypass" or Process.CommandLine like r"% -ep bypass'" or Process.CommandLine like r"% -noni\"" or Process.CommandLine like r"% -noni" or Process.CommandLine like r"% -noni'")

[ActivityMonitoringRule]
# Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
RuleId = c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
RuleName = Scheduled Task Executing Powershell Encoded Payload from Registry
EventType = Process.Start
Tag = proc-start-scheduled-task-executing-powershell-encoded-payload-from-registry
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005", "T1059.001"]}
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%/SC%" and Process.CommandLine like r"%FromBase64String%" and Process.CommandLine like r"%Get-ItemProperty%" and (Process.CommandLine like r"%HKCU:%" or Process.CommandLine like r"%HKLM:%" or Process.CommandLine like r"%registry::%" or Process.CommandLine like r"%HKEY\_%"))

[ActivityMonitoringRule]
# Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
RuleId = 89ca78fd-b37c-4310-b3d3-81a023f83936
RuleName = Schtasks Creation Or Modification With SYSTEM Privileges
EventType = Process.Start
Tag = proc-start-schtasks-creation-or-modification-with-system-privileges
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
Query = ((Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"% /change %" or Process.CommandLine like r"% /create %") and Process.CommandLine like r"%/ru %" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %")) and not (Parent.Path like r"%\\AppData\\Local\\Temp\\%" and Parent.Path like r"%TeamViewer\_.exe%" and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
RuleId = 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
RuleName = ScreenConnect Backstage Mode Anomaly
EventType = Process.Start
Tag = proc-start-screenconnect-backstage-mode-anomaly
RiskScore = 75
Annotation = {"mitre_attack": ["T1219"]}
Query = (Parent.Path like r"%ScreenConnect.ClientService.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious child process of Script Event Consumer (scrcons.exe).
RuleId = f6d1dd2f-b8ce-40ca-bc23-062efb686b34
RuleName = Script Event Consumer Spawning Process
EventType = Process.Start
Tag = proc-start-script-event-consumer-spawning-process
RiskScore = 75
Annotation = {"mitre_attack": ["T1047"]}
Query = (Parent.Path like r"%\\scrcons.exe" and (Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msbuild.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection
# NOTE(review): the Query value below is split across two physical lines, with the second line starting
# in column 0 and carrying no key. Most INI parsers do not accept an unindented continuation line, so
# confirm that the uberAgent parser joins it; otherwise the rule will not load as written and should be
# collapsed onto a single line.
RuleId = 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
RuleName = Suspicious Execution of Sc to Delete AV Services
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-sc-to-delete-av-services
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process.CommandLine like r"% delete %" and (Process.CommandLine like r"%AvgAdminServer%" or Process.CommandLine like r"%AVG Antivirus%" or Process.CommandLine like r"%MBEndpointAgent%" or Process.CommandLine like r"%MBAMService%" or Process.CommandLine like r"%MBCloudEA%" or Process.CommandLine like r"%avgAdminClient%" or Process.CommandLine like r"%SAVService%" or Process.CommandLine like r"%SAVAdminService%" or Process.CommandLine like r"%Sophos AutoUpdate Service%" or Process.CommandLine like r"%Sophos Clean Service%" or Process.CommandLine like r"%Sophos Device Control Service%" or Process.CommandLine like r"%Sophos File Scanner Service%" or Process.CommandLine like r"%Sophos Health Service%" or Process.CommandLine like r"%Sophos MCS Agent%" or Process.CommandLine like r"%Sophos MCS Client%" or Process.CommandLine like r"%SntpService%" or Process.CommandLine like r"%swc\_service%" or Process.CommandLine like r"%swi\_service%" or Process.CommandLine like r"%Sophos UI%" or Process.CommandLine like r"%swi\_update%" or Process.CommandLine like r"%Sophos Web Control Service%" or Process.CommandLine like r"%Sophos System Protection Service%" or Process.CommandLine like r"%Sophos Safestore Service%" or Process.CommandLine like r"%hmpalertsvc%" or Process.CommandLine like r"%RpcEptMapper%" or Process.CommandLine like r"%Sophos Endpoint Defense Service%" or Process.CommandLine like r"%SophosFIM%" or Process.CommandLine like r"%swi\_filter%" or Process.CommandLine like r"%FirebirdGuardianDefaultInstance%" or Process.CommandLine like r"%FirebirdServerDefaultInstance%" or Process.CommandLine like r"%WRSVC%" or Process.CommandLine like r"%ekrn%" or Process.CommandLine like r"%ekrnEpsw%" or Process.CommandLine like r"%klim6%" or Process.CommandLine like r"%AVP18.0.0%" or Process.CommandLine like r"%KLIF%" or Process.CommandLine like r"%klpd%" or Process.CommandLine like r"%klflt%" or 
Process.CommandLine like r"%klbackupdisk%" or Process.CommandLine like r"%klbackupflt%" or Process.CommandLine like r"%klkbdflt%" or Process.CommandLine like r"%klmouflt%" or Process.CommandLine like r"%klhk%" or Process.CommandLine like r"%KSDE1.0.0%" or Process.CommandLine like r"%kltap%" or Process.CommandLine like r"%ScSecSvc%" or Process.CommandLine like r"%Core Mail Protection%" or Process.CommandLine like r"%Core Scanning Server%" or Process.CommandLine like r"%Core Scanning ServerEx%" or Process.CommandLine like r"%Online Protection System%" or Process.CommandLine like r"%RepairService%" or Process.CommandLine like r"%Core Browsing Protection%" or Process.CommandLine like r"%Quick Update Service%" or Process.CommandLine like r"%McAfeeFramework%" or Process.CommandLine like r"%macmnsvc%" or Process.CommandLine like r"%masvc%" or Process.CommandLine like r"%mfemms%" or Process.CommandLine like r"%mfevtp%" or Process.CommandLine like r"%TmFilter%" or Process.CommandLine like r"%TMLWCSService%" or Process.CommandLine like r"%tmusa%" or Process.CommandLine like r"%TmPreFilter%" or Process.CommandLine like r"%TMSmartRelayService%" or Process.CommandLine like r"%TMiCRCScanService%" or Process.CommandLine like r"%VSApiNt%" or Process.CommandLine like r"%TmCCSF%" or Process.CommandLine like r"%tmlisten%" or Process.CommandLine like r"%TmProxy%" or Process.CommandLine like r"%ntrtscan%" or Process.CommandLine like r"%ofcservice%" or Process.CommandLine like r"%TmPfw%" or Process.CommandLine like r"%PccNTUpd%" or Process.CommandLine like r"%PandaAetherAgent%" or Process.CommandLine like r"%PSUAService%" or Process.CommandLine like r"%NanoServiceMain%" or Process.CommandLine like r"%EPIntegrationService%" or Process.CommandLine like r"%EPProtectedService%" or Process.CommandLine like r"%EPRedline%" or Process.CommandLine like r"%EPSecurityService%" or Process.CommandLine like r"%EPUpdateService%"))

[ActivityMonitoringRule]
# Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
RuleId = 517490a7-115a-48c6-8862-1a481504d5a8
RuleName = Possible Shim Database Persistence via sdbinst.exe
EventType = Process.Start
Tag = proc-start-possible-shim-database-persistence-via-sdbinst.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.011"]}
Query = ((Process.Path like r"%\\sdbinst.exe" and Process.CommandLine like r"%.sdb%") and not (Process.CommandLine like r"%iisexpressshim.sdb%"))

[ActivityMonitoringRule]
# Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
RuleId = f3d39c45-de1a-4486-a687-ab126124f744
RuleName = Sdiagnhost Calling Suspicious Child Process
EventType = Process.Start
Tag = proc-start-sdiagnhost-calling-suspicious-child-process
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1218"]}
Query = (Parent.Path like r"%\\sdiagnhost.exe" and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\taskkill.exe" or Process.Path like r"%\\calc.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Shadow Copies deletion using operating systems utilities
RuleId = c947b146-0abc-4c87-9c64-b17e9d7274a2
RuleName = Shadow Copies Deletion Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-deletion-using-operating-systems-utilities
RiskScore = 75
Annotation = {"mitre_attack": ["T1070", "T1490"]}
Query = (((((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\diskshadow.exe") or Process.Name in ["PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe"]) and (Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%delete%")) or ((Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and (Process.CommandLine like r"%delete%" and Process.CommandLine like r"%catalog%" and Process.CommandLine like r"%quiet%"))) or ((Process.Path like r"%\\vssadmin.exe" or Process.Name == "VSSADMIN.EXE") and (Process.CommandLine like r"%resize%" and Process.CommandLine like r"%shadowstorage%" and Process.CommandLine like r"%unbounded%")))

[ActivityMonitoringRule]
# Detects dump of credentials in VeeamBackup dbo
RuleId = b57ba453-b384-4ab9-9f40-1038086b4e53
RuleName = VeeamBackup Database Credentials Dump
EventType = Process.Start
Tag = proc-start-veeambackup-database-credentials-dump
RiskScore = 75
Annotation = {"mitre_attack": ["T1005"]}
Query = (Process.Path like r"%\\sqlcmd.exe" and Process.CommandLine like r"%SELECT%" and Process.CommandLine like r"%TOP%" and Process.CommandLine like r"%[VeeamBackup].[dbo].[Credentials]%")

[ActivityMonitoringRule]
# Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
RuleId = 961e0abb-1b1e-4c84-a453-aafe56ad0d34
RuleName = Execution via stordiag.exe
EventType = Process.Start
Tag = proc-start-execution-via-stordiag.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Parent.Path like r"%\\stordiag.exe" and (Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\fltmc.exe")) and not ((Parent.Path like r"c:\\windows\\system32\\%" or Parent.Path like r"c:\\windows\\syswow64\\%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
RuleId = 7c0dcd3d-acf8-4f71-9570-f448b0034f94
RuleName = PsExec Service Execution as LOCAL SYSTEM
EventType = Process.Start
Tag = proc-start-psexec-service-execution-as-local-system
RiskScore = 75
Query = (Parent.Path like r"C:\\Windows\\PSEXESVC.exe" and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%"))
GenericProperty1 = Parent.Path
GenericProperty2 = Process.User

[ActivityMonitoringRule]
# Detects suspicious launch of the PSEXESVC service with a different service name, which is not often used by legitimate administrators
RuleId = 51ae86a2-e2e1-4097-ad85-c46cb6851de4
RuleName = PsExec Service Execution with Different Name
EventType = Process.Start
Tag = proc-start-psexec-service-execution-with-different-name
RiskScore = 75
Query = (Process.Name == "psexesvc.exe" and not (Process.Path like r"C:\\Windows\\PSEXESVC.exe"))

[ActivityMonitoringRule]
# Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
RuleId = ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
RuleName = Suspicious Add User to Remote Desktop Users Group
EventType = Process.Start
Tag = proc-start-suspicious-add-user-to-remote-desktop-users-group
RiskScore = 75
Annotation = {"mitre_attack": ["T1133", "T1136.001", "T1021.001"]}
Query = (Process.CommandLine like r"%net %" and Process.CommandLine like r"%localgroup%" and Process.CommandLine like r"%Remote Desktop Users%" and Process.CommandLine like r"%/add%")

[ActivityMonitoringRule]
# Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
RuleId = fa00b701-44c6-4679-994d-5a18afa8a707
RuleName = Suspicious AdvancedRun Runas Priv User
EventType = Process.Start
Tag = proc-start-suspicious-advancedrun-runas-priv-user
RiskScore = 75
Query = ((Process.CommandLine like r"%/EXEFilename%" or Process.CommandLine like r"%/CommandLine%") and ((Process.CommandLine like r"% /RunAs 8 %" or Process.CommandLine like r"% /RunAs 4 %" or Process.CommandLine like r"% /RunAs 10 %" or Process.CommandLine like r"% /RunAs 11 %") or (Process.CommandLine like r"%/RunAs 8" or Process.CommandLine like r"%/RunAs 4" or Process.CommandLine like r"%/RunAs 10" or Process.CommandLine like r"%/RunAs 11")))

[ActivityMonitoringRule]
# Detects base64 encoded powershell 'Invoke-' call
RuleId = 6385697e-9f1b-40bd-8817-f4a91f40508e
RuleName = Suspicious Base64 Encoded Powershell Invoke
EventType = Process.Start
Tag = proc-start-suspicious-base64-encoded-powershell-invoke
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027"]}
Query = ((Process.CommandLine like r"%SQBuAHYAbwBrAGUALQ%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0A%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtA%") and not (((Process.CommandLine like r"%SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA%" or Process.CommandLine like r"%SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg%" or Process.CommandLine like r"%SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA%"))))

[ActivityMonitoringRule]
# Detects suspicious base64 encoded and obfuscated LOAD string often used for reflection.assembly load
RuleId = 9c0295ce-d60d-40bd-bd74-84673b7592b1
RuleName = Suspicious Encoded Obfuscated LOAD String
EventType = Process.Start
Tag = proc-start-suspicious-encoded-obfuscated-load-string
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027"]}
Query = (Process.CommandLine like r"%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%" or Process.CommandLine like r"%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%" or Process.CommandLine like r"%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%")

[ActivityMonitoringRule]
# Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
# First alternative: any command line containing "\calc.exe " (image followed by arguments), regardless of Process.Path.
# Second alternative: a calc.exe image whose path does not contain "\Windows\Sys" (i.e. outside System32/SysWOW64);
# the exclusion is a substring test, so it also covers other "\Windows\Sys*" directories.
RuleId = 737e618a-a410-49b5-bec3-9e55ff7fbc15
RuleName = Suspicious Calculator Usage
EventType = Process.Start
Tag = proc-start-suspicious-calculator-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1036"]}
Query = (Process.CommandLine like r"%\\calc.exe %" or (Process.Path like r"%\\calc.exe" and not (Process.Path like r"%\\Windows\\Sys%")))

[ActivityMonitoringRule]
# Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
# First group keys on the switches alone (no Process.Path constraint) and each pattern is bounded by a space on
# both sides, so a switch given as the last token of the command line is not matched by this group.
# Second group requires a certutil.exe image plus a bare "URL" or "ping" substring anywhere in the command line.
RuleId = e011a729-98a6-4139-b5c4-bf6f6dd8239a
RuleName = Suspicious Certutil Command
EventType = Process.Start
Tag = proc-start-suspicious-certutil-command
RiskScore = 75
Annotation = {"mitre_attack": ["T1140", "T1105"]}
Query = ((Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -decodehex %" or Process.CommandLine like r"% -urlcache %" or Process.CommandLine like r"% -verifyctl %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% /decode %" or Process.CommandLine like r"% /decodehex %" or Process.CommandLine like r"% /urlcache %" or Process.CommandLine like r"% /verifyctl %" or Process.CommandLine like r"% /encode %") or (Process.Path like r"%\\certutil.exe" and (Process.CommandLine like r"%URL%" or Process.CommandLine like r"%ping%")))

[ActivityMonitoringRule]
# Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
# Each pattern is a single non-ASCII character matched as a substring of the command line.
# NOTE(review): these literals are stored as non-ASCII bytes in this file; the rule only matches the intended
# characters if the file is read with the encoding it was written in (UTF-8 presumed) — confirm with the loader.
RuleId = e0552b19-5a83-4222-b141-b36184bb8d79
RuleName = Obfuscated Command Line Using Special Unicode Characters
EventType = Process.Start
Tag = proc-start-obfuscated-command-line-using-special-unicode-characters
RiskScore = 75
Annotation = {"mitre_attack": ["T1027"]}
Query = (Process.CommandLine like r"%â%" or Process.CommandLine like r"%€%" or Process.CommandLine like r"%£%" or Process.CommandLine like r"%¯%" or Process.CommandLine like r"%®%" or Process.CommandLine like r"%µ%" or Process.CommandLine like r"%¶%")

[ActivityMonitoringRule]
# Detects use of chcp to look up the system locale value as part of host discovery
# Requires a cmd.exe parent started with " /c " and a chcp.com image. The three CommandLine variants are
# "chcp" at the end of the line with zero, one or two trailing spaces, i.e. chcp invoked without a code page
# argument (a lookup rather than a change).
RuleId = 7090adee-82e2-4269-bd59-80691e7c6338
RuleName = CHCP CodePage Locale Lookup
EventType = Process.Start
Tag = proc-start-chcp-codepage-locale-lookup
RiskScore = 75
Annotation = {"mitre_attack": ["T1614.001"]}
Query = (Parent.Path like r"%\\cmd.exe" and Parent.CommandLine like r"% /c %" and Process.Path like r"%\\chcp.com" and (Process.CommandLine like r"%chcp" or Process.CommandLine like r"%chcp " or Process.CommandLine like r"%chcp  "))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion
# Three groups of single-character substring matches: modifier letters, slash look-alikes and dash look-alikes.
# NOTE(review): as with the other non-ASCII rules in this file, the match depends on the file being read with
# the encoding it was written in (UTF-8 presumed) — confirm with the loader.
RuleId = 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
RuleName = Suspicious Characters in CommandLine
EventType = Process.Start
Tag = proc-start-suspicious-characters-in-commandline
RiskScore = 75
Query = ((Process.CommandLine like r"%ˣ%" or Process.CommandLine like r"%˪%" or Process.CommandLine like r"%ˢ%") or (Process.CommandLine like r"%∕%" or Process.CommandLine like r"%⁄%") or (Process.CommandLine like r"%―%" or Process.CommandLine like r"%—%"))

[ActivityMonitoringRule]
# Detects suspicious command line arguments of common data compression tools
# Process.Name (not Process.Path) is matched, so the tool is recognised by file name wherever it is located.
# The exclusion drops every event whose Parent.Path starts with "C:\Program" (Program Files, Program Files (x86),
# ProgramData, ...); it is anchored to the C: drive, so parents installed on another drive are not excluded.
RuleId = 27a72a60-7e5e-47b1-9d17-909c9abafdcd
RuleName = Suspicious Compression Tool Parameters
EventType = Process.Start
Tag = proc-start-suspicious-compression-tool-parameters
RiskScore = 75
Annotation = {"mitre_attack": ["T1560.001"]}
Query = (((Process.Name like r"7z%.exe" or Process.Name like r"%rar.exe" or Process.Name like r"%Command%Line%RAR%") and (Process.CommandLine like r"% -p%" or Process.CommandLine like r"% -ta%" or Process.CommandLine like r"% -tb%" or Process.CommandLine like r"% -sdel%" or Process.CommandLine like r"% -dw%" or Process.CommandLine like r"% -hp%")) and not (Parent.Path like r"C:\\Program%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects process memory dump via comsvcs.dll and rundll32
# NOTE(review): Process.Name == "RUNDLL32.EXE" is an exact comparison in upper case, while other rules in this
# file compare lower-case names (e.g. "fsutil.exe", "gup.exe"). Either the comparison is case-insensitive or one
# of the two spellings never matches — confirm; the Process.Path term is what carries the rule in the meantime.
RuleId = 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
RuleName = Process Dump via Comsvcs DLL
EventType = Process.Start
Tag = proc-start-process-dump-via-comsvcs-dll
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011", "T1003.001"]}
Query = ((Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and (Process.CommandLine like r"%comsvcs%" and Process.CommandLine like r"%MiniDump%" and Process.CommandLine like r"%full%"))

[ActivityMonitoringRule]
# Detects a suspicious process pattern found in CVE-2021-40444 exploitation
RuleId = 894397c6-da03-425c-a589-3d09e7d1f750
RuleName = CVE-2021-40444 Process Pattern
EventType = Process.Start
Tag = proc-start-cve-2021-40444-process-pattern
RiskScore = 75
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.Path like r"%\\control.exe" and (Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\powerpnt.exe" or Parent.Path like r"%\\excel.exe")) and not ((Process.CommandLine like r"%\\control.exe input.dll" or Process.CommandLine like r"%\\control.exe\" input.dll")))
GenericProperty1 = Parent.Path

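[ActivityMonitoringRule]
# Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
# Fix: the Process.Path pattern previously ended in "rundll32.exe " (trailing space). Process.Path is an image
# path and does not end in a space, so the end-anchored pattern could not match and the rule was effectively dead.
# NOTE(review): the trailing space appears to have been carried over from the Sigma source; if this file is
# regenerated with sigmac, check that it does not come back.
RuleId = d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
RuleName = Suspicious Control Panel DLL Load
EventType = Process.Start
Tag = proc-start-suspicious-control-panel-dll-load
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
Query = ((Parent.Path like r"%\\System32\\control.exe" and Process.Path like r"%\\rundll32.exe") and not (Process.CommandLine like r"%Shell32.dll%"))
GenericProperty1 = Parent.Path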

[ActivityMonitoringRule]
# Detects a suspicious copy command to or from an Admin share
# Selection: robocopy/xcopy by image, or cmd.exe / powershell with a copy-like substring ("copy", "copy-item",
# "cpi ", " cp ") anywhere in the command line — these are unanchored, so any argument containing "copy" qualifies.
# Target: the command line must end with the "\\\\\*" pattern and contain a "$" (the admin-share form).
# NOTE(review): the final "\*" in that pattern is an escaped asterisk in this file's LIKE syntax (as "\_" is
# elsewhere in the file) rather than a wildcard — confirm against the Sigma source that an end-anchored literal is intended.
RuleId = 855bc8b5-2ae8-402e-a9ed-b889e6df1900
RuleName = Copy from Admin Share
EventType = Process.Start
Tag = proc-start-copy-from-admin-share
RiskScore = 75
Annotation = {"mitre_attack": ["T1039", "T1048", "T1021.002"]}
Query = ((((Process.Path like r"%\\robocopy.exe" or Process.Path like r"%\\xcopy.exe") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%copy%")) or (Process.Path like r"%\\powershell%" and (Process.CommandLine like r"%copy-item%" or Process.CommandLine like r"%copy%" or Process.CommandLine like r"%cpi %" or Process.CommandLine like r"% cp %"))) and (Process.CommandLine like r"%\\\\\*" and Process.CommandLine like r"%$%"))

[ActivityMonitoringRule]
# Detects suspicious command lines used in Covenant launchers
# First alternative: -Sta, -Nop, -Window and Hidden together with -Command or -EncodedCommand (all substrings).
# Second alternative: fixed launcher strings.
# NOTE(review): "IO.MemorySteam" is kept as written; it appears to be the literal string emitted by the launcher
# being detected rather than a typo in this file — check the Sigma source before "correcting" it.
RuleId = c260b6db-48ba-4b4a-a76f-2f67644e99d2
RuleName = Covenant Launcher Indicators
EventType = Process.Start
Tag = proc-start-covenant-launcher-indicators
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1564.003"]}
Query = ((Process.CommandLine like r"%-Sta%" and Process.CommandLine like r"%-Nop%" and Process.CommandLine like r"%-Window%" and Process.CommandLine like r"%Hidden%" and (Process.CommandLine like r"%-Command%" or Process.CommandLine like r"%-EncodedCommand%")) or (Process.CommandLine like r"%sv o (New-Object IO.MemorySteam);sv d %" or Process.CommandLine like r"%mshta file.hta%" or Process.CommandLine like r"%GruntHTTP%" or Process.CommandLine like r"%-EncodedCommand cwB2ACAAbwAgA%"))

[ActivityMonitoringRule]
# Detect various execution methods of the CrackMapExec pentesting framework
RuleId = 058f4380-962d-40a5-afce-50207d36d7e2
RuleName = CrackMapExec Command Execution
EventType = Process.Start
Tag = proc-start-crackmapexec-command-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1047", "T1053", "T1059.003", "T1059.001"]}
Query = ((Process.CommandLine like r"%cmd.exe /Q /c % 1> \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > %\\Temp\\% 2>&1") and (Process.CommandLine like r"%powershell.exe -exec bypass -noni -nop -w 1 -C \"%" or Process.CommandLine like r"%powershell.exe -noni -nop -w 1 -enc %"))

[ActivityMonitoringRule]
# This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
# Command-line-only rule (no Process.Path/Process.Name constraint). "pe\_inject" uses "\_" so the underscore is
# matched literally instead of as the single-character LIKE wildcard; the same escaping is used elsewhere in this file.
# NOTE(review): the "-H 'NTHASH'" term matches that literal text only, i.e. a usage-example placeholder pasted
# verbatim; a real hash value does not satisfy this alternative.
RuleId = 42a993dd-bb3e-48c8-b372-4d6684c4106c
RuleName = CrackMapExec Command Line Flags
EventType = Process.Start
Tag = proc-start-crackmapexec-command-line-flags
RiskScore = 75
Query = ((Process.CommandLine like r"% -M pe\_inject %" or (Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -x %") or (Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% -H 'NTHASH'%") or (Process.CommandLine like r"% mssql %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% -M %" and Process.CommandLine like r"% -d %") or (Process.CommandLine like r"% smb %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -H %" and Process.CommandLine like r"% -M %" and Process.CommandLine like r"% -o %") or (Process.CommandLine like r"% smb %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% --local-auth%")) or (Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% 10.%" and Process.CommandLine like r"% 192.168.%" and Process.CommandLine like r"%/24 %"))

[ActivityMonitoringRule]
# The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
RuleId = 6f8b3439-a203-45dc-a88b-abf57ea15ccf
RuleName = CrackMapExec PowerShell Obfuscation
EventType = Process.Start
Tag = proc-start-crackmapexec-powershell-obfuscation
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027.005"]}
Query = ((Process.CommandLine like r"%powershell.exe%" or Process.CommandLine like r"%pwsh.exe%") and (Process.CommandLine like r"%join%split%" or Process.CommandLine like r"%( $ShellId[1]+$ShellId[13]+'x')%" or Process.CommandLine like r"%( $PSHome[%]+$PSHOME[%]+%" or Process.CommandLine like r"%( $env:Public[13]+$env:Public[5]+'x')%" or Process.CommandLine like r"%( $env:ComSpec[4,%,25]-Join'')%" or Process.CommandLine like r"%[1,3]+'x'-Join'')%"))

[ActivityMonitoringRule]
# Detects a suspicious parent of csc.exe, which could be a sign of payload delivery
RuleId = b730a276-6b63-41b8-bcf8-55930c8fc6ee
RuleName = Suspicious Parent of Csc.exe
EventType = Process.Start
Tag = proc-start-suspicious-parent-of-csc.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.005", "T1059.007", "T1218.005", "T1027.004"]}
Query = (Process.Path like r"%\\csc.exe" and (Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious process injection using ZOHO's dctask64.exe
RuleId = 6345b048-8441-43a7-9bed-541133633d7a
RuleName = ZOHO Dctask64 Process Injection
EventType = Process.Start
Tag = proc-start-zoho-dctask64-process-injection
RiskScore = 75
Annotation = {"mitre_attack": ["T1055.001"]}
Query = (Process.Path like r"%\\dctask64.exe" and not (Process.CommandLine like r"%DesktopCentral\_Agent\\agent%"))

[ActivityMonitoringRule]
# Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
RuleId = bb58aa4a-b80b-415a-a2c0-2f65a4c81009
RuleName = Suspicious Desktopimgdownldr Command
EventType = Process.Start
Tag = proc-start-suspicious-desktopimgdownldr-command
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = ((Process.CommandLine like r"% /lockscreenurl:%" and not ((Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.png%"))) or (Process.CommandLine like r"%reg delete%" and Process.CommandLine like r"%\\PersonalizationCSP%"))

[ActivityMonitoringRule]
# Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
RuleId = 90d50722-0483-4065-8e35-57efaadd354d
RuleName = DevInit Lolbin Download
EventType = Process.Start
Tag = proc-start-devinit-lolbin-download
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.CommandLine like r"% -t msi-install %" and Process.CommandLine like r"% -i http%")

[ActivityMonitoringRule]
# Detects Devtoolslauncher.exe being used to execute another binary
RuleId = cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
RuleName = Devtoolslauncher.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-devtoolslauncher.exe-executes-specified-binary
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\devtoolslauncher.exe" and Process.CommandLine like r"%LaunchForDeploy%")

[ActivityMonitoringRule]
# Detects command that is used to disable or delete Windows eventlog via logman Windows utility
RuleId = cd1f961e-0b96-436b-b7c6-38da4583ec00
RuleName = Disable or Delete Windows Eventlog
EventType = Process.Start
Tag = proc-start-disable-or-delete-windows-eventlog
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001", "T1070.001"]}
Query = (Process.CommandLine like r"%logman %" and (Process.CommandLine like r"%stop %" or Process.CommandLine like r"%delete %") and Process.CommandLine like r"%EventLog-System%")

[ActivityMonitoringRule]
# Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
RuleId = fb50eb7a-5ab1-43ae-bcc9-091818cb8424
RuleName = Disabled IE Security Features
EventType = Process.Start
Tag = proc-start-disabled-ie-security-features
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.CommandLine like r"% -name IEHarden %" and Process.CommandLine like r"% -value 0 %") or (Process.CommandLine like r"% -name DEPOff %" and Process.CommandLine like r"% -value 1 %") or (Process.CommandLine like r"% -name DisableFirstRunCustomize %" and Process.CommandLine like r"% -value 2 %"))

[ActivityMonitoringRule]
# Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
RuleId = a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
RuleName = Raccine Uninstall
EventType = Process.Start
Tag = proc-start-raccine-uninstall
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.CommandLine like r"%taskkill %" and Process.CommandLine like r"%RaccineSettings.exe%") or (Process.CommandLine like r"%reg.exe%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%Raccine Tray%") or (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%/DELETE%" and Process.CommandLine like r"%Raccine Rules Updater%"))

[ActivityMonitoringRule]
# Detects using Diskshadow.exe to execute arbitrary code in text file
# "/s" and "-s" are unanchored substrings, so any diskshadow.exe argument containing them (a path segment
# such as "-setup", for example) satisfies the rule, not only the script switch; expect tuning on hosts that
# run diskshadow legitimately.
RuleId = 0c2f8629-7129-4a8a-9897-7e0768f13ff2
RuleName = Execution via Diskshadow.exe
EventType = Process.Start
Tag = proc-start-execution-via-diskshadow.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\diskshadow.exe" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%-s%"))

[ActivityMonitoringRule]
# Detects the use of the Ditsnap tool, which appears to be used by ransomware groups.
RuleId = d3b70aad-097e-409c-9df2-450f80dc476b
RuleName = DIT Snapshot Viewer Use
EventType = Process.Start
Tag = proc-start-dit-snapshot-viewer-use
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.003"]}
Query = (Process.Path like r"%\\ditsnap.exe" or Process.CommandLine like r"%ditsnap.exe%")

[ActivityMonitoringRule]
# Detects a "dllhost" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes
# Both terms are end-anchored on "dllhost.exe": the image path must end in \dllhost.exe and the command line
# must end in dllhost.exe, i.e. nothing follows the image name. A command line whose image path is quoted
# ends in a quote character and therefore does not match — keep that in mind when validating the rule.
RuleId = e7888eb1-13b0-4616-bd99-4bc0c2b054b9
RuleName = Dllhost Process With No CommandLine
EventType = Process.Start
Tag = proc-start-dllhost-process-with-no-commandline
RiskScore = 75
Annotation = {"mitre_attack": ["T1055"]}
Query = (Process.CommandLine like r"%dllhost.exe" and Process.Path like r"%\\dllhost.exe")

[ActivityMonitoringRule]
# Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
RuleId = 00d49ed5-4491-4271-a8db-650a4ef6f8c1
RuleName = Suspicious Download from Office Domain
EventType = Process.Start
Tag = proc-start-suspicious-download-from-office-domain
RiskScore = 75
Query = (((Process.Path like r"%\\curl.exe" or Process.Path like r"%\\wget.exe") or (Process.CommandLine like r"%Start-BitsTransfer%" or Process.CommandLine like r"%.DownloadFile(%" or Process.CommandLine like r"%.DownloadString(%")) and (Process.CommandLine like r"%https://attachment.outlook.live.net/owa/%" or Process.CommandLine like r"%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%"))

[ActivityMonitoringRule]
# Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
RuleId = 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
RuleName = Suspicious Kernel Dump Using Dtrace
EventType = Process.Start
Tag = proc-start-suspicious-kernel-dump-using-dtrace
RiskScore = 75
Query = ((Process.Path like r"%\\dtrace.exe" and Process.CommandLine like r"%lkd(0)%") or (Process.CommandLine like r"%syscall:::return%" and Process.CommandLine like r"%lkd(%"))

[ActivityMonitoringRule]
# Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomware during an attack (seen with NotPetya and others).
# Three alternatives keyed on the image: wevtutil.exe with clear-log/set-log or their space-bounded short forms
# " cl " / " sl "; powershell.exe or pwsh.exe with the Clear-/Remove-/Limit-EventLog cmdlets; wmic.exe with " ClearEventLog ".
# The short-form patterns are bounded by spaces on both sides, so "cl" or "sl" as the final token is not matched.
RuleId = cc36992a-4671-4f21-a91d-6c2b72a2edf5
RuleName = Suspicious Eventlog Clear or Configuration Using Wevtutil
EventType = Process.Start
Tag = proc-start-suspicious-eventlog-clear-or-configuration-using-wevtutil
RiskScore = 75
Annotation = {"mitre_attack": ["T1070.001"]}
Query = ((Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log%" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log%" or Process.CommandLine like r"% sl %")) or ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Clear-EventLog%" or Process.CommandLine like r"%Remove-EventLog%" or Process.CommandLine like r"%Limit-EventLog%")) or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"% ClearEventLog %"))

[ActivityMonitoringRule]
# Detects a suspicious execution from an uncommon folder
# All folder patterns except "C:\Perflogs\" are unanchored (leading "%"), so they match on any drive; the Perflogs
# term and the single IBM ClientSolutions exclusion are anchored to the C: drive. "Start\_Programs" escapes the
# underscore so it is matched literally rather than as the single-character LIKE wildcard.
RuleId = 3dfd06d2-eaf4-4532-9555-68aca59f57c4
RuleName = Execution from Suspicious Folder
EventType = Process.Start
Tag = proc-start-execution-from-suspicious-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1036"]}
Query = (((Process.Path like r"%\\$Recycle.bin\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Intel\\Logs\\%" or Process.Path like r"%\\RSA\\MachineKeys\\%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\NetworkService\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\Windows\\addins\\%" or Process.Path like r"%\\Windows\\debug\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\Help\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\Media\\%" or Process.Path like r"%\\Windows\\repair\\%" or Process.Path like r"%\\Windows\\security\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%" or Process.Path like r"%\\Windows\\Tasks\\%") or Process.Path like r"C:\\Perflogs\\%") and not (Process.Path like r"C:\\Users\\Public\\IBM\\ClientSolutions\\Start\_Programs\\%"))

[ActivityMonitoringRule]
# Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
# NOTE(review): the second exclusion term (Parent.Path == the System32 svchost.exe image) subsumes the first
# (Parent.CommandLine of the "-s Schedule" service host): every explorer.exe /NOUACCHECK whose parent is that
# svchost.exe image is dropped, not only children of the Task Scheduler host. If only the Schedule host was
# meant to be excluded, the Parent.Path term should go; as written it removes a sizeable class of events.
RuleId = 534f2ef7-e8a2-4433-816d-c91bccde289b
RuleName = Explorer NOUACCHECK Flag
EventType = Process.Start
Tag = proc-start-explorer-nouaccheck-flag
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002"]}
Query = ((Process.Path like r"%\\explorer.exe" and Process.CommandLine like r"%/NOUACCHECK%") and not ((Parent.CommandLine like r"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or Parent.Path like r"C:\\Windows\\System32\\svchost.exe")))
GenericProperty1 = Parent.CommandLine
GenericProperty2 = Parent.Path

[ActivityMonitoringRule]
# Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
RuleId = 37db85d1-b089-490a-a59a-c7b6f984f480
RuleName = Suspicious Findstr 385201 Execution
EventType = Process.Start
Tag = proc-start-suspicious-findstr-385201-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1518.001"]}
Query = (Process.Path like r"%\\findstr.exe" and Process.CommandLine like r"% 385201%")

[ActivityMonitoringRule]
# Detects execution of the aged finger.exe tool, which is often used in malware attacks nowadays
RuleId = af491bca-e752-4b44-9c86-df5680533dbc
RuleName = Finger.exe Suspicious Invocation
EventType = Process.Start
Tag = proc-start-finger.exe-suspicious-invocation
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = Process.Path like r"%\\finger.exe"

[ActivityMonitoringRule]
# Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
# Selection: a format.com image with a "/fs:" switch. Exclusion: the switch names one of the known file systems.
# The exclusion patterns are substrings, so "/fs:FAT" also covers "/fs:FAT32"; anything else after "/fs:" fires.
RuleId = 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
RuleName = Format.com FileSystem LOLBIN
EventType = Process.Start
Tag = proc-start-format.com-filesystem-lolbin
RiskScore = 75
Query = ((Process.Path like r"%\\format.com" and Process.CommandLine like r"%/fs:%") and not (((Process.CommandLine like r"%/fs:FAT%" or Process.CommandLine like r"%/fs:exFAT%" or Process.CommandLine like r"%/fs:NTFS%" or Process.CommandLine like r"%/fs:UDF%" or Process.CommandLine like r"%/fs:ReFS%"))))

[ActivityMonitoringRule]
# Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during an attack (seen with NotPetya and others).
RuleId = add64136-62e5-48ea-807e-88638d02df1e
RuleName = Fsutil Suspicious Invocation
EventType = Process.Start
Tag = proc-start-fsutil-suspicious-invocation
RiskScore = 75
Annotation = {"mitre_attack": ["T1070"]}
Query = ((Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and (Process.CommandLine like r"%deletejournal%" or Process.CommandLine like r"%createjournal%"))

[ActivityMonitoringRule]
# Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
RuleId = 0a4f6091-223b-41f6-8743-f322ec84930b
RuleName = Suspicious GUP Usage
EventType = Process.Start
Tag = proc-start-suspicious-gup-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = (Process.Path like r"%\\GUP.exe" and not ((Process.Path like r"%\\Users\\%\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Users\\%\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files (x86)\\Notepad++\\updater\\GUP.exe")))

[ActivityMonitoringRule]
# Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
RuleId = 44143844-0631-49ab-97a0-96387d6b2d7c
RuleName = Download Files Using Notepad++ GUP Utility
EventType = Process.Start
Tag = proc-start-download-files-using-notepad++-gup-utility
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = (((Process.Path like r"%\\GUP.exe" or Process.Name == "gup.exe") and (Process.CommandLine like r"% -unzipTo %" and Process.CommandLine like r"%http%")) and not (Parent.Path like r"%\\notepad++.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects execution of the Notepad++ updater (gup) to launch other commands or executables
# Selection: explorer.exe started by a gup.exe parent. Exclusion: that explorer.exe was given the Notepad++
# executable path (the updater relaunching the editor). The "Process.Path like ...\explorer.exe" term inside the
# exclusion repeats the selection term and is redundant; harmless, but it can be dropped on the next regeneration.
RuleId = d65aee4d-2292-4cea-b832-83accd6cfa43
RuleName = Execute Arbitrary Binaries Using GUP Utility
EventType = Process.Start
Tag = proc-start-execute-arbitrary-binaries-using-gup-utility
RiskScore = 75
Query = ((Parent.Path like r"%\\gup.exe" and Process.Path like r"%\\explorer.exe") and not (Process.Path like r"%\\explorer.exe" and Process.CommandLine like r"%\\Notepad++\\notepad++.exe%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
# Selection: Process.Path contains no backslash at all. Exclusions: empty or "-" paths and the pseudo-processes
# "Registry" and "MemCompression" (checked on both Process.Path and Process.CommandLine).
# NOTE(review): "Process.Path == ''" is redundant with the "" member of the following "in" list, and it is the
# only single-quoted string literal in this part of the file (all others use double quotes).
RuleId = 71158e3f-df67-472b-930e-7d287acaa3e1
RuleName = Execution Of Non-Existing File
EventType = Process.Start
Tag = proc-start-execution-of-non-existing-file
RiskScore = 75
Query = (not (Process.Path like r"%\\%") and not ((Process.Path == '') or (Process.Path in ["-", ""]) or (Process.Path in ["Registry", "MemCompression"] or Process.CommandLine in ["Registry", "MemCompression"])))

[ActivityMonitoringRule]
# Detects suspicious mshta.exe execution patterns, sometimes involving file polyglotism
RuleId = cc7abbd0-762b-41e3-8a26-57ad50d2eea3
RuleName = MSHTA Suspicious Execution 01
EventType = Process.Start
Tag = proc-start-mshta-suspicious-execution-01
RiskScore = 75
Annotation = {"mitre_attack": ["T1140", "T1218.005", "T1059.007"]}
Query = (Process.Path like r"%\\mshta.exe" and (Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.lnk%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.zip%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.exe%"))

[ActivityMonitoringRule]
# Detects suspicious mshta process patterns
# Three alternatives: (1) mshta.exe with a cmd/powershell/pwsh parent or a user-writable path in the command
# line; (2) mshta.exe whose image path is not under C:\Windows\System32 or SysWOW64; (3) mshta.exe unless the
# command line both contains ".htm"/".hta" AND ends in "mshta.exe"/"mshta".
# NOTE(review): because the inner exclusion of (3) is an "and", it only drops events that satisfy both halves;
# a command line such as "mshta.exe foo.hta" contains ".hta" but does not end in "mshta", so it still passes
# (3). As written, (3) therefore fires on practically every mshta.exe start and makes (1) and (2) redundant.
# If the intent (check the Sigma source) was to exclude either case, that "and" should be an "or".
RuleId = e32f92d1-523e-49c3-9374-bdb13b46a3ba
RuleName = Suspicious MSHTA Process Patterns
EventType = Process.Start
Tag = proc-start-suspicious-mshta-process-patterns
RiskScore = 75
Annotation = {"mitre_attack": ["T1106"]}
Query = (((Process.Path like r"%\\mshta.exe" and ((Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") or (Process.CommandLine like r"%\\AppData\\Local%" or Process.CommandLine like r"%C:\\Windows\\Temp%" or Process.CommandLine like r"%C:\\Users\\Public%"))) or (Process.Path like r"%\\mshta.exe" and not ((Process.Path like r"%C:\\Windows\\System32%" or Process.Path like r"%C:\\Windows\\SysWOW64%")))) or (Process.Path like r"%\\mshta.exe" and not ((Process.CommandLine like r"%.htm%" or Process.CommandLine like r"%.hta%") and (Process.CommandLine like r"%mshta.exe" or Process.CommandLine like r"%mshta"))))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts in an uncommon directory
# The three exclusions are anchored to the C: drive (System32, SysWOW64, WinSxS). On a host whose system
# drive is not C:, the legitimate msiexec.exe image will not be excluded and every start will fire.
RuleId = e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
RuleName = Suspicious MsiExec Directory
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-directory
RiskScore = 75
Annotation = {"mitre_attack": ["T1036.005"]}
Query = (Process.Path like r"%\\msiexec.exe" and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")))

[ActivityMonitoringRule]
# Detects Office binaries (PowerPoint, Word, Excel) started with an http URL in the command line, i.e. a payload download from a remote server
# "http" is an unanchored substring, so any of the three Office processes whose command line carries an http
# or https URL matches — including documents opened by URL rather than by local path; tune for environments
# where that is routine.
RuleId = 0c79148b-118e-472b-bdb7-9b57b444cc19
RuleName = Malicious Payload Download via Office Binaries
EventType = Process.Start
Tag = proc-start-malicious-payload-download-via-office-binaries
RiskScore = 75
Annotation = {"mitre_attack": ["T1105"]}
Query = ((Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe") and Process.CommandLine like r"%http%")

[ActivityMonitoringRule]
# Detects persistence via netsh helper
RuleId = 56321594-9087-49d9-bf10-524fe8479452
RuleName = Suspicious Netsh DLL Persistence
EventType = Process.Start
Tag = proc-start-suspicious-netsh-dll-persistence
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.007"]}
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%helper%")

[ActivityMonitoringRule]
# Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
RuleId = 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8
RuleName = Suspicious New Service Creation
EventType = Process.Start
Tag = proc-start-suspicious-new-service-creation
RiskScore = 75
Annotation = {"mitre_attack": ["T1543.003"]}
Query = (((Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binPath=%") or (Process.CommandLine like r"%New-Service%" and Process.CommandLine like r"%-BinaryPathName%")) and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%cmd.exe /c%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%C:\\Users\\Public%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Process.CommandLine like r"%C:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%"))

[ActivityMonitoringRule]
# Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
RuleId = ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
RuleName = Ngrok Usage
EventType = Process.Start
Tag = proc-start-ngrok-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1572"]}
Query = ((Process.CommandLine like r"% tcp 139%" or Process.CommandLine like r"% tcp 445%" or Process.CommandLine like r"% tcp 3389%" or Process.CommandLine like r"% tcp 5985%" or Process.CommandLine like r"% tcp 5986%") or (Process.CommandLine like r"% start %" and Process.CommandLine like r"%--all%" and Process.CommandLine like r"%--config%" and Process.CommandLine like r"%.yml%") or (Process.Path like r"%ngrok.exe" and (Process.CommandLine like r"% tcp %" or Process.CommandLine like r"% http %" or Process.CommandLine like r"% authtoken %")))

[ActivityMonitoringRule]
# Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. This rule matches on the process name nmap.exe only.
RuleId = f6ecd1cf-19b8-4488-97f6-00f0924991a3
RuleName = Suspicious Nmap Execution
EventType = Process.Start
Tag = proc-start-suspicious-nmap-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1046"]}
Query = Process.Name == "nmap.exe"

[ActivityMonitoringRule]
# Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
RuleId = c09dad97-1c78-4f71-b127-7edb2b8e491a
RuleName = Execution of Suspicious File Type Extension
EventType = Process.Start
Tag = proc-start-execution-of-suspicious-file-type-extension
RiskScore = 75
Query = (not ((Process.Path like r"%.exe" or Process.Path like r"%.tmp")) and not ((Process.Path == '') or (Process.Path in ["Registry", "MemCompression"]) or (Process.Path in ["-", ""]) or (Process.Path like r"C:\\Windows\\Installer\\MSI%") or ((Parent.Path like r"C:\\ProgramData\\Avira\\%" or Parent.Path like r"C:\\Windows\\System32\\DriverStore\\FileRepository\\%")) or (Process.Path like r"%.scr") or (Process.Path like r"%NVIDIA\\NvBackend\\%" and Process.Path like r"%.dat") or ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%") and Process.Path like r"%.com") or (Process.Path like r"%\\WinSCP.com") or (Process.Path like r"%C:\\Users\\%" and Process.Path like r"%\\AppData\\%" and Process.Path like r"%.tmp%" and Process.Path like r"%CodeSetup%") or (Process.Path like r"%\\program\\soffice.bin") or ((Process.Path like r"C:\\Program Files\\EMC NetWorker\\Management\\GST\\apache\\cgi-bin\\update\_jnlp.cgi" or Process.Path like r"C:\\Program Files (x86)\\EMC NetWorker\\Management\\GST\\apache\\cgi-bin\\update\_jnlp.cgi")) or ((Process.Path like r"C:\\Program Files (x86)\\WINPAKPRO\\%" or Process.Path like r"C:\\Program Files\\WINPAKPRO\\%") and Process.Path like r"%.ngn") or ((Process.Path like r"C:\\Program Files (x86)\\MyQ\\Server\\pcltool.dll" or Process.Path like r"C:\\Program Files\\MyQ\\Server\\pcltool.dll")) or ((Process.Path like r"C:\\Program Files\\Microsoft Visual Studio\\%" or Process.Path like r"C:\\Program Files (x86)\\Microsoft Visual Studio%") and Process.Path like r"%.com") or (Process.Path like r"C:\\Config.Msi\\%" and (Process.Path like r"%.rbf" or Process.Path like r"%.rbs")) or (Process.Path like r"%\\AppData\\Local\\Packages\\%" and Process.Path like r"%\\LocalState\\rootfs\\%") or (Process.Path like r"%\\LZMA\_EXE")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects commands that type the content of ntdll.dll into a different file or a pipe in order to evade AV / EDR detection
RuleId = bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
RuleName = Suspicious Ntdll Pipe Redirection
EventType = Process.Start
Tag = proc-start-suspicious-ntdll-pipe-redirection
RiskScore = 75
Query = (Process.CommandLine like r"%type \%windir\%\\system32\\ntdll.dll%" or Process.CommandLine like r"%type \%systemroot\%\\system32\\ntdll.dll%" or Process.CommandLine like r"%type c:\\windows\\system32\\ntdll.dll%" or Process.CommandLine like r"%\\ntdll.dll > \\\\.\\pipe\\\*")

[ActivityMonitoringRule]
# Detects suspicious process patterns used in NTDS.DIT exfiltration
RuleId = 8bc64091-6875-4881-aaf9-7bd25b5dda08
RuleName = Suspicious Process Patterns NTDS.DIT Exfil
EventType = Process.Start
Tag = proc-start-suspicious-process-patterns-ntds.dit-exfil
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.003"]}
Query = ((((Process.Path like r"%\\NTDSDump.exe" or Process.Path like r"%\\NTDSDumpEx.exe") or (Process.CommandLine like r"%ntds.dit%" and Process.CommandLine like r"%system.hiv%") or Process.CommandLine like r"%NTDSgrab.ps1%") or (Process.CommandLine like r"%ac i ntds%" and Process.CommandLine like r"%create full%") or (Process.CommandLine like r"%/c copy %" and Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%") or (Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%ntds.dit%")) or (Process.CommandLine like r"%ntds.dit%" and ((Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%" or Parent.Path like r"%\\AppData\\%" or Parent.Path like r"%\\Temp\\%" or Parent.Path like r"%\\Public\\%" or Parent.Path like r"%\\PerfLogs\\%") or (Process.Path like r"%\\apache%" or Process.Path like r"%\\tomcat%" or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Temp\\%" or Process.Path like r"%\\Public\\%" or Process.Path like r"%\\PerfLogs\\%"))))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a privilege elevation attempt by coercing NTLM authentication on the Print Spooler service
RuleId = bb76d96b-821c-47cf-944b-7ce377864492
RuleName = Suspicious WebDav Client Execution
EventType = Process.Start
Tag = proc-start-suspicious-webdav-client-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1212"]}
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%" and Process.CommandLine like r"%http%" and (Process.CommandLine like r"%spoolss%" or Process.CommandLine like r"%srvsvc%" or Process.CommandLine like r"%/print/pipe/%"))

[ActivityMonitoringRule]
# Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
RuleId = c6c56ada-612b-42d1-9a29-adad3c5c2c1e
RuleName = Suspicious NT Resource Kit Auditpol Usage
EventType = Process.Start
Tag = proc-start-suspicious-nt-resource-kit-auditpol-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.002"]}
Query = (Process.CommandLine like r"%/logon:none%" or Process.CommandLine like r"%/system:none%" or Process.CommandLine like r"%/sam:none%" or Process.CommandLine like r"%/privilege:none%" or Process.CommandLine like r"%/object:none%" or Process.CommandLine like r"%/process:none%" or Process.CommandLine like r"%/policy:none%")

[ActivityMonitoringRule]
# Detects OpenWith.exe executing another binary specified via /c
RuleId = cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
RuleName = OpenWith.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-openwith.exe-executes-specified-binary
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\OpenWith.exe" and Process.CommandLine like r"%/c%")

[ActivityMonitoringRule]
# Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
RuleId = e212d415-0e93-435f-9e1a-f29005bb4723
RuleName = Suspicious Execution from Outlook
EventType = Process.Start
Tag = proc-start-suspicious-execution-from-outlook
RiskScore = 75
Annotation = {"mitre_attack": ["T1059", "T1202"]}
Query = (Process.CommandLine like r"%EnableUnsafeClientMailRules%" or (Parent.Path like r"%\\outlook.exe" and Process.CommandLine like r"%\\\\\*" and Process.CommandLine like r"%\\\*" and Process.CommandLine like r"%.exe%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious program execution in Outlook temp folder
RuleId = a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
RuleName = Execution in Outlook Temp Folder
EventType = Process.Start
Tag = proc-start-execution-in-outlook-temp-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1566.001"]}
Query = Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%"

[ActivityMonitoringRule]
# Detects suspicious parent processes that should not have any children or should only have a single possible child program
RuleId = cbec226f-63d9-4eca-9f52-dfb6652f24df
RuleName = Suspicious Process Parents
EventType = Process.Start
Tag = proc-start-suspicious-process-parents
RiskScore = 75
Query = ((Parent.Path like r"%\\minesweeper.exe" or Parent.Path like r"%\\winver.exe" or Parent.Path like r"%\\bitsadmin.exe") or ((Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\certutil.exe" or Parent.Path like r"%\\schtasks.exe" or Parent.Path like r"%\\eventvwr.exe" or Parent.Path like r"%\\calc.exe" or Parent.Path like r"%\\notepad.exe") and not (((Process.Path like r"%\\WerFault.exe" or Process.Path like r"%\\wermgr.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\mmc.exe" or Process.Path like r"%\\win32calc.exe" or Process.Path like r"%\\notepad.exe")) or (Process.Path == ''))))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a ping command that uses a hex encoded IP address
RuleId = 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
RuleName = Ping Hex IP
EventType = Process.Start
Tag = proc-start-ping-hex-ip
RiskScore = 75
Annotation = {"mitre_attack": ["T1140", "T1027"]}
Query = (Process.Path like r"%\\ping.exe" and Process.CommandLine like r"%0x%")

[ActivityMonitoringRule]
# Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains
RuleId = b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
RuleName = Suspicious PowerShell Encoded Command Patterns
EventType = Process.Start
Tag = proc-start-suspicious-powershell-encoded-command-patterns
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% -en %" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -enco%") and (Process.CommandLine like r"% JAB%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% IAB%" or Process.CommandLine like r"% PAA%" or Process.CommandLine like r"% aQBlAHgA%"))

[ActivityMonitoringRule]
# Detects suspicious ways to download files or content using PowerShell
RuleId = 85b0b087-eddf-4a2b-b033-d771fa2b9775
RuleName = PowerShell Web Download and Execution
EventType = Process.Start
Tag = proc-start-powershell-web-download-and-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.013"]}
Query = ((Process.CommandLine like r"%.DownloadString(%" or Process.CommandLine like r"%.DownloadFile(%") and (Process.CommandLine like r"%IEX(%" or Process.CommandLine like r"%IEX (%" or Process.CommandLine like r"%I`EX%" or Process.CommandLine like r"%IE`X%" or Process.CommandLine like r"%I`E`X%" or Process.CommandLine like r"% | IEX%" or Process.CommandLine like r"%|IEX %" or Process.CommandLine like r"%Invoke-Execution%" or Process.CommandLine like r"%;iex $%"))

[ActivityMonitoringRule]
# Detects suspicious powershell command line parameters used in Empire
RuleId = 79f4ede3-402e-41c8-bc3e-ebbf5f162581
RuleName = Empire PowerShell Launch Parameters
EventType = Process.Start
Tag = proc-start-empire-powershell-launch-parameters
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = (Process.CommandLine like r"% -NoP -sta -NonI -W Hidden -Enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc %" or Process.CommandLine like r"% -NoP -NonI -W Hidden -enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc%" or Process.CommandLine like r"% -enc  SQB%" or Process.CommandLine like r"% -nop -exec bypass -EncodedCommand %")

[ActivityMonitoringRule]
# Detects suspicious encoded character syntax often used for defense evasion
RuleId = e312efd0-35a1-407f-8439-b8d434b438a6
RuleName = PowerShell Encoded Character Syntax
EventType = Process.Start
Tag = proc-start-powershell-encoded-character-syntax
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1027"]}
Query = Process.CommandLine like r"%(WCHAR)0x%"

[ActivityMonitoringRule]
# Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
RuleId = ca2092a1-c273-4878-9b4b-0d60115bf5ea
RuleName = Suspicious Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-suspicious-encoded-powershell-command-line
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((((Process.CommandLine like r"% -e%" and Process.CommandLine like r"% JAB%") or (Process.CommandLine like r"% -e%" and Process.CommandLine like r"% JAB%" and Process.CommandLine like r"% -w%" and Process.CommandLine like r"% hidden %")) or (Process.CommandLine like r"% -e%" and (Process.CommandLine like r"% BA^J%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aQBlAHgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% IAA%" or Process.CommandLine like r"% IAB%" or Process.CommandLine like r"% UwB%" or Process.CommandLine like r"% cwB%")) or Process.CommandLine like r"%.exe -ENCOD %") and not (Process.CommandLine like r"% -ExecutionPolicy%" and Process.CommandLine like r"%remotesigned %"))

[ActivityMonitoringRule]
# Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
RuleId = b2815d0d-7481-4bf0-9b6c-a4c48a94b349
RuleName = PowerShell Get-Process LSASS
EventType = Process.Start
Tag = proc-start-powershell-get-process-lsass
RiskScore = 75
Annotation = {"mitre_attack": ["T1552.004"]}
Query = Process.CommandLine like r"%Get-Process lsass%"

[ActivityMonitoringRule]
# Detects base64 encoded strings used in hidden malicious PowerShell command lines
RuleId = f26c6093-6f14-4b12-800f-0fcb46f5ffd0
RuleName = Malicious Base64 Encoded PowerShell Keywords in Command Lines
EventType = Process.Start
Tag = proc-start-malicious-base64-encoded-powershell-keywords-in-command-lines
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"% hidden %" and (Process.CommandLine like r"%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%" or Process.CommandLine like r"%aXRzYWRtaW4gL3RyYW5zZmVy%" or Process.CommandLine like r"%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%" or Process.CommandLine like r"%JpdHNhZG1pbiAvdHJhbnNmZX%" or Process.CommandLine like r"%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%" or Process.CommandLine like r"%Yml0c2FkbWluIC90cmFuc2Zlc%" or Process.CommandLine like r"%AGMAaAB1AG4AawBfAHMAaQB6AGUA%" or Process.CommandLine like r"%JABjAGgAdQBuAGsAXwBzAGkAegBlA%" or Process.CommandLine like r"%JGNodW5rX3Npem%" or Process.CommandLine like r"%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%" or Process.CommandLine like r"%RjaHVua19zaXpl%" or Process.CommandLine like r"%Y2h1bmtfc2l6Z%" or Process.CommandLine like r"%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%" or Process.CommandLine like r"%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%" or Process.CommandLine like r"%lPLkNvbXByZXNzaW9u%" or Process.CommandLine like r"%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%" or Process.CommandLine like r"%SU8uQ29tcHJlc3Npb2%" or Process.CommandLine like r"%Ty5Db21wcmVzc2lvb%" or Process.CommandLine like r"%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%" or Process.CommandLine like r"%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%" or Process.CommandLine like r"%lPLk1lbW9yeVN0cmVhb%" or Process.CommandLine like r"%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%" or Process.CommandLine like r"%SU8uTWVtb3J5U3RyZWFt%" or Process.CommandLine like r"%Ty5NZW1vcnlTdHJlYW%" or Process.CommandLine like r"%4ARwBlAHQAQwBoAHUAbgBrA%" or Process.CommandLine like r"%5HZXRDaHVua%" or Process.CommandLine like r"%AEcAZQB0AEMAaAB1AG4Aaw%" or Process.CommandLine like r"%LgBHAGUAdABDAGgAdQBuAGsA%" or Process.CommandLine like r"%LkdldENodW5r%" or Process.CommandLine like r"%R2V0Q2h1bm%" or Process.CommandLine like 
r"%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%" or Process.CommandLine like r"%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%" or Process.CommandLine like r"%RIUkVBRF9JTkZPNj%" or Process.CommandLine like r"%SFJFQURfSU5GTzY0%" or Process.CommandLine like r"%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%" or Process.CommandLine like r"%VEhSRUFEX0lORk82N%" or Process.CommandLine like r"%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%" or Process.CommandLine like r"%cmVhdGVSZW1vdGVUaHJlYW%" or Process.CommandLine like r"%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%" or Process.CommandLine like r"%NyZWF0ZVJlbW90ZVRocmVhZ%" or Process.CommandLine like r"%Q3JlYXRlUmVtb3RlVGhyZWFk%" or Process.CommandLine like r"%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%" or Process.CommandLine like r"%0AZQBtAG0AbwB2AGUA%" or Process.CommandLine like r"%1lbW1vdm%" or Process.CommandLine like r"%AGUAbQBtAG8AdgBlA%" or Process.CommandLine like r"%bQBlAG0AbQBvAHYAZQ%" or Process.CommandLine like r"%bWVtbW92Z%" or Process.CommandLine like r"%ZW1tb3Zl%"))

[ActivityMonitoringRule]
# Detects suspicious ways to run Invoke-Expression using the IEX alias. NOTE: each like-literal in the generated Query bundles several ' -'-separated alternatives (e.g. ' | iex;' -' | iex '), which looks like a conversion artifact; a single command line is unlikely to contain the whole literal, so this rule probably does not fire as generated and should be checked against the source Sigma rule.
RuleId = 09576804-7a05-458e-a817-eb718ca91f54
RuleName = Suspicious PowerShell IEX Execution Patterns
EventType = Process.Start
Tag = proc-start-suspicious-powershell-iex-execution-patterns
RiskScore = 75
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%-' | iex;' -' | iex ' -' | iex}' -' | IEX;' -' | IEX ;' -' | IEX -Error' -' | IEX (new' -' | IEX (New' -');IEX '%" and (Process.CommandLine like r"%::FromBase64String%" or Process.CommandLine like r"%.GetString([System.Convert]::%")) or Process.CommandLine like r"%-')|iex;$' -')|IEX;$' -');iex($' -');iex $' -' | IEX | '%")

[ActivityMonitoringRule]
# Detects suspicious PowerShell scripts accessing SAM hives
RuleId = 1af57a4b-460a-4738-9034-db68b880c665
RuleName = PowerShell SAM Copy
EventType = Process.Start
Tag = proc-start-powershell-sam-copy
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.002"]}
Query = (Process.CommandLine like r"%\\HarddiskVolumeShadowCopy%" and Process.CommandLine like r"%ystem32\\config\\sam%" and (Process.CommandLine like r"%Copy-Item%" or Process.CommandLine like r"%cp $\_.%" or Process.CommandLine like r"%cpi $\_.%" or Process.CommandLine like r"%copy $\_.%" or Process.CommandLine like r"%.File]::Copy(%"))

[ActivityMonitoringRule]
# Detects suspicious sub processes spawned by PowerShell
RuleId = e4b6d2a7-d8a4-4f19-acbd-943c16d90647
RuleName = Suspicious PowerShell Sub Processes
EventType = Process.Start
Tag = proc-start-suspicious-powershell-sub-processes
RiskScore = 75
Query = (((Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\powershell\_ise.exe") and (Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe")) and not (Parent.CommandLine like r"%\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\%" and Process.CommandLine like r"%\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\%"))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects PowerShell command line contents that include suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
RuleId = c86133ad-4725-4bd0-8170-210788e0a7ba
RuleName = Net WebClient Casing Anomalies
EventType = Process.Start
Tag = proc-start-net-webclient-casing-anomalies
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%TgBlAFQALgB3AEUAQg%" or Process.CommandLine like r"%4AZQBUAC4AdwBFAEIA%" or Process.CommandLine like r"%OAGUAVAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AGUAYg%" or Process.CommandLine like r"%4ARQB0AC4AdwBlAGIA%" or Process.CommandLine like r"%uAEUAdAAuAHcAZQBiA%" or Process.CommandLine like r"%TgBFAHQALgB3AGUAYg%" or Process.CommandLine like r"%OAEUAdAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBlAFQALgB3AGUAYg%" or Process.CommandLine like r"%4AZQBUAC4AdwBlAGIA%" or Process.CommandLine like r"%uAGUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%TgBlAFQALgB3AGUAYg%" or Process.CommandLine like r"%OAGUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBFAFQALgB3AGUAYg%" or Process.CommandLine like r"%4ARQBUAC4AdwBlAGIA%" or Process.CommandLine like r"%uAEUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBlAHQALgBXAGUAYg%" or Process.CommandLine like r"%4AZQB0AC4AVwBlAGIA%" or Process.CommandLine like r"%uAGUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBFAHQALgBXAGUAYg%" or Process.CommandLine like r"%4ARQB0AC4AVwBlAGIA%" or Process.CommandLine like r"%uAEUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%TgBFAHQALgBXAGUAYg%" or Process.CommandLine like r"%OAEUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBlAFQALgBXAGUAYg%" or Process.CommandLine like r"%4AZQBUAC4AVwBlAGIA%" or Process.CommandLine like r"%uAGUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%TgBlAFQALgBXAGUAYg%" or Process.CommandLine like r"%OAGUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBFAFQALgBXAGUAYg%" or Process.CommandLine like r"%4ARQBUAC4AVwBlAGIA%" or Process.CommandLine like r"%uAEUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBlAHQALgB3AEUAYg%" or Process.CommandLine like r"%4AZQB0AC4AdwBFAGIA%" or Process.CommandLine like r"%uAGUAdAAuAHcARQBiA%" or Process.CommandLine like r"%TgBlAHQALgB3AEUAYg%" or Process.CommandLine like 
r"%OAGUAdAAuAHcARQBiA%" or Process.CommandLine like r"%bgBFAHQALgB3AEUAYg%" or Process.CommandLine like r"%4ARQB0AC4AdwBFAGIA%" or Process.CommandLine like r"%uAEUAdAAuAHcARQBiA%" or Process.CommandLine like r"%TgBFAHQALgB3AEUAYg%" or Process.CommandLine like r"%OAEUAdAAuAHcARQBiA%" or Process.CommandLine like r"%bgBlAFQALgB3AEUAYg%" or Process.CommandLine like r"%4AZQBUAC4AdwBFAGIA%" or Process.CommandLine like r"%uAGUAVAAuAHcARQBiA%" or Process.CommandLine like r"%TgBlAFQALgB3AEUAYg%" or Process.CommandLine like r"%OAGUAVAAuAHcARQBiA%" or Process.CommandLine like r"%bgBFAFQALgB3AEUAYg%" or Process.CommandLine like r"%4ARQBUAC4AdwBFAGIA%" or Process.CommandLine like r"%uAEUAVAAuAHcARQBiA%" or Process.CommandLine like r"%TgBFAFQALgB3AEUAYg%" or Process.CommandLine like r"%OAEUAVAAuAHcARQBiA%" or Process.CommandLine like r"%bgBlAHQALgBXAEUAYg%" or Process.CommandLine like r"%4AZQB0AC4AVwBFAGIA%" or Process.CommandLine like r"%uAGUAdAAuAFcARQBiA%" or Process.CommandLine like r"%TgBlAHQALgBXAEUAYg%" or Process.CommandLine like r"%OAGUAdAAuAFcARQBiA%" or Process.CommandLine like r"%bgBFAHQALgBXAEUAYg%" or Process.CommandLine like r"%4ARQB0AC4AVwBFAGIA%" or Process.CommandLine like r"%uAEUAdAAuAFcARQBiA%" or Process.CommandLine like r"%TgBFAHQALgBXAEUAYg%" or Process.CommandLine like r"%OAEUAdAAuAFcARQBiA%" or Process.CommandLine like r"%bgBlAFQALgBXAEUAYg%" or Process.CommandLine like r"%4AZQBUAC4AVwBFAGIA%" or Process.CommandLine like r"%uAGUAVAAuAFcARQBiA%" or Process.CommandLine like r"%TgBlAFQALgBXAEUAYg%" or Process.CommandLine like r"%OAGUAVAAuAFcARQBiA%" or Process.CommandLine like r"%bgBFAFQALgBXAEUAYg%" or Process.CommandLine like r"%4ARQBUAC4AVwBFAGIA%" or Process.CommandLine like r"%uAEUAVAAuAFcARQBiA%" or Process.CommandLine like r"%TgBFAFQALgBXAEUAYg%" or Process.CommandLine like r"%OAEUAVAAuAFcARQBiA%" or Process.CommandLine like r"%bgBlAHQALgB3AGUAQg%" or Process.CommandLine like r"%4AZQB0AC4AdwBlAEIA%" or Process.CommandLine like r"%uAGUAdAAuAHcAZQBCA%" 
or Process.CommandLine like r"%TgBlAHQALgB3AGUAQg%" or Process.CommandLine like r"%OAGUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AGUAQg%" or Process.CommandLine like r"%4ARQB0AC4AdwBlAEIA%" or Process.CommandLine like r"%uAEUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBFAHQALgB3AGUAQg%" or Process.CommandLine like r"%OAEUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBlAFQALgB3AGUAQg%" or Process.CommandLine like r"%4AZQBUAC4AdwBlAEIA%" or Process.CommandLine like r"%uAGUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBlAFQALgB3AGUAQg%" or Process.CommandLine like r"%OAGUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBFAFQALgB3AGUAQg%" or Process.CommandLine like r"%4ARQBUAC4AdwBlAEIA%" or Process.CommandLine like r"%uAEUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBFAFQALgB3AGUAQg%" or Process.CommandLine like r"%OAEUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBlAHQALgBXAGUAQg%" or Process.CommandLine like r"%4AZQB0AC4AVwBlAEIA%" or Process.CommandLine like r"%uAGUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBlAHQALgBXAGUAQg%" or Process.CommandLine like r"%OAGUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBFAHQALgBXAGUAQg%" or Process.CommandLine like r"%4ARQB0AC4AVwBlAEIA%" or Process.CommandLine like r"%uAEUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBFAHQALgBXAGUAQg%" or Process.CommandLine like r"%OAEUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBlAFQALgBXAGUAQg%" or Process.CommandLine like r"%4AZQBUAC4AVwBlAEIA%" or Process.CommandLine like r"%uAGUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBlAFQALgBXAGUAQg%" or Process.CommandLine like r"%OAGUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBFAFQALgBXAGUAQg%" or Process.CommandLine like r"%4ARQBUAC4AVwBlAEIA%" or Process.CommandLine like r"%uAEUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBFAFQALgBXAGUAQg%" or Process.CommandLine like r"%OAEUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBlAHQALgB3AEUAQg%" or Process.CommandLine 
like r"%4AZQB0AC4AdwBFAEIA%" or Process.CommandLine like r"%uAGUAdAAuAHcARQBCA%" or Process.CommandLine like r"%TgBlAHQALgB3AEUAQg%" or Process.CommandLine like r"%OAGUAdAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AEUAQg%" or Process.CommandLine like r"%4ARQB0AC4AdwBFAEIA%" or Process.CommandLine like r"%uAEUAdAAuAHcARQBCA%" or Process.CommandLine like r"%TgBFAHQALgB3AEUAQg%" or Process.CommandLine like r"%OAEUAdAAuAHcARQBCA%" or Process.CommandLine like r"%bgBlAFQALgB3AEUAQg%" or Process.CommandLine like r"%uAGUAVAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAFQALgB3AEUAQg%" or Process.CommandLine like r"%4ARQBUAC4AdwBFAEIA%" or Process.CommandLine like r"%uAEUAVAAuAHcARQBCA%" or Process.CommandLine like r"%TgBFAFQALgB3AEUAQg%" or Process.CommandLine like r"%OAEUAVAAuAHcARQBCA%" or Process.CommandLine like r"%TgBlAHQALgBXAEUAQg%" or Process.CommandLine like r"%4AZQB0AC4AVwBFAEIA%" or Process.CommandLine like r"%OAGUAdAAuAFcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgBXAEUAQg%" or Process.CommandLine like r"%4ARQB0AC4AVwBFAEIA%" or Process.CommandLine like r"%uAEUAdAAuAFcARQBCA%" or Process.CommandLine like r"%TgBFAHQALgBXAEUAQg%" or Process.CommandLine like r"%OAEUAdAAuAFcARQBCA%" or Process.CommandLine like r"%bgBlAFQALgBXAEUAQg%" or Process.CommandLine like r"%4AZQBUAC4AVwBFAEIA%" or Process.CommandLine like r"%uAGUAVAAuAFcARQBCA%" or Process.CommandLine like r"%TgBlAFQALgBXAEUAQg%" or Process.CommandLine like r"%OAGUAVAAuAFcARQBCA%" or Process.CommandLine like r"%bgBFAFQALgBXAEUAQg%" or Process.CommandLine like r"%4ARQBUAC4AVwBFAEIA%" or Process.CommandLine like r"%uAEUAVAAuAFcARQBCA%"))

[ActivityMonitoringRule]
# Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
RuleId = a20391f8-76fb-437b-abc0-dba2df1952c6
RuleName = NodejsTools PressAnyKey Lolbin
EventType = Process.Start
Tag = proc-start-nodejstools-pressanykey-lolbin
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.CommandLine like r"%Microsoft.NodejsTools.PressAnyKey.exe normal %" or (Process.CommandLine like r"%.exe normal %" and Process.CommandLine like r"%.exe")) and not ((Process.Path like r"%\\Microsoft\\NodeJsTools\\NodeJsTools%")))

[ActivityMonitoringRule]
# Detects suspicious uses of the SysInternals Procdump utility by using the special command line parameters ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
RuleId = 03795938-1387-481b-9f4c-3f6241e604fe
RuleName = Suspicious Use of Procdump
EventType = Process.Start
Tag = proc-start-suspicious-use-of-procdump
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"% -accepteula %")

[ActivityMonitoringRule]
# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
RuleId = 5afee48e-67dd-4e03-a783-f74259dcf998
RuleName = Suspicious Use of Procdump on LSASS
EventType = Process.Start
Tag = proc-start-suspicious-use-of-procdump-on-lsass
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = ((Process.CommandLine like r"% -ma %" and Process.CommandLine like r"% lsass%") or (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"% ls%"))

[ActivityMonitoringRule]
# Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
RuleId = efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
RuleName = Suspicious Program Names
EventType = Process.Start
Tag = proc-start-suspicious-program-names
RiskScore = 75
Query = (Process.Path like r"%\\CVE-202%" or (Process.Path like r"%\\poc.exe" or Process.Path like r"%\\artifact.exe" or Process.Path like r"%\\artifact64.exe" or Process.Path like r"%\\artifact\_protected.exe" or Process.Path like r"%\\artifact32.exe" or Process.Path like r"%\\artifact32big.exe" or Process.Path like r"%obfuscated.exe" or Process.Path like r"%obfusc.exe" or Process.Path like r"%\\meterpreter") or (Process.CommandLine like r"%inject.ps1%" or Process.CommandLine like r"%Invoke-CVE%" or Process.CommandLine like r"%pupy.ps1%" or Process.CommandLine like r"%payload.ps1%" or Process.CommandLine like r"%beacon.ps1%" or Process.CommandLine like r"%PowerView.ps1%" or Process.CommandLine like r"%bypass.ps1%" or Process.CommandLine like r"%obfuscated.ps1%" or Process.CommandLine like r"%obfusc.ps1%" or Process.CommandLine like r"%obfus.ps1%" or Process.CommandLine like r"%obfs.ps1%" or Process.CommandLine like r"%evil.ps1%" or Process.CommandLine like r"%MiniDogz.ps1%" or Process.CommandLine like r"%\_enc.ps1%" or Process.CommandLine like r"%\\shell.ps1%" or Process.CommandLine like r"%\\rshell.ps1%" or Process.CommandLine like r"%revshell.ps1%" or Process.CommandLine like r"%\\av.ps1%" or Process.CommandLine like r"%\\av\_test.ps1%" or Process.CommandLine like r"%adrecon.ps1%" or Process.CommandLine like r"%mimikatz.ps1%" or Process.CommandLine like r"%\\PowerUp\_%" or Process.CommandLine like r"%powerup.ps1%" or Process.CommandLine like r"%\\Temp\\a.ps1%" or Process.CommandLine like r"%\\Temp\\p.ps1%" or Process.CommandLine like r"%\\Temp\\1.ps1%" or Process.CommandLine like r"%Hound.ps1%" or Process.CommandLine like r"%encode.ps1%" or Process.CommandLine like r"%powercat.ps1%"))

[ActivityMonitoringRule]
# Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
RuleId = 8834e2f7-6b4b-4f09-8906-d2276470ee23
RuleName = PsExec/PAExec Escalation to LOCAL SYSTEM
EventType = Process.Start
Tag = proc-start-psexec/paexec-escalation-to-local-system
RiskScore = 75
Annotation = {"mitre_attack": ["T1587.001"]}
Query = (Process.CommandLine like r"% -s cmd.exe" and (Process.CommandLine like r"%PsExec%" or Process.CommandLine like r"%PAExec%" or Process.CommandLine like r"%accepteula%" or Process.CommandLine like r"%cmd /c %"))

[ActivityMonitoringRule]
# Detects suspicious flags used by PsExec and PAExec without the usual program name in the command line
RuleId = 207b0396-3689-42d9-8399-4222658efc99
RuleName = PsExec/PAExec Flags
EventType = Process.Start
Tag = proc-start-psexec/paexec-flags
RiskScore = 75
Annotation = {"mitre_attack": ["T1587.001"]}
Query = (((Process.CommandLine like r"% -s cmd.exe" or Process.CommandLine like r"% -s -i cmd.exe") or (Process.CommandLine like r"%accepteula%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% \\\*")) and not ((Process.CommandLine like r"%paexec%" or Process.CommandLine like r"%PsExec%")))

[ActivityMonitoringRule]
# Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
RuleId = 8f70ac5f-1f6f-4f8e-b454-db19561216c5
RuleName = PowerShell DownloadFile
EventType = Process.Start
Tag = proc-start-powershell-downloadfile
RiskScore = 75
Annotation = {"mitre_attack": ["T1059.001", "T1104", "T1105"]}
# All three substrings must occur in the same command line. Base64-encoded
# (-EncodedCommand) invocations do not contain these plain-text strings and are
# therefore not matched by this rule.
# NOTE(review): whether case variants (e.g. "POWERSHELL") match depends on the case
# sensitivity of the like operator — confirm against the uberAgent documentation.
Query = (Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%.DownloadFile%" and Process.CommandLine like r"%System.Net.WebClient%")

[ActivityMonitoringRule]
# Detects suspicious UTF16- and base64-encoded, often obfuscated PowerShell code in command lines
RuleId = 8d01b53f-456f-48ee-90f6-bc28e67d4e35
RuleName = Suspicious PowerShell Obfuscated PowerShell Code
EventType = Process.Start
Tag = proc-start-suspicious-powershell-obfuscated-powershell-code
RiskScore = 75
# Each pattern is a fragment of the base64 encoding of a UTF-16LE obfuscation idiom,
# e.g. " -bxor 0x", ".Invoke() | " and the format-operator string shuffle
# '{1}{0}" -f' / "{1}{0}' -f" (also the {0}{3} and {2}{0} orderings). Three patterns
# per idiom cover the three possible base64 alignments of the same plaintext, so the
# match does not depend on the byte offset of the idiom inside the encoded command.
Query = (Process.CommandLine like r"%IAAtAGIAeABvAHIAIAAwAHgA%" or Process.CommandLine like r"%AALQBiAHgAbwByACAAMAB4A%" or Process.CommandLine like r"%gAC0AYgB4AG8AcgAgADAAeA%" or Process.CommandLine like r"%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%" or Process.CommandLine like r"%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%" or Process.CommandLine like r"%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%" or Process.CommandLine like r"%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADEAfQB7ADAAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAxAH0AewAwAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADAAfQB7ADMAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAwAH0AewAzAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADIAfQB7ADAAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAyAH0AewAwAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADEAfQB7ADAAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAxAH0AewAwAH0AJwAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADAAfQB7ADMAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAwAH0AewAzAH0AJwAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADIAfQB7ADAAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAyAH0AewAwAH0AJwAgAC0AZgAg%")

[ActivityMonitoringRule]
# Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
RuleId = faa48cae-6b25-4f00-a094-08947fef582f
RuleName = Rar Usage with Password and Compression Level
EventType = Process.Start
Tag = proc-start-rar-usage-with-password-and-compression-level
RiskScore = 75
Annotation = {"mitre_attack": ["T1560.001"]}
# " -hp" sets a header-encrypting archive password; " -m" selects the compression
# level and " a " is the add-to-archive command. The query does not constrain
# Process.Path or Process.Name, so any program invoked with these switches matches,
# not only rar.exe — pin the image name if this proves noisy.
Query = (Process.CommandLine like r"% -hp%" and (Process.CommandLine like r"% -m%" or Process.CommandLine like r"% a %"))

[ActivityMonitoringRule]
# Detects a set of suspicious network related commands often used in recon stages
RuleId = e6313acd-208c-44fc-a0ff-db85d572e90e
RuleName = Network Reconnaissance Activity
EventType = Process.Start
Tag = proc-start-network-reconnaissance-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1087", "T1082"]}
# Looks for an nslookup of the "_ldap._tcp.dc._msdcs." SRV record used to locate
# domain controllers. The "\_" sequences escape the underscore, which in SQL-style
# like patterns is presumably a single-character wildcard ("_ldap" would otherwise
# also match "xldap").
Query = (Process.CommandLine like r"%nslookup%" and Process.CommandLine like r"%\_ldap.\_tcp.dc.\_msdcs.%")

[ActivityMonitoringRule]
# Detects a suspicious output redirection to the local admins share as often found in malicious scripts or hacktool stagers
RuleId = ab9e3b40-0c85-4ba1-aede-455d226fd124
RuleName = Suspicious Redirection to Local Admin Share
EventType = Process.Start
Tag = proc-start-suspicious-redirection-to-local-admin-share
RiskScore = 75
# "\\\\" in the pattern stands for the two leading backslashes of a UNC path, so the
# query matches "> \\127.0.0.1\admin$" or "> \\localhost\admin$" anywhere in the
# command line. Redirections that use the host name or another loopback spelling
# are not covered.
Query = (Process.CommandLine like r"%> \\\\127.0.0.1\\admin$%" or Process.CommandLine like r"%> \\\\localhost\\admin$%")

[ActivityMonitoringRule]
# Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
RuleId = 883835a7-df45-43e4-bf1d-4268768afda4
RuleName = Regedit as Trusted Installer
EventType = Process.Start
Tag = proc-start-regedit-as-trusted-installer
RiskScore = 75
Annotation = {"mitre_attack": ["T1548"]}
# Child image regedit.exe combined with either of the two parent images.
# GenericProperty1 additionally carries Parent.Path with the event, presumably so the
# parent is visible in the alert without a second lookup.
Query = (Process.Path like r"%\\regedit.exe" and (Parent.Path like r"%\\TrustedInstaller.exe" or Parent.Path like r"%\\ProcessHacker.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects various anomalies in relation to regsvr32.exe
RuleId = 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
RuleName = Regsvr32 Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-anomaly
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.010"]}
# Branches (regsvr32.exe in Process.Path unless stated otherwise): an argument under a
# \Temp\ path; parent is powershell/pwsh/powershell_ise/cmd/mshta; "/i:" with an http
# or ftp URL plus scrobj.dll (remote scriptlet execution); wscript.exe spawned by
# regsvr32; EXCEL.EXE invoking regsvr32 via a relative "..\..\..\" path; a payload under
# \AppData\Local or C:\Users\Public; or an argument ending in a non-DLL extension
# (.jpg, .png, .txt, ...).
# The exclusions are product-specific allowlist entries (Microsoft Teams, WebEx
# atucfobj.dll, Box streem.exe); re-validate them when those products change.
Query = (((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%\\Temp\\%") or (Process.Path like r"%\\regsvr32.exe" and (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\powershell\_ise.exe")) or (Process.Path like r"%\\regsvr32.exe" and Parent.Path like r"%\\cmd.exe") or (Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%/i:%" and Process.CommandLine like r"%http%" and Process.CommandLine like r"%scrobj.dll") or (Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%/i:%" and Process.CommandLine like r"%ftp%" and Process.CommandLine like r"%scrobj.dll") or (Process.Path like r"%\\wscript.exe" and Parent.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\EXCEL.EXE" and Process.CommandLine like r"%..\\..\\..\\Windows\\System32\\regsvr32.exe %") or (Parent.Path like r"%\\mshta.exe" and Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\regsvr32.exe" and (Process.CommandLine like r"%\\AppData\\Local%" or Process.CommandLine like r"%C:\\Users\\Public%")) or (Process.Path like r"%\\regsvr32.exe" and (Process.CommandLine like r"%.jpg" or Process.CommandLine like r"%.jpeg" or Process.CommandLine like r"%.png" or Process.CommandLine like r"%.gif" or Process.CommandLine like r"%.bin" or Process.CommandLine like r"%.tmp" or Process.CommandLine like r"%.temp" or Process.CommandLine like r"%.txt"))) and not (((Process.CommandLine like r"%\\AppData\\Local\\Microsoft\\Teams%" or Process.CommandLine like r"%\\AppData\\Local\\WebEx\\WebEx64\\Meetings\\atucfobj.dll%")) or (Parent.Path like r"C:\\Program Files\\Box\\Box\\FS\\streem.exe" and Process.CommandLine like r"%\\Program Files\\Box\\Box\\Temp\\%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
RuleId = b236190c-1c61-41e9-84b3-3fe03f6d76b0
RuleName = Regsvr32 Flags Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-flags-anomaly
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.010"]}
# Alerts on "/i:" (calls DllInstall) without the "/n" (skip DllRegisterServer) switch.
# The exclusion pattern "% /n %" needs a space on both sides, so a command line that
# ENDS with " /n" is not excluded and still alerts — worth knowing when tuning.
Query = ((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"% /i:%") and not (Process.CommandLine like r"% /n %"))

[ActivityMonitoringRule]
# Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and an IP address instead of an FQDN
RuleId = 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
RuleName = Suspicious Regsvr32 HTTP IP Pattern
EventType = Process.Start
Tag = proc-start-suspicious-regsvr32-http-ip-pattern
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.010"]}
# Requires the silent (/s) and unregister (/u) switches together with "/i:http://"
# followed by a digit 1-9, i.e. a URL starting with a numeric IP rather than a host
# name. A leading "0" is not listed (no routable address starts with 0) and https://
# URLs are out of scope per the description.
Query = (Process.CommandLine like r"% /s%" and Process.CommandLine like r"% /u%" and (Process.CommandLine like r"% /i:http://1%" or Process.CommandLine like r"% /i:http://2%" or Process.CommandLine like r"% /i:http://3%" or Process.CommandLine like r"% /i:http://4%" or Process.CommandLine like r"% /i:http://5%" or Process.CommandLine like r"% /i:http://6%" or Process.CommandLine like r"% /i:http://7%" or Process.CommandLine like r"% /i:http://8%" or Process.CommandLine like r"% /i:http://9%"))

[ActivityMonitoringRule]
# Detects regsvr32.exe being used to execute a DLL that masquerades as an image file
RuleId = 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
RuleName = Suspicious Regsvr32 Execution With Image Extension
EventType = Process.Start
Tag = proc-start-suspicious-regsvr32-execution-with-image-extension
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.010"]}
# Only a command line ENDING in ".jpg" is matched; .jpeg/.png/.gif and further non-DLL
# extensions are covered by rule 8e2b24c9-4add-46a0-b4bb-0057b4e6187d.
Query = (Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%.jpg")

[ActivityMonitoringRule]
# Detects a regsvr32.exe execution that doesn't contain a DLL in the command line
RuleId = 50919691-7302-437f-8e10-1fe088afa145
RuleName = Regsvr32 Command Line Without DLL
EventType = Process.Start
Tag = proc-start-regsvr32-command-line-without-dll
RiskScore = 75
Annotation = {"mitre_attack": ["T1574"]}
# Alerts when none of the known registerable extensions (.dll/.ocx/.cpl/.ax/.bav/.ppl)
# appears in the command line. The two trailing "not (Process.CommandLine == '')" and
# "not (Process.CommandLine == "")" clauses are equivalent — both just drop events with
# an empty command line (a converter artifact, harmless).
# The extension checks are plain substring matches (".ax" also matches ".axe"), which
# only widens the exclusion.
Query = (((Process.Path like r"%\\regsvr32.exe" and not ((Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.ocx%" or Process.CommandLine like r"%.cpl%" or Process.CommandLine like r"%.ax%" or Process.CommandLine like r"%.bav%" or Process.CommandLine like r"%.ppl%"))) and not (Process.CommandLine == '')) and not (Process.CommandLine == ""))

[ActivityMonitoringRule]
# Detects "regsvr32.exe" spawning "explorer.exe", which is very uncommon.
RuleId = 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
RuleName = Regsvr32 Spawning Explorer
EventType = Process.Start
Tag = proc-start-regsvr32-spawning-explorer
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.010"]}
# Pure parent/child relationship check with no command-line conditions; the parent
# path is attached to the event via GenericProperty1.
Query = (Parent.Path like r"%\\regsvr32.exe" and Process.Path like r"%\\explorer.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious reg.exe invocation that looks as if it would disable an important security service
RuleId = 5e95028c-5229-4214-afae-d653d573d0ec
RuleName = Reg Disable Security Service
EventType = Process.Start
Tag = proc-start-reg-disable-security-service
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
# Two branches behind the loose "reg" + "add" substring prefilter:
#  1) "/v Start /d 4" (start type 4 = SERVICE_DISABLED) on one of the listed service
#     keys (Defender, Security Center, Windows Update and related);
#  2) "/d 1" on a "Windows Defender" policy key setting one of the listed Disable*
#     values.
# The "\\" sequences match a single backslash in the registry key path.
Query = ((Process.CommandLine like r"%reg%" and Process.CommandLine like r"%add%") and ((Process.CommandLine like r"% /d 4%" and Process.CommandLine like r"% /v Start%" and (Process.CommandLine like r"%\\Sense%" or Process.CommandLine like r"%\\WinDefend%" or Process.CommandLine like r"%\\MsMpSvc%" or Process.CommandLine like r"%\\NisSrv%" or Process.CommandLine like r"%\\WdBoot%" or Process.CommandLine like r"%\\WdNisDrv%" or Process.CommandLine like r"%\\WdNisSvc%" or Process.CommandLine like r"%\\wscsvc%" or Process.CommandLine like r"%\\SecurityHealthService%" or Process.CommandLine like r"%\\wuauserv%" or Process.CommandLine like r"%\\UsoSvc%" or Process.CommandLine like r"%\\WdFilter%" or Process.CommandLine like r"%\\AppIDSvc%")) or (Process.CommandLine like r"% /d 1%" and Process.CommandLine like r"%Windows Defender%" and (Process.CommandLine like r"%DisableIOAVProtection%" or Process.CommandLine like r"%DisableOnAccessProtection%" or Process.CommandLine like r"%DisableRoutinelyTakingAction%" or Process.CommandLine like r"%DisableScanOnRealtimeEnable%" or Process.CommandLine like r"%DisableBlockAtFirstSeen%" or Process.CommandLine like r"%DisableBehaviorMonitoring%" or Process.CommandLine like r"%DisableEnhancedNotifications%" or Process.CommandLine like r"%DisableAntiSpyware%" or Process.CommandLine like r"%DisableAntiSpywareRealtimeProtection%" or Process.CommandLine like r"%DisableConfig%" or Process.CommandLine like r"%DisablePrivacyMode%" or Process.CommandLine like r"%SignatureDisableUpdateOnStartupWithoutEngine%" or Process.CommandLine like r"%DisableArchiveScanning%" or Process.CommandLine like r"%DisableIntrusionPreventionSystem%" or Process.CommandLine like r"%DisableScriptScanning%"))))

[ActivityMonitoringRule]
# Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
RuleId = e79a9e79-eb72-4e78-a628-0e7e8f59e89c
RuleName = Suspicious Call by Ordinal
EventType = Process.Start
Tag = proc-start-suspicious-call-by-ordinal
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
# Invocations of the form "rundll32 foo.dll,#12" address the export by ordinal rather
# than by name. The exclusion keeps "EDGEHTML.dll ... #141" from alerting — presumably
# a known benign invocation allowlisted upstream.
Query = ((Process.Path like r"%\\rundll32.exe" and (Process.CommandLine like r"%,#%" or Process.CommandLine like r"%, #%" or Process.CommandLine like r"%.dll #%" or Process.CommandLine like r"%.ocx #%")) and not (Process.CommandLine like r"%EDGEHTML.dll%" and Process.CommandLine like r"%#141%"))

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
RuleId = 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
RuleName = Suspicious Rundll32 Invoking Inline VBScript
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-invoking-inline-vbscript
RiskScore = 75
Annotation = {"mitre_attack": ["T1055"]}
# All four substrings (rundll32.exe, Execute, RegRead, window.close) must be present
# in the same command line; there is no Process.Path condition.
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%")

[ActivityMonitoringRule]
# Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
RuleId = 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
RuleName = Rundll32 JS RunHTMLApplication Pattern
EventType = Process.Start
Tag = proc-start-rundll32-js-runhtmlapplication-pattern
RiskScore = 75
# Branch 1 requires rundll32 + javascript + the relative "..\..\mshtml,RunHTMLApplication"
# loader; branch 2 matches the ";document.write();GetObject("script" fragment on its own.
# NOTE(review): the \" inside the raw string is presumably a literal double quote —
# confirm that uberAgent does not treat it as an escape sequence.
Query = ((Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%javascript%" and Process.CommandLine like r"%..\\..\\mshtml,RunHTMLApplication%") or Process.CommandLine like r"%;document.write();GetObject(\"script%")

[ActivityMonitoringRule]
# Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
RuleId = a4694263-59a8-4608-a3a0-6f8d3a51664c
RuleName = Suspicious Key Manager Access
EventType = Process.Start
Tag = proc-start-suspicious-key-manager-access
RiskScore = 75
Annotation = {"mitre_attack": ["T1555.004"]}
# "rundll32 keymgr.dll,KRShowKeyMgr" opens the Stored User Names and Passwords UI;
# both the keymgr and KRShowKeyMgr substrings must appear in the command line.
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%keymgr%" and Process.CommandLine like r"%KRShowKeyMgr%")

[ActivityMonitoringRule]
# Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
RuleId = 1775e15e-b61b-4d14-a1a3-80981298085a
RuleName = Suspicious Rundll32 Without Any CommandLine Params
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-without-any-commandline-params
RiskScore = 75
Annotation = {"mitre_attack": ["T1202"]}
# The pattern ends in "\rundll32.exe" with no trailing wildcard, i.e. the command line
# must end with the image path. NOTE(review): an invocation written with a quoted path
# ("...\rundll32.exe") or with trailing whitespace would not match — confirm how
# uberAgent normalises Process.CommandLine.
# Exclusions: parent svchost.exe, and any parent located under \AppData\Local\ or
# \Microsoft\Edge\. The \AppData\Local\ exclusion is broad (it is also a common malware
# staging location); consider narrowing it to the specific parents observed.
Query = ((Process.CommandLine like r"%\\rundll32.exe" and not (Parent.Path like r"%\\svchost.exe")) and not ((Parent.Path like r"%\\AppData\\Local\\%" or Parent.Path like r"%\\Microsoft\\Edge\\%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way
RuleId = caa06de8-fdef-4c91-826a-7f9e163eef4b
RuleName = RunDLL32 Spawning Explorer
EventType = Process.Start
Tag = proc-start-rundll32-spawning-explorer
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
# The exclusion skips parents invoked as "shell32.dll,Control_RunDLL" (Control Panel
# applet launches); "\_" escapes the underscore. Parent.Path and Parent.CommandLine
# are attached to the event for triage.
Query = ((Parent.Path like r"%\\rundll32.exe" and Process.Path like r"%\\explorer.exe") and not (Parent.CommandLine like r"%\\shell32.dll,Control\_RunDLL%"))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
RuleId = 731231b9-0b5d-4219-94dd-abb6959aa7ea
RuleName = Suspicious Rundll32 Activity Invoking Sys File
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-activity-invoking-sys-file
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
# A ".sys" argument followed by "," or a space — driver files are not normal rundll32
# targets. No Process.Path condition; the rundll32.exe substring in the command line decides.
Query = (Process.CommandLine like r"%rundll32.exe%" and (Process.CommandLine like r"%.sys,%" or Process.CommandLine like r"%.sys %"))

[ActivityMonitoringRule]
# Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location
# Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
# Instead they modify the task after creation to include their malicious payload
RuleId = 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
RuleName = Suspicious Modification Of Scheduled Tasks
EventType = Process.Start
Tag = proc-start-suspicious-modification-of-scheduled-tasks
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
# Four conjunctive groups: schtasks.exe image, "/Change" with "/TN", a suspicious
# location (paths or environment variables), and an interpreter/LOLBin in the new
# action. "\%" is a literal percent sign (e.g. %ProgramData%), since "%" is otherwise
# the multi-character wildcard of like; "\\" is a single path backslash.
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /Change %" and Process.CommandLine like r"% /TN %" and (Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\WINDOWS\\Temp\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Perflogs\\%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\%appdata\%%" or Process.CommandLine like r"%\%comspec\%%" or Process.CommandLine like r"%\%localappdata\%%") and (Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%bash.exe%" or Process.CommandLine like r"%bash %" or Process.CommandLine like r"%scrcons%" or Process.CommandLine like r"%wmic %" or Process.CommandLine like r"%wmic.exe%" or Process.CommandLine like r"%forfiles%" or Process.CommandLine like r"%scriptrunner%" or Process.CommandLine like r"%hh.exe%" or Process.CommandLine like r"%hh %"))

[ActivityMonitoringRule]
# Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server, etc.
RuleId = 9ac94dc8-9042-493c-ba45-3b5e7c86b980
RuleName = Disable Important Scheduled Task
EventType = Process.Start
Tag = proc-start-disable-important-scheduled-task
RiskScore = 75
Annotation = {"mitre_attack": ["T1489"]}
# Looks for "/Change ... /TN ... /disable" targeting one of the listed protected tasks
# (System Restore, Windows Defender, BitLocker, Exploit Guard). The switch patterns
# carry no surrounding spaces, unlike the sibling schtasks rules — less strict, but
# harmless.
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Change%" and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%/disable%" and (Process.CommandLine like r"%Microsoft\\Windows\\SystemRestore\\SR%" or Process.CommandLine like r"%Microsoft\\Windows\\Windows Defender\\%" or Process.CommandLine like r"%Microsoft\\Windows\\BitLocker%" or Process.CommandLine like r"%Windows\\ExploitGuard%"))

[ActivityMonitoringRule]
# Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
RuleId = 81325ce1-be01-4250-944f-b4789644556f
RuleName = Suspicious Schtasks From Env Var Folder
EventType = Process.Start
Tag = proc-start-suspicious-schtasks-from-env-var-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
# Branch 1: an explicit "schtasks /create" whose definition points at AppData,
# %Public%, C:\Windows\Temp or C:\Perflogs. Branch 2 does not require schtasks.exe at
# all: it catches the task action itself when the parent is the Task Scheduler service
# host ("svchost.exe -k netsvcs -p -s Schedule") and the child runs from a public/temp
# folder. update_task.xml and unattended.ini are allowlisted upstream ("\_" = literal
# underscore). GenericProperty1 attaches the parent command line to the event.
Query = (((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and (Process.CommandLine like r"%\%AppData\%%" or Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\%Public\%%" or Process.CommandLine like r"%\\Users\\Public%" or Process.CommandLine like r"%C:\\Windows\\Temp%" or Process.CommandLine like r"%C:\\Perflogs%")) or (Parent.CommandLine like r"%\\svchost.exe -k netsvcs -p -s Schedule" and (Process.CommandLine like r"%\%Public\%%" or Process.CommandLine like r"%\\Users\\Public%" or Process.CommandLine like r"%C:\\Windows\\Temp%" or Process.CommandLine like r"%C:\\Perflogs%"))) and not ((Process.CommandLine like r"%update\_task.xml%" or Parent.CommandLine like r"%unattended.ini%")))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects scheduled task creations that have suspicious action command and folder combinations
RuleId = 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
RuleName = Schtasks From Suspicious Folders
EventType = Process.Start
Tag = proc-start-schtasks-from-suspicious-folders
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
# Narrow conjunction: "/create" plus a powershell or cmd /c action plus a ProgramData
# location, given either as a path or as the %ProgramData% variable ("\%" is a literal
# percent sign).
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd.exe /c %") and (Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%\%ProgramData\%%"))

[ActivityMonitoringRule]
# Detects suspicious scheduled task creations with commands that are uncommon
RuleId = f2c64357-b1d2-41b7-849f-34d2682c0fad
RuleName = Suspicious Add Scheduled Command Pattern
EventType = Process.Start
Tag = proc-start-suspicious-add-scheduled-command-pattern
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
# Requires "/Create " and then one of: (a) "/sc minute" or "/ru system" combined with a
# cmd /c action; (b) a typical download/encode/hidden-window token; (c) "/xml C:\Users\"
# together with "\AppData\Local\"; (d) wscript.exe with an \AppData\ path.
# NOTE(review): this rule matches "/Create " with a capital C while sibling rules use
# "/create"; if the like operator is case-sensitive the rules cover different spellings
# of the same switch — confirm.
Query = ((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create %") and (((Process.CommandLine like r"%/sc minute %" or Process.CommandLine like r"%/ru system %") and (Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd /c%")) or (Process.CommandLine like r"% bypass %" or Process.CommandLine like r"%.DownloadString%" or Process.CommandLine like r"%.DownloadFile%" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"% IEX%" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -decode %" or Process.CommandLine like r"%/c start /min %" or Process.CommandLine like r"% curl %") or (Process.CommandLine like r"%/xml C:\\Users\\%" and Process.CommandLine like r"%\\AppData\\Local\\%") or (Process.CommandLine like r"%wscript.exe%" and Process.CommandLine like r"%\\AppData\\%")))

[ActivityMonitoringRule]
# Detects schtasks.exe creating a task whose definition references the user's AppData\Local\Temp folder
RuleId = 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8
RuleName = Suspicious Add Scheduled Task From User AppData Temp
EventType = Process.Start
Tag = proc-start-suspicious-add-scheduled-task-from-user-appdata-temp
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
# The exclusion allowlists one specific task import (/TN "klcp_update" /XML
# ...\klcp_update_task.xml). "\_" escapes the underscore; the \" is presumably a
# literal double quote inside the pattern — confirm against uberAgent's syntax.
Query = ((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create %" and Process.CommandLine like r"%\\AppData\\Local\\Temp%") and not ((Process.CommandLine like r"%/Create /TN \"klcp\_update\" /XML %" and Process.CommandLine like r"%\\klcp\_update\_task.xml%")))

[ActivityMonitoringRule]
# Detects the creation of scheduled tasks that involves a temporary folder and runs only once
RuleId = 39019a4e-317f-4ce3-ae63-309a8c6b53c5
RuleName = Suspicious Scheduled Task Creation Involving Temp Folder
EventType = Process.Start
Tag = proc-start-suspicious-scheduled-task-creation-involving-temp-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
# "/sc once" (run-once schedule) plus a \Temp\ path in the task definition; all four
# conditions must hold.
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and Process.CommandLine like r"% /sc once %" and Process.CommandLine like r"%\\Temp\\%")

[ActivityMonitoringRule]
# Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
RuleId = 75bfe6e6-cd8e-429e-91d3-03921e1d7962
RuleName = ScreenConnect Remote Access
EventType = Process.Start
Tag = proc-start-screenconnect-remote-access
RiskScore = 75
Annotation = {"mitre_attack": ["T1133"]}
# Matches the ScreenConnect client launch parameters: "e=Access" and "y=Guest" select
# an access session (as opposed to meeting/support per the description) and the "&p=",
# "&c=" and "&k=" parameters must also be present. There is no image-name check, so
# the command line alone decides.
Query = (Process.CommandLine like r"%e=Access&%" and Process.CommandLine like r"%y=Guest&%" and Process.CommandLine like r"%&p=%" and Process.CommandLine like r"%&c=%" and Process.CommandLine like r"%&k=%")

[ActivityMonitoringRule]
# Detects suspicious script interpreter executions from temporary folders or folders reachable through environment variables
RuleId = 1228c958-e64e-4e71-92ad-7d429f4138ba
RuleName = Script Interpreter Execution From Suspicious Folder
EventType = Process.Start
Tag = proc-start-script-interpreter-execution-from-suspicious-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1059"]}
# The folder check is on Process.Path, i.e. the interpreter BINARY itself must reside
# in a temp/public folder (a copied or renamed interpreter); the script argument is not
# inspected here — rule a6a39bdb-935c-4f0a-ab77-35f4bbf44d33 covers the command-line
# variant.
# NOTE(review): "pwsh.dll" in the Process.Name list looks like a Sigma OriginalFileName
# value; if Process.Name holds the image file name it can never match, though pwsh.exe
# is already covered through Process.Path.
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\cmd.exe") or (Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"% -ep bypass %" or Process.CommandLine like r"%/e:vbscript %" or Process.CommandLine like r"%/e:javascript %") or Process.Name in ["powershell.exe", "pwsh.dll", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"]) and (Process.Path like r"%\\Windows\\Temp%" or Process.Path like r"%\\Temporary Internet%" or Process.Path like r"%\\AppData\\Local\\Temp%" or Process.Path like r"%\\AppData\\Roaming\\Temp%" or Process.Path like r"%C:\\Users\\Public\\%" or Process.Path like r"%C:\\Perflogs\\%"))

[ActivityMonitoringRule]
# Detects suspicious script executions from a temporary folder
RuleId = a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
RuleName = Suspicious Script Execution From Temp Folder
EventType = Process.Start
Tag = proc-start-suspicious-script-execution-from-temp-folder
RiskScore = 75
Annotation = {"mitre_attack": ["T1059"]}
# Here the temp-folder check is on the command line (the script argument); "\%TEMP\%"
# etc. are literal environment-variable references ("\%" = literal percent sign).
# The exclusion drops any command line containing " >" (output redirection), Out-File,
# ConvertTo-Json, or the "-WindowStyle hidden -Verb runAs" form; the " >" filter is
# broad and worth reviewing if coverage matters more than noise.
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%\\Windows\\Temp%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp%" or Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%\%TMP\%%" or Process.CommandLine like r"%\%LocalAppData\%\\Temp%")) and not ((Process.CommandLine like r"% >%" or Process.CommandLine like r"%Out-File%" or Process.CommandLine like r"%ConvertTo-Json%" or Process.CommandLine like r"%-WindowStyle hidden -Verb runAs%")))

[ActivityMonitoringRule]
# Detects suspicious DACL modifications that can be used to hide services or make them unstoppable
RuleId = 99cf1e02-00fb-4c0d-8375-563f978dfd37
RuleName = Suspicious Service DACL Modification
EventType = Process.Start
Tag = proc-start-suspicious-service-dacl-modification
RiskScore = 75
Annotation = {"mitre_attack": ["T1543.003"]}
# "sc sdset" with an SDDL string that contains a deny ACE ("D;;") for one of the
# well-known trustees IU (interactive users), SU (service logon), BA (built-in
# administrators), SY (local system) or WD (everyone).
Query = (Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%D;;%" and (Process.CommandLine like r"%;;;IU%" or Process.CommandLine like r"%;;;SU%" or Process.CommandLine like r"%;;;BA%" or Process.CommandLine like r"%;;;SY%" or Process.CommandLine like r"%;;;WD%"))

[ActivityMonitoringRule]
# Detects a service binary running in a suspicious directory
RuleId = 883faa95-175a-4e22-8181-e5761aeb373c
RuleName = Suspicious Service Binary Directory
EventType = Process.Start
Tag = proc-start-suspicious-service-binary-directory
RiskScore = 75
Annotation = {"mitre_attack": ["T1202"]}
# Alerts when a process whose parent is services.exe or svchost.exe runs from one of
# the listed unusual directories (public/default profiles, recycle bin, Perflogs,
# the system profile, Fonts, IME, addins). In "\\$Recycle.bin" the "$" is literal.
Query = ((Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\$Recycle.bin%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Contacts\\%" or Process.Path like r"%\\Users\\Searches\\%" or Process.Path like r"%C:\\Perflogs\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%") and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects service path modification via the "sc" binary to a suspicious command or path
RuleId = 138d3531-8793-4f50-a2cd-f291b2863d78
RuleName = Suspicious Service Path Modification
EventType = Process.Start
Tag = proc-start-suspicious-service-path-modification
RiskScore = 75
Annotation = {"mitre_attack": ["T1543.003"]}
# "sc config <service> binPath= ..." pointing at an interpreter or a user-writable
# location. "%cmd%" is a loose substring (it also matches "cmd" inside any path), but
# the sc.exe + config + binPath conjunction keeps the rule narrow.
Query = (Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%binPath%" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%C:\\Users\\Public%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Process.CommandLine like r"%C:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%"))

[ActivityMonitoringRule]
# Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
RuleId = 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
RuleName = Suspicious Serv-U Process Pattern
EventType = Process.Start
Tag = proc-start-suspicious-serv-u-process-pattern
RiskScore = 75
Annotation = {"mitre_attack": ["T1555"]}
# Any of the listed shells, script interpreters or LOLBins spawned directly by
# Serv-U.exe; no command-line conditions. Parent.Path is attached to the event.
Query = (Parent.Path like r"%\\Serv-U.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
RuleId = b2317cfa-4a47-4ead-b3ff-297438c0bc2d
RuleName = Suspicious Execution of SharpView Aka PowerView
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-sharpview-aka-powerview
RiskScore = 75
Annotation = {"mitre_attack": ["T1049", "T1069.002", "T1482", "T1135", "T1033"]}
Query = (Process.Name == "SharpView.exe" or (Process.CommandLine like r"%Get-DomainGPOUserLocalGroupMapping%" or Process.CommandLine like r"%Find-GPOLocation%" or Process.CommandLine like r"%Get-DomainGPOComputerLocalGroupMapping%" or Process.CommandLine like r"%Find-GPOComputerAdmin%" or Process.CommandLine like r"%Get-DomainObjectAcl%" or Process.CommandLine like r"%Get-ObjectAcl%" or Process.CommandLine like r"%Add-DomainObjectAcl%" or Process.CommandLine like r"%Add-ObjectAcl%" or Process.CommandLine like r"%Remove-DomainObjectAcl%" or Process.CommandLine like r"%Get-RegLoggedOn%" or Process.CommandLine like r"%Get-LoggedOnLocal%" or Process.CommandLine like r"%Get-NetRDPSession%" or Process.CommandLine like r"%Test-AdminAccess%" or Process.CommandLine like r"%Invoke-CheckLocalAdminAccess%" or Process.CommandLine like r"%Get-WMIProcess%" or Process.CommandLine like r"%Get-NetProcess%" or Process.CommandLine like r"%Get-WMIRegProxy%" or Process.CommandLine like r"%Get-Proxy%" or Process.CommandLine like r"%Get-WMIRegLastLoggedOn%" or Process.CommandLine like r"%Get-LastLoggedOn%" or Process.CommandLine like r"%Get-WMIRegCachedRDPConnection%" or Process.CommandLine like r"%Get-CachedRDPConnection%" or Process.CommandLine like r"%Get-WMIRegMountedDrive%" or Process.CommandLine like r"%Get-RegistryMountedDrive%" or Process.CommandLine like r"%Find-InterestingDomainAcl%" or Process.CommandLine like r"%Invoke-ACLScanner%" or Process.CommandLine like r"%Get-NetShare%" or Process.CommandLine like r"%Get-NetLoggedon%" or Process.CommandLine like r"%Get-NetLocalGroup%" or Process.CommandLine like r"%Get-NetLocalGroupMember%" or Process.CommandLine like r"%Get-NetSession%" or Process.CommandLine like r"%Get-PathAcl%" or Process.CommandLine like r"%ConvertFrom-UACValue%" or Process.CommandLine like r"%Get-PrincipalContext%" or Process.CommandLine like r"%New-DomainGroup%" or Process.CommandLine like r"%New-DomainUser%" or Process.CommandLine like r"%Add-DomainGroupMember%" 
or Process.CommandLine like r"%Set-DomainUserPassword%" or Process.CommandLine like r"%Invoke-Kerberoast%" or Process.CommandLine like r"%Export-PowerViewCSV%" or Process.CommandLine like r"%Find-LocalAdminAccess%" or Process.CommandLine like r"%Find-DomainLocalGroupMember%" or Process.CommandLine like r"%Find-DomainShare%" or Process.CommandLine like r"%Find-DomainUserEvent%" or Process.CommandLine like r"%Find-DomainProcess%" or Process.CommandLine like r"%Find-DomainUserLocation%" or Process.CommandLine like r"%Find-InterestingFile%" or Process.CommandLine like r"%Find-InterestingDomainShareFile%" or Process.CommandLine like r"%Find-DomainObjectPropertyOutlier%" or Process.CommandLine like r"%TestMethod%" or Process.CommandLine like r"%Get-Domain%" or Process.CommandLine like r"%Get-NetDomain%" or Process.CommandLine like r"%Get-DomainComputer%" or Process.CommandLine like r"%Get-NetComputer%" or Process.CommandLine like r"%Get-DomainController%" or Process.CommandLine like r"%Get-NetDomainController%" or Process.CommandLine like r"%Get-DomainFileServer%" or Process.CommandLine like r"%Get-NetFileServer%" or Process.CommandLine like r"%Convert-ADName%" or Process.CommandLine like r"%Get-DomainObject%" or Process.CommandLine like r"%Get-ADObject%" or Process.CommandLine like r"%Get-DomainUser%" or Process.CommandLine like r"%Get-NetUser%" or Process.CommandLine like r"%Get-DomainGroup%" or Process.CommandLine like r"%Get-NetGroup%" or Process.CommandLine like r"%Get-DomainDFSShare%" or Process.CommandLine like r"%Get-DFSshare%" or Process.CommandLine like r"%Get-DomainDNSRecord%" or Process.CommandLine like r"%Get-DNSRecord%" or Process.CommandLine like r"%Get-DomainDNSZone%" or Process.CommandLine like r"%Get-DNSZone%" or Process.CommandLine like r"%Get-DomainForeignGroupMember%" or Process.CommandLine like r"%Find-ForeignGroup%" or Process.CommandLine like r"%Get-DomainForeignUser%" or Process.CommandLine like r"%Find-ForeignUser%" or Process.CommandLine like 
r"%ConvertFrom-SID%" or Process.CommandLine like r"%Convert-SidToName%" or Process.CommandLine like r"%Get-DomainGroupMember%" or Process.CommandLine like r"%Get-NetGroupMember%" or Process.CommandLine like r"%Get-DomainManagedSecurityGroup%" or Process.CommandLine like r"%Find-ManagedSecurityGroups%" or Process.CommandLine like r"%Get-DomainOU%" or Process.CommandLine like r"%Get-NetOU%" or Process.CommandLine like r"%Get-DomainSID%" or Process.CommandLine like r"%Get-Forest%" or Process.CommandLine like r"%Get-NetForest%" or Process.CommandLine like r"%Get-ForestTrust%" or Process.CommandLine like r"%Get-NetForestTrust%" or Process.CommandLine like r"%Get-DomainTrust%" or Process.CommandLine like r"%Get-NetDomainTrust%" or Process.CommandLine like r"%Get-ForestDomain%" or Process.CommandLine like r"%Get-NetForestDomain%" or Process.CommandLine like r"%Get-DomainSite%" or Process.CommandLine like r"%Get-NetSite%" or Process.CommandLine like r"%Get-DomainSubnet%" or Process.CommandLine like r"%Get-NetSubnet%" or Process.CommandLine like r"%Get-DomainTrustMapping%" or Process.CommandLine like r"%Invoke-MapDomainTrust%" or Process.CommandLine like r"%Get-ForestGlobalCatalog%" or Process.CommandLine like r"%Get-NetForestCatalog%" or Process.CommandLine like r"%Get-DomainUserEvent%" or Process.CommandLine like r"%Get-UserEvent%" or Process.CommandLine like r"%Get-DomainGUIDMap%" or Process.CommandLine like r"%Get-GUIDMap%" or Process.CommandLine like r"%Resolve-IPAddress%" or Process.CommandLine like r"%Get-IPAddress%" or Process.CommandLine like r"%ConvertTo-SID%" or Process.CommandLine like r"%Invoke-UserImpersonation%" or Process.CommandLine like r"%Invoke-RevertToSelf%" or Process.CommandLine like r"%Get-DomainSPNTicket%" or Process.CommandLine like r"%Request-SPNTicket%" or Process.CommandLine like r"%Get-NetComputerSiteName%" or Process.CommandLine like r"%Get-SiteName%" or Process.CommandLine like r"%Get-DomainGPO%" or Process.CommandLine like r"%Get-NetGPO%" or 
Process.CommandLine like r"%Set-DomainObject%" or Process.CommandLine like r"%Set-ADObject%" or Process.CommandLine like r"%Add-RemoteConnection%" or Process.CommandLine like r"%Remove-RemoteConnection%" or Process.CommandLine like r"%Get-IniContent%" or Process.CommandLine like r"%Get-GptTmpl%" or Process.CommandLine like r"%Get-GroupsXML%" or Process.CommandLine like r"%Get-DomainPolicyData%" or Process.CommandLine like r"%Get-DomainPolicy%" or Process.CommandLine like r"%Get-DomainGPOLocalGroup%" or Process.CommandLine like r"%Get-NetGPOGroup%"))

[ActivityMonitoringRule]
# Detects a suspicious shell spawned from a Java host process (e.g. Log4j exploitation)
RuleId = 0d34ed8b-1c12-4ff2-828c-16fc860b766d
RuleName = Suspicious Shells Spawn by Java
EventType = Process.Start
Tag = proc-start-suspicious-shells-spawn-by-java
RiskScore = 75
Query = (Parent.Path like r"%\\java.exe" and (Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\curl.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious shell spawned from the Java keytool utility process (e.g. ADSelfService Plus exploitation)
RuleId = 90fb5e62-ca1f-4e22-b42e-cc521874c938
RuleName = Suspicious Shells Spawn by Java Utility Keytool
EventType = Process.Start
Tag = proc-start-suspicious-shells-spawn-by-java-utility-keytool
RiskScore = 75
Query = (Parent.Path like r"%\\keytool.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious shell spawned from the MSSQL server process; this might be a sign of RCE or SQL injection
RuleId = 869b9ca7-9ea2-4a5a-8325-e80e62f75445
RuleName = Suspicious Shells Spawn by SQL Server
EventType = Process.Start
Tag = proc-start-suspicious-shells-spawn-by-sql-server
RiskScore = 75
Annotation = {"mitre_attack": ["T1505.003", "T1190"]}
Query = ((Parent.Path like r"%\\sqlservr.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\bitsadmin.exe")) and not ((Parent.Path like r"C:\\Program Files\\Microsoft SQL Server\\%" and Parent.Path like r"%DATEV\_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and Process.Path like r"C:\\Windows\\System32\\cmd.exe" and Process.CommandLine like r"\"C:\\Windows\\system32\\cmd.exe\" %")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious processes, including shells, spawned from the WinRM host process
RuleId = 5cc2cda8-f261-4d88-a2de-e9e193c86716
RuleName = Suspicious Processes Spawned by WinRM
EventType = Process.Start
Tag = proc-start-suspicious-processes-spawned-by-winrm
RiskScore = 75
Annotation = {"mitre_attack": ["T1190"]}
Query = (Parent.Path like r"%\\wsmprovhost.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects actions that clear the local ShimCache and remove forensic evidence
RuleId = b0524451-19af-4efa-a46f-562a977f792e
RuleName = ShimCache Flush
EventType = Process.Start
Tag = proc-start-shimcache-flush
RiskScore = 75
Annotation = {"mitre_attack": ["T1112"]}
Query = ((Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%apphelp.dll%" and (Process.CommandLine like r"%ShimFlushCache%" or Process.CommandLine like r"%#250%")) or (Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%kernel32.dll%" and (Process.CommandLine like r"%BaseFlushAppcompatCache%" or Process.CommandLine like r"%#46%")))

[ActivityMonitoringRule]
# Detects suspicious Splwow64.exe process without any command line parameters
RuleId = 1f1a8509-2cbb-44f5-8751-8e1571518ce2
RuleName = Suspicious Splwow64 Without Params
EventType = Process.Start
Tag = proc-start-suspicious-splwow64-without-params
RiskScore = 75
Annotation = {"mitre_attack": ["T1202"]}
Query = (Process.Path like r"%\\splwow64.exe" and Process.CommandLine like r"%splwow64.exe")

[ActivityMonitoringRule]
# Detects a suspicious svchost process start
RuleId = 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
RuleName = Suspicious Svchost Process
EventType = Process.Start
Tag = proc-start-suspicious-svchost-process
RiskScore = 75
Annotation = {"mitre_attack": ["T1036.005"]}
Query = (Process.Path like r"%\\svchost.exe" and not (((Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\MsMpEng.exe" or Parent.Path like r"%\\Mrt.exe" or Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\ngen.exe" or Parent.Path like r"%\\TiWorker.exe")) or (Parent.Path == '') or (Parent.Path == "") or (Parent.Path == "-")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# It is extremely abnormal for svchost.exe to spawn without any CLI arguments; this is normally observed when a malicious process spawns it and injects code into its memory space.
RuleId = 16c37b52-b141-42a5-a3ea-bbe098444397
RuleName = Suspect Svchost Activity
EventType = Process.Start
Tag = proc-start-suspect-svchost-activity
RiskScore = 75
Annotation = {"mitre_attack": ["T1055"]}
Query = ((Process.CommandLine like r"%svchost.exe" and Process.Path like r"%\\svchost.exe") and not ((Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\rpcnetp.exe") or Process.CommandLine == ''))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects shell32.dll executing a DLL in a suspicious directory
RuleId = 32b96012-7892-429e-b26c-ac2bf46066ff
RuleName = Shell32 DLL Execution in Suspicious Directory
EventType = Process.Start
Tag = proc-start-shell32-dll-execution-in-suspicious-directory
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%Control\_RunDLL%" and (Process.CommandLine like r"%\%AppData\%%" or Process.CommandLine like r"%\%LocalAppData\%%" or Process.CommandLine like r"%\%Temp\%%" or Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Temp\\%" or Process.CommandLine like r"%\\Users\\Public\\%"))

[ActivityMonitoringRule]
# Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
RuleId = 9fff585c-c33e-4a86-b3cd-39312079a65f
RuleName = Taskmgr as LOCAL_SYSTEM
EventType = Process.Start
Tag = proc-start-taskmgr-as-local_system
RiskScore = 75
Annotation = {"mitre_attack": ["T1036"]}
Query = ((Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and Process.Path like r"%\\taskmgr.exe")
GenericProperty1 = Process.User

[ActivityMonitoringRule]
# Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
RuleId = 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
RuleName = Process Access via TrolleyExpress Exclusion
EventType = Process.Start
Tag = proc-start-process-access-via-trolleyexpress-exclusion
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.011", "T1003.001"]}
Query = ((Process.CommandLine like r"%\\TrolleyExpress 7%" or Process.CommandLine like r"%\\TrolleyExpress 8%" or Process.CommandLine like r"%\\TrolleyExpress 9%" or Process.CommandLine like r"%\\TrolleyExpress.exe 7%" or Process.CommandLine like r"%\\TrolleyExpress.exe 8%" or Process.CommandLine like r"%\\TrolleyExpress.exe 9%" or Process.CommandLine like r"%\\TrolleyExpress.exe -ma %") or (Process.Path like r"%\\TrolleyExpress.exe" and not ((Process.Name like r"%CtxInstall%") or (Process.Name == ''))))

[ActivityMonitoringRule]
# Detects a tscon.exe start as LOCAL SYSTEM
RuleId = 9847f263-4a81-424f-970c-875dab15b79b
RuleName = Suspicious TSCON Start as SYSTEM
EventType = Process.Start
Tag = proc-start-suspicious-tscon-start-as-system
RiskScore = 75
Annotation = {"mitre_attack": ["T1219"]}
Query = ((Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and Process.Path like r"%\\tscon.exe")
GenericProperty1 = Process.User

[ActivityMonitoringRule]
# Detects a suspicious RDP session redirect using tscon.exe
RuleId = f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
RuleName = Suspicious RDP Redirect Using TSCON
EventType = Process.Start
Tag = proc-start-suspicious-rdp-redirect-using-tscon
RiskScore = 75
Annotation = {"mitre_attack": ["T1563.002", "T1021.001"]}
Query = Process.CommandLine like r"% /dest:rdp-tcp:%"

[ActivityMonitoringRule]
# Detects the execution of CSharp interactive console by PowerShell
RuleId = a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
RuleName = Suspicious Use of CSharp Interactive Console
EventType = Process.Start
Tag = proc-start-suspicious-use-of-csharp-interactive-console
RiskScore = 75
Annotation = {"mitre_attack": ["T1127"]}
Query = (Process.Path like r"%\\csi.exe" and (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\powershell\_ise.exe") and Process.Name == "csi.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious inline VBScript keywords as used by UNC2452
RuleId = 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
RuleName = Suspicious VBScript UN2452 Pattern
EventType = Process.Start
Tag = proc-start-suspicious-vbscript-un2452-pattern
RiskScore = 75
Annotation = {"mitre_attack": ["T1547.001"]}
Query = ((Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%CreateObject%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%" and Process.CommandLine like r"%\\Microsoft\\Windows\\CurrentVersion%") and not (Process.CommandLine like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%"))

[ActivityMonitoringRule]
# Detects commands that temporarily turn off Volume Snapshots
RuleId = dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
RuleName = Disabled Volume Snapshots
EventType = Process.Start
Tag = proc-start-disabled-volume-snapshots
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.CommandLine like r"%reg%" and Process.CommandLine like r"% add %" and Process.CommandLine like r"%\\Services\\VSS\\Diag%" and Process.CommandLine like r"%/d Disabled%")

[ActivityMonitoringRule]
# Detects the execution of whoami with suspicious parents or parameters
RuleId = 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
RuleName = Whoami Execution Anomaly
EventType = Process.Start
Tag = proc-start-whoami-execution-anomaly
RiskScore = 75
Annotation = {"mitre_attack": ["T1033"]}
Query = (((((Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe") and not ((Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\powershell\_ise.exe"))) and not ((Parent.Path like r"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe" or Parent.Path like r""))) and not (Parent.Path == '')) or (Process.CommandLine like r"%whoami -all%" or Process.CommandLine like r"%whoami /all%" or Process.CommandLine like r"%whoami.exe -all%" or Process.CommandLine like r"%whoami.exe /all%" or Process.CommandLine like r"%whoami.exe >%" or Process.CommandLine like r"%whoami >%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
RuleId = e9142d84-fbe0-401d-ac50-3e519fb00c89
RuleName = WhoAmI as Parameter
EventType = Process.Start
Tag = proc-start-whoami-as-parameter
RiskScore = 75
Annotation = {"mitre_attack": ["T1033"]}
Query = Process.CommandLine like r"%.exe whoami%"

[ActivityMonitoringRule]
# Detects WMIC executions in which an event consumer gets created in order to establish persistence
RuleId = ebef4391-1a81-4761-a40a-1db446c0e625
RuleName = Suspicious WMIC ActiveScriptEventConsumer Creation
EventType = Process.Start
Tag = proc-start-suspicious-wmic-activescripteventconsumer-creation
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.003"]}
Query = (Process.CommandLine like r"%ActiveScriptEventConsumer%" and Process.CommandLine like r"% CREATE %")

[ActivityMonitoringRule]
# Detects WMI executing rundll32
RuleId = 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
RuleName = Suspicious WMI Execution Using Rundll32
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution-using-rundll32
RiskScore = 75
Annotation = {"mitre_attack": ["T1047"]}
Query = (Process.CommandLine like r"%process call create%" and Process.CommandLine like r"%rundll32%")

[ActivityMonitoringRule]
# Detects using WorkFolders.exe to execute an arbitrary control.exe
RuleId = 0bbc6369-43e3-453d-9944-cae58821c173
RuleName = Execution via WorkFolders.exe
EventType = Process.Start
Tag = proc-start-execution-via-workfolders.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\control.exe" and Parent.Path like r"%\\WorkFolders.exe") and not (Process.Path like r"C:\\Windows\\System32\\control.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects code execution via the Windows Update client (wuauclt)
RuleId = d7825193-b70a-48a4-b992-8b5b3015cc11
RuleName = Windows Update Client LOLBIN
EventType = Process.Start
Tag = proc-start-windows-update-client-lolbin
RiskScore = 75
Annotation = {"mitre_attack": ["T1105", "T1218"]}
Query = (((Process.CommandLine like r"%/UpdateDeploymentProvider%" and Process.CommandLine like r"%/RunHandlerComServer%" and Process.CommandLine like r"%.dll%") and (Process.Path like r"%\\wuauclt.exe" or Process.Name == "wuauclt.exe")) and not ((Process.CommandLine like r"% /ClassId %" or Process.CommandLine like r"% wuaueng.dll %")))

[ActivityMonitoringRule]
# Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
RuleId = 52d097e2-063e-4c9c-8fbb-855c8948d135
RuleName = Suspicious Windows Update Agent Empty Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-windows-update-agent-empty-cmdline
RiskScore = 75
Query = ((Process.Path like r"%\\Wuauclt.exe" or Process.Name == "Wuauclt.exe") and Process.CommandLine like r"%\\Wuauclt.exe")

[ActivityMonitoringRule]
# Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
RuleId = 0a13e132-651d-11eb-ae93-0242ac130002
RuleName = Suspicious Auditpol Usage
EventType = Process.Start
Tag = proc-start-suspicious-auditpol-usage
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.002"]}
Query = (Process.Path like r"%\\auditpol.exe" and (Process.CommandLine like r"%disable%" or Process.CommandLine like r"%clear%" or Process.CommandLine like r"%remove%" or Process.CommandLine like r"%restore%"))

[ActivityMonitoringRule]
# Detects a possible Sysmon driver unload
RuleId = 4d7cda18-1b12-4e52-b45c-d28653210df8
RuleName = Sysmon Driver Unload
EventType = Process.Start
Tag = proc-start-sysmon-driver-unload
RiskScore = 75
Annotation = {"mitre_attack": ["T1070", "T1562", "T1562.002"]}
Query = (Process.Path like r"%\\fltmc.exe" and Process.CommandLine like r"%unload%" and Process.CommandLine like r"%sys%")

[ActivityMonitoringRule]
# Detects UAC bypass method using Windows event viewer
RuleId = be344333-921d-4c4d-8bb8-e584cf584780
RuleName = UAC Bypass via Event Viewer
EventType = Process.Start
Tag = proc-start-uac-bypass-via-event-viewer
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002"]}
Query = (Parent.Path like r"%\\eventvwr.exe" and not (Process.Path like r"%\\mmc.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a Windows program executable started from a suspicious folder
RuleId = e4a6b256-3e47-40fc-89d2-7a477edd6915
RuleName = System File Execution Location Anomaly
EventType = Process.Start
Tag = proc-start-system-file-execution-location-anomaly
RiskScore = 75
Annotation = {"mitre_attack": ["T1036"]}
Query = ((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\spoolsv.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\winlogon.exe" or Process.Path like r"%\\explorer.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\Taskmgr.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\smartscreen.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\audiodg.exe" or Process.Path like r"%\\wlanext.exe" or Process.Path like r"%\\dashost.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\atbroker.exe" or Process.Path like r"%\\bcdedit.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\certreq.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\consent.exe" or Process.Path like r"%\\defrag.exe" or Process.Path like r"%\\dism.exe" or Process.Path like r"%\\dllhst3g.exe" or Process.Path like r"%\\eventvwr.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\runonce.exe" or Process.Path like r"%\\winver.exe" or Process.Path like r"%\\logonui.exe" or Process.Path like r"%\\userinit.exe" or Process.Path like r"%\\dwm.exe" or Process.Path like r"%\\LsaIso.exe" or Process.Path like r"%\\ntoskrnl.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or 
Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\avast! sandbox%") or Process.Path like r"%\\SystemRoot\\System32\\%" or Process.Path like r"C:\\Windows\\explorer.exe"))

[ActivityMonitoringRule]
# The Tasks folders in System32 and SysWOW64 are globally writable paths. Adversaries can take advantage of this and influence any script host or any .NET application in Tasks into loading and executing a custom assembly in cscript, wscript, regsvr32, mshta or eventvwr
RuleId = cc4e02ba-9c06-48e2-b09e-2500cace9ae0
RuleName = Tasks Folder Evasion
EventType = Process.Start
Tag = proc-start-tasks-folder-evasion
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002"]}
Query = ((Process.CommandLine like r"%echo %" or Process.CommandLine like r"%copy %" or Process.CommandLine like r"%type %" or Process.CommandLine like r"%file createnew%") and (Process.CommandLine like r"% C:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"% C:\\Windows\\SysWow64\\Tasks\\%"))

[ActivityMonitoringRule]
# Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
RuleId = 1012f107-b8f1-4271-af30-5aed2de89b39
RuleName = Terminal Service Process Spawn
EventType = Process.Start
Tag = proc-start-terminal-service-process-spawn
RiskScore = 75
Annotation = {"mitre_attack": ["T1190", "T1210"]}
Query = ((Parent.CommandLine like r"%\\svchost.exe%" and Parent.CommandLine like r"%termsvcs%") and not ((Process.Path like r"%\\rdpclip.exe" or Process.Path like r"%:\\Windows\\System32\\csrss.exe" or Process.Path like r"%:\\Windows\\System32\\wininit.exe")))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects the use of NirCmd tool for command execution as SYSTEM user
RuleId = d9047477-0359-48c9-b8c7-792cedcdc9c4
RuleName = NirCmd Tool Execution As LOCAL SYSTEM
EventType = Process.Start
Tag = proc-start-nircmd-tool-execution-as-local-system
RiskScore = 75
Annotation = {"mitre_attack": ["T1569.002"]}
Query = Process.CommandLine like r"% runassystem %"

[ActivityMonitoringRule]
# Detects the use of NSudo tool for command execution
RuleId = 771d1eb5-9587-4568-95fb-9ec44153a012
RuleName = NSudo Tool Execution
EventType = Process.Start
Tag = proc-start-nsudo-tool-execution
RiskScore = 75
Annotation = {"mitre_attack": ["T1569.002"]}
Query = (((Process.Path like r"%\\NSudo.exe" or Process.Path like r"%\\NSudoLC.exe" or Process.Path like r"%\\NSudoLG.exe") or Process.Name in ["NSudo.exe", "NSudoLC.exe", "NSudoLG.exe"]) and (Process.CommandLine like r"%-U:S %" or Process.CommandLine like r"%-U:T %" or Process.CommandLine like r"%-U:E %" or Process.CommandLine like r"%-P:E %" or Process.CommandLine like r"%-M:S %" or Process.CommandLine like r"%-M:H %" or Process.CommandLine like r"%-U=S %" or Process.CommandLine like r"%-U=T %" or Process.CommandLine like r"%-U=E %" or Process.CommandLine like r"%-P=E %" or Process.CommandLine like r"%-M=S %" or Process.CommandLine like r"%-M=H %"))

[ActivityMonitoringRule]
# Detects the use of RunXCmd tool for command execution
RuleId = 93199800-b52a-4dec-b762-75212c196542
RuleName = RunXCmd Tool Execution As System
EventType = Process.Start
Tag = proc-start-runxcmd-tool-execution-as-system
RiskScore = 75
Annotation = {"mitre_attack": ["T1569.002"]}
Query = (Process.CommandLine like r"% /account=system %" and Process.CommandLine like r"%/exec=%")

[ActivityMonitoringRule]
# Detects the use of Tor or Tor-Browser to connect to onion routing networks
RuleId = 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
RuleName = Tor Client or Tor Browser Use
EventType = Process.Start
Tag = proc-start-tor-client-or-tor-browser-use
RiskScore = 75
Annotation = {"mitre_attack": ["T1090.003"]}
Query = (Process.Path like r"%\\tor.exe" or Process.Path like r"%\\Tor Browser\\Browser\\firefox.exe")

[ActivityMonitoringRule]
# Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
RuleId = e66779cc-383e-4224-a3a4-267eeb585c40
RuleName = Bypass UAC via CMSTP
EventType = Process.Start
Tag = proc-start-bypass-uac-via-cmstp
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002", "T1218.003"]}
Query = ((Process.Path like r"%\\cmstp.exe" or Process.Name == "CMSTP.EXE") and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%/au%" or Process.CommandLine like r"%/ni%"))

[ActivityMonitoringRule]
# Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
RuleId = 7f741dcf-fc22-4759-87b4-9ae8376676a2
RuleName = Bypass UAC via Fodhelper.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-fodhelper.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002"]}
Query = Parent.Path like r"%\\fodhelper.exe"
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
RuleId = d797268e-28a9-49a7-b9a8-2f5039011c5c
RuleName = Bypass UAC via WSReset.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-wsreset.exe
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002"]}
Query = (Parent.Path like r"%\\wsreset.exe" and not (Process.Path like r"%\\conhost.exe" or Process.Name == "CONHOST.EXE"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion
RuleId = 6a5f68d1-c4b5-46b9-94ee-5324892ea939
RuleName = Uninstall Sysinternals Sysmon
EventType = Process.Start
Tag = proc-start-uninstall-sysinternals-sysmon
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.Path like r"%\\Sysmon64.exe" or Process.Path like r"%\\Sysmon.exe") and Process.CommandLine like r"%-u%")

[ActivityMonitoringRule]
# Detects the sc.exe utility adding a new service with a special permission that hides that service.
RuleId = a537cfc3-4297-4789-92b5-345bfd845ad0
RuleName = Abuse of Service Permissions to Hide Services in Tools
EventType = Process.Start
Tag = proc-start-abuse-of-service-permissions-to-hide-services-in-tools
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.011"]}
Query = ((Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and (Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%DCLCWPDTSD%"))

[ActivityMonitoringRule]
# Detects the use of SettingSyncHost.exe to run a hijacked binary
RuleId = b2ddd389-f676-4ac4-845a-e00781a48e5f
RuleName = Using SettingSyncHost.exe as LOLBin
EventType = Process.Start
Tag = proc-start-using-settingsynchost.exe-as-lolbin
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.008"]}
Query = (not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")) and (Parent.CommandLine like r"%cmd.exe /c%" and Parent.CommandLine like r"%RoamDiag.cmd%" and Parent.CommandLine like r"%-outputpath%"))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
RuleId = 5687f942-867b-4578-ade7-1e341c46e99a
RuleName = VMToolsd Suspicious Child Process
EventType = Process.Start
Tag = proc-start-vmtoolsd-suspicious-child-process
RiskScore = 75
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Parent.Path like r"%\\vmtoolsd.exe" and ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") or Process.Name in ["Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "RUNDLL32.EXE", "REGSVR32.EXE", "wscript.exe", "cscript.exe"])) and not ((Process.CommandLine like r"%\\VMware\\VMware Tools\\poweron-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\poweroff-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\resume-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\suspend-vm-default.bat%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects certain command line parameters often used during reconnaissance activity via web shells
# Parent must be a web server image (w3wp, php-cgi, nginx, httpd, caddy, ws_tomcatservice),
# or java/javaw with a tomcat path, or java/javaw where the CHILD command line
# (Process.CommandLine) references catalina.jar / CATALINA_HOME.
# NOTE(review): the sibling rule "Shells Spawned by Web Servers" tests Parent.CommandLine for
# the catalina strings; a child spawned by Tomcat will not normally carry them in its own
# command line, so this branch is likely ineffective here - confirm against the upstream rule.
# The "\_" in the patterns presumably escapes the "_" single-character LIKE wildcard - confirm
# uberAgent's "like" honours backslash escaping.
# Child must match one of: net/net1 with " user "/" use "/" group ", ping -n, "&cd&echo" or
# "cd /d ", wmic /node:, a discovery tool by image path or Process.Name, Test-NetConnection,
# or "dir \". The name list uses "sysinfo.exe" where the path list uses systeminfo.exe, which
# is consistent with Process.Name being the PE original file name - verify.
RuleId = bed2a484-9348-4143-8a8a-b801c979301c
RuleName = Webshell Detection With Command Line Keywords
EventType = Process.Start
Tag = proc-start-webshell-detection-with-command-line-keywords
RiskScore = 75
Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"]}
Query = (((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe") or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%")) or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%catalina.jar%" or Process.CommandLine like r"%CATALINA\_HOME%"))) and ((Process.Name in ["net.exe", "net1.exe"] and (Process.CommandLine like r"% user %" or Process.CommandLine like r"% use %" or Process.CommandLine like r"% group %")) or (Process.Name == "ping.exe" and Process.CommandLine like r"% -n %") or (Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%cd /d %") or (Process.Name == "wmic.exe" and Process.CommandLine like r"% /node:%") or ((Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\quser.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\pathping.exe" or Process.Path like r"%\\tracert.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\tasklist.exe") or Process.Name in ["whoami.exe", "sysinfo.exe", "quser.exe", "ipconfig.exe", "pathping.exe", "tracert.exe", "netstat.exe", "schtasks.exe", "VSSADMIN.EXE", "wevtutil.exe", "tasklist.exe"]) or (Process.CommandLine like r"% Test-NetConnection %" or Process.CommandLine like r"%dir \\%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system
# Parent selection is the same web-server / tomcat set as the "Webshell Detection With
# Command Line Keywords" rule, including the java/javaw branch that tests the CHILD command
# line (Process.CommandLine) for catalina.jar / CATALINA_HOME - see the note on that rule.
# Child must match one of: rundll32 + comsvcs.dll, rar-style " -hp" " a " " -m" switches,
# net user /add, net localgroup administrators /add, a credential/AD tool by image path
# (ntdsutil, ldifde, adfind, procdump, Nanodump, vssadmin, fsutil), or one of the listed
# command-line fragments (-NoP, -W Hidden, decode, reg save, downloadstring/downloadfile,
# FromBase64String, /ticket:, sekurlsa, .dmp full, process call create, whoami /priv).
RuleId = 4ebc877f-4612-45cb-b3a5-8e3834db36c9
RuleName = Webshell Hacking Activity Patterns
EventType = Process.Start
Tag = proc-start-webshell-hacking-activity-patterns
RiskScore = 75
Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"]}
Query = (((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe") or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%")) or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%catalina.jar%" or Process.CommandLine like r"%CATALINA\_HOME%"))) and ((Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%comsvcs.dll%") or (Process.CommandLine like r"% -hp%" and Process.CommandLine like r"% a %" and Process.CommandLine like r"% -m%") or (Process.CommandLine like r"%net%" and Process.CommandLine like r"% user %" and Process.CommandLine like r"% /add%") or (Process.CommandLine like r"%net%" and Process.CommandLine like r"% localgroup %" and Process.CommandLine like r"% administrators %" and Process.CommandLine like r"%/add%") or (Process.Path like r"%\\ntdsutil.exe" or Process.Path like r"%\\ldifde.exe" or Process.Path like r"%\\adfind.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\Nanodump.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\fsutil.exe") or (Process.CommandLine like r"% -NoP %" or Process.CommandLine like r"% -W Hidden %" or Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% /decode %" or Process.CommandLine like r"%reg save %" or Process.CommandLine like r"%.downloadstring(%" or Process.CommandLine like r"%.downloadfile(%" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"% /ticket:%" or Process.CommandLine like r"% sekurlsa%" or Process.CommandLine like r"%.dmp full%" or Process.CommandLine like r"%process call create%" or Process.CommandLine like r"%whoami /priv%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
# Parent selection is the same web-server / tomcat set as the "Webshell Detection With
# Command Line Keywords" rule, including the java/javaw branch that tests the CHILD command
# line (Process.CommandLine) for catalina.jar / CATALINA_HOME - see the note on that rule.
# Child command line must contain one of: perl --help, perl -h, python --help, python -h,
# python3 --help, python3 -h, wget --help.
# NOTE(review): the Tag value contains a literal "&" carried over from the rule name - confirm
# that tag names accept this character.
RuleId = f64e5c19-879c-4bae-b471-6d84c8339677
RuleName = Webshell Recon Detection Via CommandLine & Processes
EventType = Process.Start
Tag = proc-start-webshell-recon-detection-via-commandline-&-processes
RiskScore = 75
Annotation = {"mitre_attack": ["T1505.003"]}
Query = (((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe") or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%")) or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%catalina.jar%" or Process.CommandLine like r"%CATALINA\_HOME%"))) and (Process.CommandLine like r"%perl --help%" or Process.CommandLine like r"%python --help%" or Process.CommandLine like r"%python -h%" or Process.CommandLine like r"%python3 --help%" or Process.CommandLine like r"%python3 -h%" or Process.CommandLine like r"%wget --help%" or Process.CommandLine like r"%perl -h%"))
GenericProperty1 = Parent.Path

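[ActivityMonitoringRule]
# Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack
# Parent: a web server image (w3wp, php-cgi, nginx, httpd, caddy, ws_TomcatService, tomcat,
# UMWorkerProcess), or java/javaw with a tomcat path, or java/javaw whose PARENT command line
# references catalina.jar / CATALINA_HOME / catalina.home.
# Child: one of the listed shells and discovery/admin tools, matched by image path only.
# NOTE(review): "\\ntdutil.exe" in the child list does not match ntdsutil.exe (the "Webshell
# Hacking Activity Patterns" rule uses "\\ntdsutil.exe") - verify against the upstream rule.
# The single exclusion is the ManageEngine ADManager Plus elasticsearch.bat command line; the
# escaped quote in that pattern sits mid-path ("ADManager \"Plus\\ES"), so confirm it matches
# the command line as actually logged before relying on the exclusion.
# NOTE: the Query value must stay on ONE physical line; a line break inside it truncates the
# pattern list at the break.
RuleId = 8202070f-edeb-4d31-a010-a26c72ac5600
RuleName = Shells Spawned by Web Servers
EventType = Process.Start
Tag = proc-start-shells-spawned-by-web-servers
RiskScore = 75
Annotation = {"mitre_attack": ["T1505.003", "T1190"]}
Query = ((((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\ws\_TomcatService.exe" or Parent.Path like r"%\\tomcat.exe" or Parent.Path like r"%\\UMWorkerProcess.exe") or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%")) or ((Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.CommandLine like r"%catalina.jar%" or Parent.CommandLine like r"%CATALINA\_HOME%" or Parent.CommandLine like r"%catalina.home%"))) and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\arp.exe" or Process.Path like r"%\\at.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\dsget.exe" or Process.Path like r"%\\dsquery.exe" or Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Path like r"%\\fsutil.exe" or Process.Path like r"%\\hostname.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\nbtstat.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netdom.exe" or Process.Path like r"%\\netsh.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nltest.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\ntdutil.exe" or Process.Path like r"%\\pathping.exe" or Process.Path like r"%\\ping.exe" or Process.Path like r"%\\qprocess.exe" or Process.Path like r"%\\query.exe" or Process.Path like r"%\\qwinsta.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\sc.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\tasklist.exe" or Process.Path like r"%\\tracert.exe" or Process.Path like r"%\\ver.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wusa.exe")) and not ((Process.CommandLine like r"%Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt")))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine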

[ActivityMonitoringRule]
# Detects a whoami.exe executed by privileged accounts that are often misused by threat actors
# "Privileged" here means Process.User contains "TrustedInstaller". whoami is matched by
# Process.Name or by image path. Process.User is attached to the event as GenericProperty1.
RuleId = 79ce34ca-af29-4d0e-b832-fc1b377020db
RuleName = Run Whoami as Privileged User
EventType = Process.Start
Tag = proc-start-run-whoami-as-privileged-user
RiskScore = 75
Annotation = {"mitre_attack": ["T1033"]}
Query = (Process.User like r"%TrustedInstaller%" and (Process.Name == "whoami.exe" or Process.Path like r"%\\whoami.exe"))
GenericProperty1 = Process.User

[ActivityMonitoringRule]
# Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
# Process.User is tested for the substrings "AUTHORI" / "AUTORI" (presumably to cover
# localized spellings of "NT AUTHORITY"). This is broader than SYSTEM alone: other accounts
# under that authority (e.g. LOCAL SERVICE, NETWORK SERVICE) also match - tune if noisy.
# whoami is matched by Process.Name or by image path.
RuleId = 80167ada-7a12-41ed-b8e9-aa47195c66a1
RuleName = Run Whoami as SYSTEM
EventType = Process.Start
Tag = proc-start-run-whoami-as-system
RiskScore = 75
Annotation = {"mitre_attack": ["T1033"]}
Query = ((Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and (Process.Name == "whoami.exe" or Process.Path like r"%\\whoami.exe"))
GenericProperty1 = Process.User

[ActivityMonitoringRule]
# Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
# whoami is matched by image path or Process.Name; the command line must contain "/priv".
# No GenericProperty is attached for this rule.
RuleId = 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
RuleName = Run Whoami Showing Privileges
EventType = Process.Start
Tag = proc-start-run-whoami-showing-privileges
RiskScore = 75
Annotation = {"mitre_attack": ["T1033"]}
Query = ((Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe") and Process.CommandLine like r"%/priv%")

[ActivityMonitoringRule]
# Detects Task Scheduler .job import arbitrary DACL write
# Matches schtasks.exe invoked with all four of /change, /TN, /RU and /RP on the command line.
# NOTE(review): unlike the neighbouring rules, image path AND Process.Name are both required
# here (they are combined with "and", not "or"), so the rule is stricter than its siblings.
RuleId = 931b6802-d6a6-4267-9ffa-526f57f22aaf
RuleName = Windows 10 Scheduled Task SandboxEscaper 0-day
EventType = Process.Start
Tag = proc-start-windows-10-scheduled-task-sandboxescaper-0-day
RiskScore = 75
Annotation = {"mitre_attack": ["T1053.005"]}
Query = (Process.Path like r"%\\schtasks.exe" and Process.Name == "schtasks.exe" and Process.CommandLine like r"%/change%" and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%/RU%" and Process.CommandLine like r"%/RP%")

[ActivityMonitoringRule]
# Detects WMI script event consumers
# Matches the fixed absolute path of scrcons.exe being started by the fixed absolute path of
# svchost.exe. Both patterns hard-code drive C: and use mixed casing (WINDOWS/system32 vs
# Windows/System32) - confirm uberAgent's "like" is case-insensitive on paths, otherwise the
# casing must match what the OS reports.
RuleId = ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
RuleName = WMI Persistence - Script Event Consumer
EventType = Process.Start
Tag = proc-start-wmi-persistence-script-event-consumer
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.003"]}
Query = (Process.Path like r"C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and Parent.Path like r"C:\\Windows\\System32\\svchost.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects WMI spawning a PowerShell process
# Parent must be wmiprvse.exe; child is powershell.exe/pwsh.exe by image path or by the
# Process.Name list (note "pwsh.dll" - see the VMToolsd rule for the Process.Name caveat).
# NOTE(review): the two trailing exclusions compare Process.CommandLine against the literal
# string "null" and against the empty string ''. The "null" comparison looks like a
# conversion artefact of a Sigma "CommandLine: null" (field absent) filter - confirm whether
# uberAgent represents a missing command line as the string "null" or as ''.
RuleId = 692f0bec-83ba-4d04-af7e-e884a96059b6
RuleName = WMI Spawning Windows PowerShell
EventType = Process.Start
Tag = proc-start-wmi-spawning-windows-powershell
RiskScore = 75
Annotation = {"mitre_attack": ["T1047", "T1059.001"]}
Query = (((Parent.Path like r"%\\wmiprvse.exe" and ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") or Process.Name in ["PowerShell.EXE", "pwsh.dll"])) and not (Process.CommandLine == "null")) and not (Process.CommandLine == ''))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
# Any image whose path ends in \Microsoft.Workflow.Compiler.exe fires on its own; the
# Process.Name branch additionally requires ".xml" on the command line.
RuleId = 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
RuleName = Microsoft Workflow Compiler
EventType = Process.Start
Tag = proc-start-microsoft-workflow-compiler
RiskScore = 75
Annotation = {"mitre_attack": ["T1127", "T1218"]}
Query = (Process.Path like r"%\\Microsoft.Workflow.Compiler.exe" or (Process.Name == "Microsoft.Workflow.Compiler.exe" and Process.CommandLine like r"%.xml%"))

[ActivityMonitoringRule]
# Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
# Matches the fixed absolute path C:\Windows\System32\wpbbin.exe; no wildcard, so the drive
# letter and directory must match exactly.
RuleId = 4abc0ec4-db5a-412f-9632-26659cddf145
RuleName = UEFI Persistence Via Wpbbin - ProcessCreation
EventType = Process.Start
Tag = proc-start-uefi-persistence-via-wpbbin-processcreation
RiskScore = 75
Annotation = {"mitre_attack": ["T1542.001"]}
Query = Process.Path like r"C:\\Windows\\System32\\wpbbin.exe"

[ActivityMonitoringRule]
# Detects suspicious use of XORDump process memory dumping utility
# Fires on an image path ending in \xordump.exe, OR on any process whose command line
# contains one of the tool's switches (" -process lsass.exe ", " -m comsvcs ", " -m dbghelp ",
# " -m dbgcore "); the second branch is image-independent, so a renamed binary still matches.
RuleId = 66e563f9-1cbd-4a22-a957-d8b7c0f44372
RuleName = XORDump Use
EventType = Process.Start
Tag = proc-start-xordump-use
RiskScore = 75
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = (Process.Path like r"%\\xordump.exe" or (Process.CommandLine like r"% -process lsass.exe %" or Process.CommandLine like r"% -m comsvcs %" or Process.CommandLine like r"% -m dbghelp %" or Process.CommandLine like r"% -m dbgcore %"))

[ActivityMonitoringRule]
# Sysmon registry detection of a local hidden user account.
# Registry target under HKLM\SAM\SAM\Domains\Account\Users\Names\ whose name ends in "$",
# written by an lsass.exe image. The Hive line restricts monitoring to HKLM and HKU.
RuleId = 460479f3-80b7-42da-9c43-2cc1d54dbccd
RuleName = Creation of a Local Hidden User Account by Registry
EventType = Reg.Any
Tag = creation-of-a-local-hidden-user-account-by-registry
RiskScore = 75
Annotation = {"mitre_attack": ["T1136.001"]}
Query = (Reg.Key.Target like r"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\%" and Reg.Key.Target like r"%$" and Process.Path like r"%\\lsass.exe")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry key.
# Matches any registry event whose target ends in the Shell\open\command key beneath the
# AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2 package key, in HKLM or HKU.
RuleId = 6ea3bf32-9680-422d-9f50-e90716b12a66
RuleName = UAC Bypass Via Wsreset
EventType = Reg.Any
Tag = uac-bypass-via-wsreset
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002"]}
Query = Reg.Key.Target like r"%\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
# Matches any registry target containing "\cmmgr32.exe" anywhere in its path (leading and
# trailing wildcards), in HKLM or HKU.
RuleId = b6d235fc-1d38-4b12-adbe-325f06728f37
RuleName = CMSTP Execution Registry Event
EventType = Reg.Any
Tag = cmstp-execution-registry-event
RiskScore = 75
Annotation = {"mitre_attack": ["T1218.003"]}
Query = Reg.Key.Target like r"%\\cmmgr32.exe%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
# The query keys only on a target ending in "\IsCredGuardEnabled"; the WDigest parent path
# named above is not part of the pattern, so the same value name under any other key also fires.
RuleId = 1a2d6c47-75b0-45bd-b133-2c0be75349fd
RuleName = Wdigest CredGuard Registry Modification
EventType = Reg.Any
Tag = wdigest-credguard-registry-modification
RiskScore = 75
Annotation = {"mitre_attack": ["T1112"]}
Query = Reg.Key.Target like r"%\\IsCredGuardEnabled"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
# Matches any registry target ending in \services\DNS\Parameters\ServerLevelPluginDll
# (hive prefix and control set are covered by the leading wildcard).
RuleId = e61e8a88-59a9-451c-874e-70fcc9740d67
RuleName = DNS ServerLevelPluginDll Install
EventType = Reg.Any
Tag = dns-serverlevelplugindll-install
RiskScore = 75
Annotation = {"mitre_attack": ["T1574.002", "T1112"]}
Query = Reg.Key.Target like r"%\\services\\DNS\\Parameters\\ServerLevelPluginDll"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
# Fires when an esentutl.exe image touches any target under System\CurrentControlSet\Services\VSS,
# except targets under the ...\Services\VSS\Start subtree, which are excluded.
RuleId = 5aad0995-46ab-41bd-a9ff-724f41114971
RuleName = Esentutl Volume Shadow Copy Service Keys
EventType = Reg.Any
Tag = esentutl-volume-shadow-copy-service-keys
RiskScore = 75
Annotation = {"mitre_attack": ["T1003.002"]}
Query = ((Reg.Key.Target like r"%System\\CurrentControlSet\\Services\\VSS%" and Process.Path like r"%esentutl.exe") and not (Reg.Key.Target like r"%System\\CurrentControlSet\\Services\\VSS\\Start%"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects NetNTLM downgrade attack
# Target must lie under SYSTEM\...ControlSet...\Control\Lsa and end in one of the three
# value names lmcompatibilitylevel, NtlmMinClientSec or RestrictSendingNTLMTraffic.
# The "ControlSet" fragment is matched separately so that both CurrentControlSet and
# ControlSet00N paths are covered.
RuleId = d67572a0-e2ec-45d6-b8db-c100d14b8ef2
RuleName = NetNTLM Downgrade Attack
EventType = Reg.Any
Tag = netntlm-downgrade-attack
RiskScore = 75
Annotation = {"mitre_attack": ["T1562.001", "T1112"]}
Query = (Reg.Key.Target like r"%SYSTEM\\%" and Reg.Key.Target like r"%ControlSet%" and Reg.Key.Target like r"%\\Control\\Lsa%" and (Reg.Key.Target like r"%\\lmcompatibilitylevel" or Reg.Key.Target like r"%\\NtlmMinClientSec" or Reg.Key.Target like r"%\\RestrictSendingNTLMTraffic"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects actions caused by the RedMimicry Winnti playbook
# Matches any registry target containing HKLM\SOFTWARE\Microsoft\HTMLHelp\data. Note the
# pattern includes the "HKLM" hive prefix (with a leading wildcard) while the Hive line also
# lists HKU; only the HKLM path can match this pattern.
RuleId = 5b175490-b652-4b02-b1de-5b5b4083c5f8
RuleName = RedMimicry Winnti Playbook Registry Manipulation
EventType = Reg.Any
Tag = redmimicry-winnti-playbook-registry-manipulation
RiskScore = 75
Annotation = {"mitre_attack": ["T1112"]}
Query = Reg.Key.Target like r"%HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects potential malicious modification of run keys by winekey or team9 backdoor
# Matches a Run key value named exactly "Backup Mgr" under
# Software\Microsoft\Windows\CurrentVersion\Run in HKLM or HKU (the value name contains a
# space; it is part of the pattern, not padding).
RuleId = b98968aa-dbc0-4a9c-ac35-108363cbf8d5
RuleName = WINEKEY Registry Modification
EventType = Reg.Any
Tag = winekey-registry-modification
RiskScore = 75
Annotation = {"mitre_attack": ["T1547"]}
Query = Reg.Key.Target like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects creation/modification of Assistive Technology applications and persistence with usage of ATs
# Matches any target under Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
# or ...\Accessibility\Configuration, in HKLM or HKU.
RuleId = 9577edbb-851f-4243-8c91-1d5b50c1a39b
RuleName = Atbroker Registry Change
EventType = Reg.Any
Tag = atbroker-registry-change
RiskScore = 75
Annotation = {"mitre_attack": ["T1218", "T1547"]}
Query = (Reg.Key.Target like r"%Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs%" or Reg.Key.Target like r"%Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration%")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
# Fires when the writing process image lives under a \Downloads\, \Temporary Internet
# Files\Content.Outlook\ or \Local Settings\Temporary Internet Files\ directory and the
# target is under \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (HKLM or HKU).
RuleId = 9c5037d1-c568-49b3-88c7-9846a5bdc2be
RuleName = Suspicious Run Key from Download
EventType = Reg.Any
Tag = suspicious-run-key-from-download
RiskScore = 75
Annotation = {"mitre_attack": ["T1547.001"]}
Query = ((Process.Path like r"%\\Downloads\\%" or Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.Path like r"%\\Local Settings\\Temporary Internet Files\\%") and Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\%")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects Processes accessing the camera and microphone from suspicious folder
# Target must be under ...\CapabilityAccessManager\ConsentStore\, contain \NonPackaged,
# name the microphone or webcam capability, and reference one of the listed temp/public/
# recycle-bin locations.
# NOTE: the "#" characters inside the patterns are literal - the ConsentStore key names use
# "#" in place of path separators. They are not comment markers; confirm the uberAgent
# parser does not strip a mid-line "#", otherwise the last group of patterns is truncated.
RuleId = 62120148-6b7a-42be-8b91-271c04e281a3
RuleName = Suspicious Camera and Microphone Access
EventType = Reg.Any
Tag = suspicious-camera-and-microphone-access
RiskScore = 75
Annotation = {"mitre_attack": ["T1125", "T1123"]}
Query = (Reg.Key.Target like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\%" and Reg.Key.Target like r"%\\NonPackaged%" and (Reg.Key.Target like r"%microphone%" or Reg.Key.Target like r"%webcam%") and (Reg.Key.Target like r"%:#Windows#Temp#%" or Reg.Key.Target like r"%:#$Recycle.bin#%" or Reg.Key.Target like r"%:#Temp#%" or Reg.Key.Target like r"%:#Users#Public#%" or Reg.Key.Target like r"%:#Users#Default#%" or Reg.Key.Target like r"%:#Users#Desktop#%"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects persistence using GlobalFlags in image file execution options
# Target must be under \SOFTWARE\Microsoft\Windows NT\CurrentVersion and match one of:
# Image File Execution Options\...\GlobalFlag, SilentProcessExit\...\ReportingMode, or
# SilentProcessExit\...\MonitorProcess.
RuleId = 36803969-5421-41ec-b92f-8500f79c23b0
RuleName = GlobalFlags Registry Persistence Mechanisms
EventType = Reg.Any
Tag = globalflags-registry-persistence-mechanisms
RiskScore = 75
Annotation = {"mitre_attack": ["T1546.012"]}
Query = (Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion%" and ((Reg.Key.Target like r"%\\Image File Execution Options\\%" and Reg.Key.Target like r"%\\GlobalFlag%") or (Reg.Key.Target like r"%SilentProcessExit\\%" and Reg.Key.Target like r"%\\ReportingMode%") or (Reg.Key.Target like r"%SilentProcessExit\\%" and Reg.Key.Target like r"%\\MonitorProcess%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects UAC bypass method using Windows event viewer
# Matches a target that starts with "HKCU\" and ends in \mscfile\shell\open\command.
# NOTE(review): the pattern requires an "HKCU" prefix while the Hive line lists HKLM,HKU -
# confirm that uberAgent reports per-user keys with an HKCU prefix under the HKU hive,
# otherwise this rule cannot match.
RuleId = 7c81fec3-1c1d-43b0-996a-46753041b1b6
RuleName = UAC Bypass via Event Viewer
EventType = Reg.Any
Tag = uac-bypass-via-event-viewer
RiskScore = 75
Annotation = {"mitre_attack": ["T1548.002"]}
Query = (Reg.Key.Target like r"HKCU\\%" and Reg.Key.Target like r"%\\mscfile\\shell\\open\\command")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

