
uberAgent-ESA-am-sigma-medium.conf

The following is the uberAgent-ESA-am-sigma-medium.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. From a command line, change the working directory to the freshly cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: medium
#

[ActivityMonitoringRule]
# Detects suspicious DNS queries using base64 encoding
# Logic: the queried name contains "==." -- base64 padding immediately followed by a label separator.
# Queries whose encoded labels carry no "==" padding (or only a single "=") do not match this pattern.
# RiskScore 50 is used by every rule in this file; the file header marks them all as Sigma level "medium".
RuleId = 4153a907-2451-4e4f-a578-c52bb6881432
RuleName = Suspicious DNS Query with B64 Encoded String
EventType = Dns.Query
Tag = suspicious-dns-query-with-b64-encoded-string
RiskScore = 50
Annotation = {"mitre_attack": ["T1048.003", "T1071.004"]}
Query = Dns.QueryRequest like r"%==.%"
# presumably surfaces the queried name alongside the alert -- confirm against the uberAgent ESA docs
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
# Logic: exact match ("==") on the queried name, so only api.telegram.org itself fires; other
# telegram.org hosts and subdomains are not covered by this rule.
RuleId = c64c5175-5189-431b-a55e-6d9882158251
RuleName = Telegram Bot API Request
EventType = Dns.Query
Tag = telegram-bot-api-request
RiskScore = 50
Annotation = {"mitre_attack": ["T1102.002"]}
Query = Dns.QueryRequest == "api.telegram.org"
# queried name is attached to the alert (presumably; see uberAgent ESA docs for GenericProperty semantics)
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
# These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
# Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
# Logic: the queried name ends with ".getgo.com", ".logmein.com" or ".ammyy.com". Because each pattern
# starts with a dot, only subdomains match -- a query for the bare apex (e.g. "logmein.com") does not.
# Expect benign hits wherever these products are sanctioned; tune by host group if needed.
RuleId = 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
RuleName = Query To Remote Access Software Domain
EventType = Dns.Query
Tag = query-to-remote-access-software-domain
RiskScore = 50
Annotation = {"mitre_attack": ["T1219"]}
Query = (Dns.QueryRequest like r"%.getgo.com" or Dns.QueryRequest like r"%.logmein.com" or Dns.QueryRequest like r"%.ammyy.com")
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL
# Logic: any DNS query (EventType Dns.Query) issued by a process whose path is under the
# Microsoft.DesktopAppInstaller package folder and ends with \AppInstaller.exe. The query itself is
# not constrained -- Dns.QueryRequest is not referenced -- so every name resolved by AppInstaller fires.
# The "\_" in the package path is presumably an escape so "_" is matched literally rather than as the
# LIKE single-character wildcard -- confirm against the uberAgent query-syntax docs.
# NOTE(review): unlike the other Dns.Query rules this one sets no GenericProperty1, so the queried name
# may not be attached to the alert -- consider adding "GenericProperty1 = Dns.QueryRequest" if that is desired.
RuleId = 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
RuleName = AppInstaller Attempts From URL by DNS
EventType = Dns.Query
Tag = appinstaller-attempts-from-url-by-dns
RiskScore = 50
Annotation = {"mitre_attack": ["T1105"]}
Query = (Process.Path like r"C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller\_%" and Process.Path like r"%\\AppInstaller.exe")

[ActivityMonitoringRule]
# Detects DNS queries for ip lookup services such as api.ipify.org not originating from a browser process.
# Logic: exact match of the queried name against a fixed list of public-IP lookup services, unless the
# querying process path ends with one of the listed browser executable names. The browser allow-list is
# keyed on the executable file name only, not on its signer or install location.
RuleId = ec82e2a5-81ea-4211-a1f8-37a0286df2c2
RuleName = Suspicious DNS Query for IP Lookup Service APIs
EventType = Dns.Query
Tag = suspicious-dns-query-for-ip-lookup-service-apis
RiskScore = 50
Annotation = {"mitre_attack": ["T1590"]}
Query = (Dns.QueryRequest in ["canireachthe.net", "ipv4.icanhazip.com", "ip.anysrc.net", "edns.ip-api.com", "wtfismyip.com", "checkip.dyndns.org", "api.2ip.ua", "icanhazip.com", "api.ipify.org", "ip-api.com", "checkip.amazonaws.com", "ipecho.net", "ipinfo.io", "ipv4bot.whatismyipaddress.com", "freegeoip.app"] and not ((Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\iexplore.exe" or Process.Path like r"%\\firefox.exe" or Process.Path like r"%\\brave.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\vivaldi.exe")))
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
# Logic: exact match on the two TeamViewer service names, excluding any process whose full path contains
# the string "TeamViewer" anywhere (directory or file name).
RuleId = 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
RuleName = Suspicious TeamViewer Domain Access
EventType = Dns.Query
Tag = suspicious-teamviewer-domain-access
RiskScore = 50
Annotation = {"mitre_attack": ["T1219"]}
Query = (Dns.QueryRequest in ["taf.teamviewer.com", "udp.ping.teamviewer.com"] and not (Process.Path like r"%TeamViewer%"))
GenericProperty1 = Dns.QueryRequest

[ActivityMonitoringRule]
# Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
# Logic: an Image.Load of System.Management.Automation.Dll (or its native-image .ni.Dll variant) by a
# process that is not one of the known PowerShell hosts listed in the exclusion (PowerShell itself, ISE,
# sdiagnhost, mscorsvw, SQL/Visual Studio tooling, ServiceHub, Citrix ConfigSync, the THOR scanner under
# the asgard2-agent temp folder, and anything installed under the Visual Studio program folders).
# The "\_" in powershell\_ise.exe is presumably a literal-underscore escape for LIKE -- confirm.
# Expect tuning work: any third-party PowerShell host (IDEs, RMM agents) will fire until added here.
RuleId = 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
RuleName = In-memory PowerShell
EventType = Image.Load
Tag = in-memory-powershell
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Image.Path like r"%\\System.Management.Automation.Dll" or Image.Path like r"%\\System.Management.Automation.ni.Dll") and not ((Process.Path like r"C:\\Windows\\System32\\dsac.exe" or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\WINDOWS\\System32\\sdiagnhost.exe" or Process.Path like r"%\\mscorsvw.exe" or Process.Path like r"%\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe" or Process.Path like r"%\\sqlps.exe" or Process.Path like r"%\\wsmprovhost.exe" or Process.Path like r"%\\winrshost.exe" or Process.Path like r"%\\syncappvpublishingserver.exe" or Process.Path like r"%\\runscripthelper.exe" or Process.Path like r"%\\ServerManager.exe" or Process.Path like r"%\\Microsoft SQL Server Management Studio %\\Common%\\IDE\\Ssms.exe" or Process.Path like r"%\\IDE\\devenv.exe" or Process.Path like r"%\\ServiceHub.VSDetouredHost.exe" or Process.Path like r"%\\ServiceHub.SettingsHost.exe" or Process.Path like r"%\\ServiceHub.Host.CLR.x86.exe" or Process.Path like r"%\\Citrix\\ConfigSync\\ConfigSyncRun.exe") or (Process.Path like r"C:\\Program Files (x86)\\Microsoft Visual Studio\\%" or Process.Path like r"C:\\Program Files\\Microsoft Visual Studio\\%")) or (Process.Path like r"C:\\Windows\\Temp\\asgard2-agent\\%" and (Process.Path like r"%\\thor64.exe" or Process.Path like r"%\\thor.exe"))))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
# Logic: an Image.Load of credui.dll or wincredui.dll by a process that is not located under System32,
# Program Files, Program Files (x86), explorer.exe, SystemSettings.exe, OneDrive, SharePoint sync, Spotify
# or the Opera auto-updater. Note the "explorer.exe%" / ".exe%" trailing wildcards in the exclusion: they
# match any path that merely starts with those strings.
# NOTE(review): "Process.Name in [credui.dll, wincredui.dll]" compares the loading process's name with DLL
# file names; on an Image.Load event that branch presumably never matches (the Sigma source likely used the
# loaded image's OriginalFileName). It is OR-ed with the Image.Path test, so detection is unaffected, but the
# field mapping should be verified.
RuleId = 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
RuleName = UIPromptForCredentials DLLs
EventType = Image.Load
Tag = uipromptforcredentials-dlls
RiskScore = 50
Annotation = {"mitre_attack": ["T1056.002"]}
Query = (((Image.Path like r"%\\credui.dll" or Image.Path like r"%\\wincredui.dll") or Process.Name in ["credui.dll", "wincredui.dll"]) and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\explorer.exe%" or Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Users\\%\\AppData\\Local\\Microsoft\\OneDrive\\%\\Microsoft.SharePoint.exe%" or Process.Path like r"C:\\Program Files (x86)\\%" or Process.Path like r"C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe%" or Process.Path like r"C:\\Users\\%\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe%" or Process.Path like r"C:\\Users\\%\\AppData\\Roaming\\Spotify\\Spotify.exe%") or Process.Path like r"%\\opera\_autoupdate.exe" or Process.Path like r"%\\Local\\Microsoft\\OneDrive\\%"))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
# Logic: an Image.Load of WsmSvc.dll, WsmAuto.dll or Microsoft.WSMan.Management.ni.dll, excluding
# powershell.exe, sdiagnhost.exe, services.exe, specific svchost.exe service groups (BITS, GraphicsPerfSvc,
# Wecsvc, netsvcs), mscorsvw.exe under the .NET Framework folders, Server Manager binaries, the
# asgard2-agent temp folder and anything under Program Files\Citrix. A final exclusion drops svchost.exe
# instances whose command line is empty (compared with the single-quoted '' literal).
# NOTE(review): the branches "Process.Name in [WsmSvc.dll, ...]" and
# "Process.Path like %\svchost.exe and Process.Name == WsmWmiPl.dll" compare the loading process's name
# with DLL file names; on an Image.Load event they presumably can never be true (the Sigma source likely used
# the loaded image's OriginalFileName), so the WsmWmiPl.dll-in-svchost case may be undetected. Verify the
# field mapping. The leading "%" in "%C:\Windows\System32\sdiagnhost.exe" is redundant for an absolute path.
RuleId = ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
RuleName = Suspicious WSMAN Provider Image Loads
EventType = Image.Load
Tag = suspicious-wsman-provider-image-loads
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001", "T1021.003"]}
Query = (((((Image.Path like r"%\\WsmSvc.dll" or Image.Path like r"%\\WsmAuto.dll" or Image.Path like r"%\\Microsoft.WSMan.Management.ni.dll") or Process.Name in ["WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"]) or (Process.Path like r"%\\svchost.exe" and Process.Name == "WsmWmiPl.dll")) and not (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%C:\\Windows\\System32\\sdiagnhost.exe" or Process.Path like r"%C:\\Windows\\System32\\services.exe")) or ((Process.CommandLine like r"%svchost.exe -k netsvcs -p -s BITS%" or Process.CommandLine like r"%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%" or Process.CommandLine like r"%svchost.exe -k NetworkService -p -s Wecsvc%" or Process.CommandLine like r"%svchost.exe -k netsvcs%")) or ((Process.Path like r"C:\\Windows\\Microsoft.NET\\Framework64\\v%" or Process.Path like r"C:\\Windows\\Microsoft.NET\\Framework\\v%") and Process.Path like r"%\\mscorsvw.exe") or ((Process.Path like r"C:\\Windows\\System32\\Configure-SMRemoting.exe" or Process.Path like r"C:\\Windows\\System32\\ServerManager.exe")) or (Process.Path like r"C:\\Windows\\Temp\\asgard2-agent\\%") or (Process.Path like r"C:\\Program Files\\Citrix\\%"))) and not ((Process.Path like r"%\\svchost.exe" and Process.CommandLine == '')))
GenericProperty1 = Image.Path

[ActivityMonitoringRule]
# Detects suspicious connections from Microsoft Sync Center to non-private IPs.
# Logic: any network event (Net.Any) from a process whose path ends with \mobsync.exe, unless the target
# is an IPv4 address in one of the RFC 1918 ranges (10/8, 172.16/12 spelled out as 172.16. .. 172.31.,
# 192.168/16). IPv6 targets are never excluded, so an IPv6 connection from mobsync.exe always fires.
# NOTE(review): loopback (127.x) and link-local (169.254.x) are not in the exclusion list, so connections to
# those addresses also fire -- confirm that is intended.
RuleId = 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
RuleName = Microsoft Sync Center Suspicious Network Connections
EventType = Net.Any
Tag = microsoft-sync-center-suspicious-network-connections
RiskScore = 50
Annotation = {"mitre_attack": ["T1055", "T1218"]}
Query = (Process.Path like r"%\\mobsync.exe" and not ((Net.Target.Ip like r"10.%" or Net.Target.Ip like r"192.168.%" or Net.Target.Ip like r"172.16.%" or Net.Target.Ip like r"172.17.%" or Net.Target.Ip like r"172.18.%" or Net.Target.Ip like r"172.19.%" or Net.Target.Ip like r"172.20.%" or Net.Target.Ip like r"172.21.%" or Net.Target.Ip like r"172.22.%" or Net.Target.Ip like r"172.23.%" or Net.Target.Ip like r"172.24.%" or Net.Target.Ip like r"172.25.%" or Net.Target.Ip like r"172.26.%" or Net.Target.Ip like r"172.27.%" or Net.Target.Ip like r"172.28.%" or Net.Target.Ip like r"172.29.%" or Net.Target.Ip like r"172.30.%" or Net.Target.Ip like r"172.31.%") and Net.Target.IpIsV6 == "false"))
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.IpIsV6

[ActivityMonitoringRule]
# Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
# Logic: any network event (Net.Any) from a process whose full path contains "wuauclt" anywhere -- there is
# no "\" anchor, so a directory named e.g. "wuauclt-tools" would also match. Neither the command line nor
# the target address is constrained. Expect noise on hosts where the genuine update client talks to
# Windows Update; the rule is intended to be reviewed together with the process's command line.
RuleId = c649a6c7-cd8c-4a78-9c04-000fc76df954
RuleName = Wuauclt Network Connection
EventType = Net.Any
Tag = wuauclt-network-connection
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = Process.Path like r"%wuauclt%"

[ActivityMonitoringRule]
# Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
# Logic: either the process path contains "\advanced_ip_scanner" (the "\_" sequences are presumably
# literal-underscore escapes for LIKE -- confirm), or the command line contains both "/portable" and "/lng".
# The command-line branch has no path constraint, so any binary started with those two switches fires.
RuleId = bef37fa2-f205-4a7b-b484-0759bfd5f86f
RuleName = Advanced IP Scanner
EventType = Process.Start
Tag = proc-start-advanced-ip-scanner
RiskScore = 50
Annotation = {"mitre_attack": ["T1046", "T1135"]}
Query = (Process.Path like r"%\\advanced\_ip\_scanner%" or (Process.CommandLine like r"%/portable%" and Process.CommandLine like r"%/lng%"))

[ActivityMonitoringRule]
# Detects the use of Advanced Port Scanner.
# Logic: either the process path contains "\advanced_port_scanner" (the "\_" sequences are presumably
# literal-underscore escapes for LIKE -- confirm), or the command line contains both "/portable" and "/lng".
# The command-line branch is identical to the Advanced IP Scanner rule above, so the two rules fire together
# on that branch.
RuleId = 54773c5f-f1cc-4703-9126-2f797d96a69d
RuleName = Advanced Port Scanner
EventType = Process.Start
Tag = proc-start-advanced-port-scanner
RiskScore = 50
Annotation = {"mitre_attack": ["T1046", "T1135"]}
Query = (Process.Path like r"%\\advanced\_port\_scanner%" or (Process.CommandLine like r"%/portable%" and Process.CommandLine like r"%/lng%"))

[ActivityMonitoringRule]
# Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
# Logic: the command line contains "txt:" (a stream name appended to a .txt file) together with one of the
# tool patterns that can write to or read from a stream: "type ... > ...", "makecab ... .cab",
# "reg ... export", "regedit ... /E", or "esentutl ... /y ... /d ... /o".
# Only streams attached to ".txt" files are covered; other host file extensions are not matched.
RuleId = 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
RuleName = Execute From Alternate Data Streams
EventType = Process.Start
Tag = proc-start-execute-from-alternate-data-streams
RiskScore = 50
Annotation = {"mitre_attack": ["T1564.004"]}
Query = (Process.CommandLine like r"%txt:%" and ((Process.CommandLine like r"%type %" and Process.CommandLine like r"% > %") or (Process.CommandLine like r"%makecab %" and Process.CommandLine like r"%.cab%") or (Process.CommandLine like r"%reg %" and Process.CommandLine like r"% export %") or (Process.CommandLine like r"%regedit %" and Process.CommandLine like r"% /E %") or (Process.CommandLine like r"%esentutl %" and Process.CommandLine like r"% /y %" and Process.CommandLine like r"% /d %" and Process.CommandLine like r"% /o %")))

[ActivityMonitoringRule]
# This rule looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
# Logic: cmd.exe, powershell.exe or pwsh.exe whose parent path lies under \Windows\Installer\, contains
# "msi" and ends with "tmp" -- presumably the MSI*.tmp executables that the Installer service extracts
# while running a package (confirm). The parent path is attached to the alert via GenericProperty1.
RuleId = 1e53dd56-8d83-4eb4-a43e-b790a05510aa
RuleName = Always Install Elevated MSI Spawned Cmd And Powershell
EventType = Process.Start
Tag = proc-start-always-install-elevated-msi-spawned-cmd-and-powershell
RiskScore = 50
Annotation = {"mitre_attack": ["T1548.002"]}
Query = ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Parent.Path like r"%\\Windows\\Installer\\%" and Parent.Path like r"%msi%" and Parent.Path like r"%tmp")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
# Logic: schtasks.exe invoked with /delete or /change, a /TN switch, and the ScheduledDefrag task path
# \Microsoft\Windows\Defrag\ScheduledDefrag on the command line.
RuleId = 958d81aa-8566-4cea-a565-59ccd4df27b0
RuleName = Defrag Deactivation
EventType = Process.Start
Tag = proc-start-defrag-deactivation
RiskScore = 50
Annotation = {"mitre_attack": ["T1053.005"]}
Query = (Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/change%") and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%\\Microsoft\\Windows\\Defrag\\ScheduledDefrag%")

[ActivityMonitoringRule]
# The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
# Logic: any process whose command line contains ".SettingContent-ms", unless the command line also
# contains "immersivecontrolpanel" (the built-in Settings app opening such a file). No path constraint.
RuleId = 24de4f3b-804c-4165-b442-5a06a2302c7e
RuleName = Arbitrary Shell Command Execution Via Settingcontent-Ms
EventType = Process.Start
Tag = proc-start-arbitrary-shell-command-execution-via-settingcontent-ms
RiskScore = 50
Annotation = {"mitre_attack": ["T1204", "T1566.001"]}
Query = (Process.CommandLine like r"%.SettingContent-ms%" and not (Process.CommandLine like r"%immersivecontrolpanel%"))

[ActivityMonitoringRule]
# Application Virtualization Utility is included with Microsoft Office. AppVLP can be abused to execute shell commands.
# Normally, this binary is used for Application Virtualization, but it can be used as an abuse binary to circumvent the ASR file path rule folder
# or to mark a file as a system file.
# Logic: the command line contains "appvlp.exe", one of cmd.exe / powershell.exe / pwsh.exe, and one of the
# listed script or binary extensions. All three conditions are matched on the command line only; the
# process path is not checked. The short substrings ".sh", ".ps", ".vb", ".pl", ".js" also match longer
# extensions (e.g. ".ps1", ".vbs", ".json"), which is presumably intended.
RuleId = 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
RuleName = Using AppVLP To Circumvent ASR File Path Rule
EventType = Process.Start
Tag = proc-start-using-appvlp-to-circumvent-asr-file-path-rule
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.CommandLine like r"%appvlp.exe%" and (Process.CommandLine like r"%cmd.exe%" or Process.CommandLine like r"%powershell.exe%" or Process.CommandLine like r"%pwsh.exe%") and (Process.CommandLine like r"%.sh%" or Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bin%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cmd%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.msh%" or Process.CommandLine like r"%.reg%" or Process.CommandLine like r"%.scr%" or Process.CommandLine like r"%.ps%" or Process.CommandLine like r"%.vb%" or Process.CommandLine like r"%.jar%" or Process.CommandLine like r"%.pl%" or Process.CommandLine like r"%.inf%"))

[ActivityMonitoringRule]
# Once established within a system or network, an adversary may use automated techniques for collecting internal data.
# Logic: the command line names an office/document extension and is either a recursive bare-format
# directory listing ("dir /b /s") or a FINDSTR.EXE run with /e or /si.
# NOTE(review): "Process.Name == FINDSTR.EXE" is an exact comparison against the upper-case name; whether
# "==" is case-insensitive in uberAgent's query language is not visible here -- confirm, otherwise a
# lower-case "findstr.exe" process would not match.
RuleId = f576a613-2392-4067-9d1a-9345fb58d8d1
RuleName = Automated Collection Command Prompt
EventType = Process.Start
Tag = proc-start-automated-collection-command-prompt
RiskScore = 50
Annotation = {"mitre_attack": ["T1119", "T1552.001"]}
Query = ((Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.docx%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.xlsx%" or Process.CommandLine like r"%.ppt%" or Process.CommandLine like r"%.pptx%" or Process.CommandLine like r"%.rtf%" or Process.CommandLine like r"%.pdf%" or Process.CommandLine like r"%.txt%") and ((Process.CommandLine like r"%dir %" and Process.CommandLine like r"% /b %" and Process.CommandLine like r"% /s %") or (Process.Name == "FINDSTR.EXE" and (Process.CommandLine like r"% /e %" or Process.CommandLine like r"% /si %"))))

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file
# Logic, three alternatives: bitsadmin.exe with "/create" or "/addfile" plus "http" on the command line;
# bitsadmin.exe with "/transfer"; or any command line containing "copy bitsadmin.exe" (no path constraint
# on that last branch -- it catches the binary being copied under another name).
RuleId = d059842b-6b9d-4ed1-b5c3-5b89143c6ede
RuleName = Bitsadmin Download
EventType = Process.Start
Tag = proc-start-bitsadmin-download
RiskScore = 50
Annotation = {"mitre_attack": ["T1197", "T1036.003"]}
Query = ((Process.Path like r"%\\bitsadmin.exe" and (Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and Process.CommandLine like r"%http%") or (Process.Path like r"%\\bitsadmin.exe" and Process.CommandLine like r"% /transfer %") or Process.CommandLine like r"%copy bitsadmin.exe%")

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file from a suspicious domain
# Logic: bitsadmin.exe with /transfer, /create or /addfile and a command line that references one of the
# listed code-hosting, paste or file-sharing domains. Overlaps with the generic "Bitsadmin Download" rule;
# both fire on such a transfer.
RuleId = 8518ed3d-f7c9-4601-a26c-f361a4256a0c
RuleName = Bitsadmin Download from Suspicious Domain
EventType = Process.Start
Tag = proc-start-bitsadmin-download-from-suspicious-domain
RiskScore = 50
Annotation = {"mitre_attack": ["T1197", "T1036.003"]}
Query = (Process.Path like r"%\\bitsadmin.exe" and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%raw.githubusercontent.com%" or Process.CommandLine like r"%gist.githubusercontent.com%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%cdn.discordapp.com/attachments/%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%.paste.ee%" or Process.CommandLine like r"%.hastebin.com%" or Process.CommandLine like r"%.ghostbin.co/%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%storage.googleapis.com%"))

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file to uncommon target folder
# Logic: bitsadmin.exe with /transfer, /create or /addfile and a target under C:\Windows\Temp,
# C:\ProgramData, \AppData\Local or the %temp% / %ProgramData% / %AppData% environment variables.
# The "\%" sequences are presumably escapes for a literal "%" (the LIKE multi-character wildcard) so that
# e.g. "%temp%" is matched verbatim -- confirm against the uberAgent query-syntax docs.
RuleId = 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
RuleName = Bitsadmin Download to Uncommon Target Folder
EventType = Process.Start
Tag = proc-start-bitsadmin-download-to-uncommon-target-folder
RiskScore = 50
Annotation = {"mitre_attack": ["T1197", "T1036.003"]}
Query = (Process.Path like r"%\\bitsadmin.exe" and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%C:\\Windows\\Temp\\%" or Process.CommandLine like r"%\%temp\%%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%\%AppData\%%"))

[ActivityMonitoringRule]
# Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
# Logic: certoc.exe (by path suffix or process name) with both "-LoadDLL" and ".dll" on the command line.
# NOTE(review): the Tag value contains a "." -- confirm that uberAgent accepts that character in tags.
RuleId = 242301bc-f92f-4476-8718-78004a6efd9f
RuleName = Suspicious Load DLL via CertOC.exe
EventType = Process.Start
Tag = proc-start-suspicious-load-dll-via-certoc.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\certoc.exe" or Process.Name == "CertOC.exe") and (Process.CommandLine like r"%-LoadDLL%" and Process.CommandLine like r"%.dll%"))

[ActivityMonitoringRule]
# Detects starting browser with remote debugging flag, may be used for browser injection attacks
# Logic: any process started with "--remote-debugging-address=" or "--remote-debugging-port=" (no path
# constraint on that branch, so Electron apps and Chromium-based tools launched this way also fire), or
# firefox.exe started with "-start-debugger-server". Developer workstations are a likely source of benign hits.
RuleId = b3d34dc5-2efd-4ae3-845f-8ec14921f449
RuleName = Browser Started with Remote Debugging
EventType = Process.Start
Tag = proc-start-browser-started-with-remote-debugging
RiskScore = 50
Annotation = {"mitre_attack": ["T1185"]}
Query = ((Process.CommandLine like r"% --remote-debugging-address=%" or Process.CommandLine like r"% --remote-debugging-port=%") or (Process.Path like r"%\\firefox.exe" and Process.CommandLine like r"% -start-debugger-server %"))

[ActivityMonitoringRule]
# Detects the use of CleanWipe, a tool usually used to delete Symantec antivirus.
# Logic: one of the CleanWipe component executables by path suffix -- SepRemovalToolNative_x64.exe on its
# own, CATClean.exe with --uninstall, NetInstaller.exe with -r, or WFPUnins.exe with /uninstall and
# /enterprise. The "\_" in SepRemovalToolNative\_x64 is presumably a literal-underscore escape -- confirm.
# Sanctioned AV migrations will trigger this; correlate with change tickets.
RuleId = f44800ac-38ec-471f-936e-3fa7d9c53100
RuleName = CleanWipe Usage
EventType = Process.Start
Tag = proc-start-cleanwipe-usage
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.Path like r"%\\SepRemovalToolNative\_x64.exe" or (Process.Path like r"%\\CATClean.exe" and Process.CommandLine like r"%--uninstall%") or (Process.Path like r"%\\NetInstaller.exe" and Process.CommandLine like r"%-r%") or (Process.Path like r"%\\WFPUnins.exe" and Process.CommandLine like r"%/uninstall%" and Process.CommandLine like r"%/enterprise%"))

[ActivityMonitoringRule]
# Possible payload obfuscation
# Logic: the command line contains one of several cmd.exe obfuscation markers -- a doubled caret "^^",
# the separator run ",;,", a COMSPEC substring expansion "%COMSPEC:~", or "set" broken up with carets
# (" s^et ", " s^e^t ", " se^t "). The "\%" before COMSPEC is presumably an escape for a literal "%" -- confirm.
# No path constraint; any process with such a command line fires.
RuleId = a77c1610-fc73-4019-8e29-0f51efc04a51
RuleName = Suspicious Dosfuscation Character in Commandline
EventType = Process.Start
Tag = proc-start-suspicious-dosfuscation-character-in-commandline
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = (Process.CommandLine like r"%^^%" or Process.CommandLine like r"%,;,%" or Process.CommandLine like r"%\%COMSPEC:~%" or Process.CommandLine like r"% s^et %" or Process.CommandLine like r"% s^e^t %" or Process.CommandLine like r"% se^t %")

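[ActivityMonitoringRule]
# Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location
# Logic: cmd.exe whose command line redirects output (" > ") into %USERPROFILE%, %APPDATA%, \Users\Public,
# C:\Users\Public or %TEMP%. The five locations are alternatives and are therefore combined with "or".
# They were previously joined with "and", which required a single command line to contain all five
# redirect targets at once -- a condition that never occurs in practice, so the rule could not fire.
# If this file is regenerated from Sigma, verify that the converter emits "or" for this list as well.
# The "\%" sequences are presumably escapes for a literal "%" -- confirm against the uberAgent query-syntax docs.
RuleId = 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
RuleName = Suspicious CMD Shell Redirect
EventType = Process.Start
Tag = proc-start-suspicious-cmd-shell-redirect
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\cmd.exe" and (Process.CommandLine like r"% > \%USERPROFILE\%\\%" or Process.CommandLine like r"% > \%APPDATA\%\\%" or Process.CommandLine like r"% > \\Users\\Public\\%" or Process.CommandLine like r"% > C:\\Users\\Public\\%" or Process.CommandLine like r"% > \%TEMP\%\\%"))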

[ActivityMonitoringRule]
# Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
# Logic: mavinject32.exe or mavinject64.exe (by process name or path suffix) started with "/INJECTRUNNING"
# and a ".dll" argument on the command line.
RuleId = 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
RuleName = Mavinject Inject DLL Into Running Process
EventType = Process.Start
Tag = proc-start-mavinject-inject-dll-into-running-process
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.013", "T1056.004"]}
Query = ((Process.CommandLine like r"% /INJECTRUNNING%" and Process.CommandLine like r"%.dll%") and (Process.Name in ["mavinject32.exe", "mavinject64.exe"] or (Process.Path like r"%\\mavinject32.exe" or Process.Path like r"%\\mavinject64.exe")))

[ActivityMonitoringRule]
# Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
# Logic: the bundled node.exe under "\Adobe Creative Cloud Experience\libs\" started with a command line that
# does not reference the product's own "Adobe Creative Cloud Experience\js" script folder.
RuleId = df1f26d3-bea7-4700-9ea2-ad3e990cf90e
RuleName = Node Process Executions
EventType = Process.Start
Tag = proc-start-node-process-executions
RiskScore = 50
Annotation = {"mitre_attack": ["T1127", "T1059.007"]}
Query = (Process.Path like r"%\\Adobe Creative Cloud Experience\\libs\\node.exe" and not (Process.CommandLine like r"%Adobe Creative Cloud Experience\\js%"))

[ActivityMonitoringRule]
# Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
# Logic: a "reg add" command line targeting HKLM\SYSTEM\CurrentControlSet\Control\Lsa that also contains
# "scecli\0" -- presumably a value written as a multi-string (REG_MULTI_SZ) where "\0" separates the default
# "scecli" entry from an appended one. Only registration via reg.exe is covered; other registry APIs are not.
RuleId = b7966f4a-b333-455b-8370-8ca53c229762
RuleName = Dropping Of Password Filter DLL
EventType = Process.Start
Tag = proc-start-dropping-of-password-filter-dll
RiskScore = 50
Annotation = {"mitre_attack": ["T1556.002"]}
Query = (Process.CommandLine like r"%HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa%" and Process.CommandLine like r"%scecli\\0%" and Process.CommandLine like r"%reg add%")

[ActivityMonitoringRule]
# Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials
# Logic: a "dir " or "findstr " command line that mentions one of the key/certificate extensions.
# The extensions are substring matches with trailing wildcards, so ".key%" also matches e.g. ".keyboard"
# and ".cer%" matches ".certificate"; expect some benign hits from scripts and installers.
RuleId = 213d6a77-3d55-4ce8-ba74-fcfef741974e
RuleName = Discover Private Keys
EventType = Process.Start
Tag = proc-start-discover-private-keys
RiskScore = 50
Annotation = {"mitre_attack": ["T1552.004"]}
Query = ((Process.CommandLine like r"%dir %" or Process.CommandLine like r"%findstr %") and (Process.CommandLine like r"%.key%" or Process.CommandLine like r"%.pgp%" or Process.CommandLine like r"%.gpg%" or Process.CommandLine like r"%.ppk%" or Process.CommandLine like r"%.p12%" or Process.CommandLine like r"%.pem%" or Process.CommandLine like r"%.pfx%" or Process.CommandLine like r"%.cer%" or Process.CommandLine like r"%.p7b%" or Process.CommandLine like r"%.asc%"))

[ActivityMonitoringRule]
# Detects an attempt to add a potentially crafted DLL as a plug-in of the DNS Service.
# Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.
# DNS zones are used to host the DNS records for a particular domain.
# Logic: dnscmd.exe with either an enumeration switch (/enumrecords, /enumzones, /info) or the
# /config ... /serverlevelplugindll combination that registers a server-level plug-in DLL.
# NOTE(review): the Tag value contains "/" and "." -- confirm that uberAgent accepts those characters in
# tags; the other tags in this file use only letters, digits and "-".
RuleId = b6457d63-d2a2-4e29-859d-4e7affc153d1
RuleName = Discovery/Execution via dnscmd.exe
EventType = Process.Start
Tag = proc-start-discovery/execution-via-dnscmd.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1543.003"]}
Query = (Process.Path like r"%\\dnscmd.exe" and ((Process.CommandLine like r"%/enumrecords%" or Process.CommandLine like r"%/enumzones%" or Process.CommandLine like r"%/info%") or (Process.CommandLine like r"%/config%" and Process.CommandLine like r"%/serverlevelplugindll%")))

[ActivityMonitoringRule]
# dotnet.exe will execute any DLL and execute unsigned code
# Logic: dotnet.exe whose command line ends with ".dll" or ".csproj" (no trailing wildcard, so a trailing
# argument after the file name prevents a match). Build servers and developer machines will produce hits.
# NOTE(review): the Tag value contains "." -- confirm that uberAgent accepts that character in tags.
RuleId = d80d5c81-04ba-45b4-84e4-92eba40e0ad3
RuleName = Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
EventType = Process.Start
Tag = proc-start-dotnet.exe-exec-dll-and-execute-unsigned-code-lolbin
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.csproj") and Process.Path like r"%\\dotnet.exe")

[ActivityMonitoringRule]
# Detects usage of Dsacls to grant over permissive permissions
# Logic: dsacls.exe (by path suffix or process name) with " /G " (grant) and one of the broad access-right
# codes GR, GE, GW, GA, WP, WD on the command line. The two-letter codes are bare substring matches and can
# also hit inside other arguments (e.g. a distinguished name containing "WD").
RuleId = 01c42d3c-242d-4655-85b2-34f1739632f7
RuleName = Abusing Permissions Using Dsacls
EventType = Process.Start
Tag = proc-start-abusing-permissions-using-dsacls
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\dsacls.exe" or Process.Name == "DSACLS.EXE") and Process.CommandLine like r"% /G %" and (Process.CommandLine like r"%GR%" or Process.CommandLine like r"%GE%" or Process.CommandLine like r"%GW%" or Process.CommandLine like r"%GA%" or Process.CommandLine like r"%WP%" or Process.CommandLine like r"%WD%"))

[ActivityMonitoringRule]
# Detects possible password spraying attempts using Dsacls
# Logic: dsacls.exe (by path suffix or process name) invoked with explicit "/user:" and "/passwd:" switches,
# i.e. authenticating with supplied credentials rather than the caller's own token.
RuleId = bac9fb54-2da7-44e9-988f-11e9a5edbc0c
RuleName = Password Spraying Attempts Using Dsacls
EventType = Process.Start
Tag = proc-start-password-spraying-attempts-using-dsacls
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\dsacls.exe" or Process.Name == "DSACLS.EXE") and (Process.CommandLine like r"%/user:%" and Process.CommandLine like r"%/passwd:%"))

[ActivityMonitoringRule]
# Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
# Logic: a "/online /Disable-Feature /FeatureName: /Remove" invocation, matched either on the command line of
# Dism.exe itself or -- for the DismHost.exe worker it spawns -- on the parent's command line. The parent
# command line is attached to the alert via GenericProperty1.
RuleId = 43e32da2-fdd0-4156-90de-50dfd62636f9
RuleName = Dism Remove Online Package
EventType = Process.Start
Tag = proc-start-dism-remove-online-package
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.Path like r"%\\DismHost.exe" and Parent.CommandLine like r"%/online%" and Parent.CommandLine like r"%/Disable-Feature%" and Parent.CommandLine like r"%/FeatureName:%" and Parent.CommandLine like r"%/Remove%") or (Process.Path like r"%\\Dism.exe" and Process.CommandLine like r"%/online%" and Process.CommandLine like r"%/Disable-Feature%" and Process.CommandLine like r"%/FeatureName:%" and Process.CommandLine like r"%/Remove%"))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects events that appear when a user clicks on a link file with a powershell command in it
# Logic: C:\Windows\System32\cmd.exe started by C:\Windows\explorer.exe with a command line that contains
# both "powershell" and ".lnk". Both paths are absolute (no wildcards), so explorer or cmd launched from
# another location does not match. The parent path is attached to the alert via GenericProperty1.
RuleId = 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
RuleName = Hidden Powershell in Link File Pattern
EventType = Process.Start
Tag = proc-start-hidden-powershell-in-link-file-pattern
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = (Parent.Path like r"C:\\Windows\\explorer.exe" and Process.Path like r"C:\\Windows\\System32\\cmd.exe" and Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%.lnk%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects processes that query known 3rd party registry keys that hold credentials via commandline
# Logic: any process whose command line references one of the listed registry paths under which third-party
# tools (PuTTY, MobaXterm, Radmin, Foxmail, IncrediMail, Eudora, Becky!, OpenVPN-GUI, WinSCP, CoreFTP,
# Internet Download Manager, OpenSSH agent, TightVNC, WinVNC, RealVNC) keep sessions, keys or passwords.
# No path constraint: the tool performing the query is not checked, only the key names.
RuleId = 87a476dc-0079-4583-a985-dee7a20a03de
RuleName = Enumeration for 3rd Party Creds From CLI
EventType = Process.Start
Tag = proc-start-enumeration-for-3rd-party-creds-from-cli
RiskScore = 50
Annotation = {"mitre_attack": ["T1552.002"]}
Query = (Process.CommandLine like r"%\\Software\\SimonTatham\\PuTTY\\Sessions%" or Process.CommandLine like r"%\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\%" or Process.CommandLine like r"%\\Software\\Mobatek\\MobaXterm\\%" or Process.CommandLine like r"%\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin%" or Process.CommandLine like r"%\\Software\\Aerofox\\FoxmailPreview%" or Process.CommandLine like r"%\\Software\\Aerofox\\Foxmail\\V3.1%" or Process.CommandLine like r"%\\Software\\IncrediMail\\Identities%" or Process.CommandLine like r"%\\Software\\Qualcomm\\Eudora\\CommandLine%" or Process.CommandLine like r"%\\Software\\RimArts\\B2\\Settings%" or Process.CommandLine like r"%\\Software\\OpenVPN-GUI\\configs%" or Process.CommandLine like r"%\\Software\\Martin Prikryl\\WinSCP 2\\Sessions%" or Process.CommandLine like r"%\\Software\\FTPWare\\COREFTP\\Sites%" or Process.CommandLine like r"%\\Software\\DownloadManager\\Passwords%" or Process.CommandLine like r"%\\Software\\OpenSSH\\Agent\\Keys%" or Process.CommandLine like r"%\\Software\\TightVNC\\Server%" or Process.CommandLine like r"%\\Software\\ORL\\WinVNC3\\Password%" or Process.CommandLine like r"%\\Software\\RealVNC\\WinVNC4%")

[ActivityMonitoringRule]
# Adversaries may search the Registry on compromised systems for insecurely stored credentials.
# The Windows Registry stores configuration information that can be used by the system or other programs.
# Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
# Logic: reg.exe running a recursive string-value query ("query", "/t REG_SZ", "/s") that is either a
# pattern search ("/f") over HKLM or HKCU, or targets the PuTTY sessions key directly.
# The "\_" in REG\_SZ is presumably a literal-underscore escape for LIKE -- confirm.
RuleId = e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
RuleName = Enumeration for Credentials in Registry
EventType = Process.Start
Tag = proc-start-enumeration-for-credentials-in-registry
RiskScore = 50
Annotation = {"mitre_attack": ["T1552.002"]}
Query = ((Process.Path like r"%\\reg.exe" and Process.CommandLine like r"% query %" and Process.CommandLine like r"%/t %" and Process.CommandLine like r"%REG\_SZ%" and Process.CommandLine like r"%/s%") and ((Process.CommandLine like r"%/f %" and Process.CommandLine like r"%HKLM%") or (Process.CommandLine like r"%/f %" and Process.CommandLine like r"%HKCU%") or Process.CommandLine like r"%HKCU\\Software\\SimonTatham\\PuTTY\\Sessions%"))

[ActivityMonitoringRule]
# One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
# Logic: esentutl.exe (by path suffix or process name) run in recovery mode ("/r ") against a path that
# contains "\Windows\WebCache", the ESE database holding IE/legacy-Edge browsing data.
RuleId = 6a69f62d-ce75-4b57-8dce-6351eb55b362
RuleName = Esentutl Steals Browser Information
EventType = Process.Start
Tag = proc-start-esentutl-steals-browser-information
RiskScore = 50
Annotation = {"mitre_attack": ["T1005"]}
Query = ((Process.Path like r"%\\esentutl.exe" or Process.Name == "esentutl.exe") and (Process.CommandLine like r"%/r %" and Process.CommandLine like r"%\\Windows\\WebCache%"))

[ActivityMonitoringRule]
# Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
# NOTE: the description above is the generic ATT&CK text carried over from the Sigma source; the rule itself
# targets WinRM access via Evil-WinRM, as the RuleName and the T1021.006 (Windows Remote Management) tag show.
# Logic: ruby.exe started with "-i ", "-u " and "-p " switches on the command line, the usual
# host/user/password arguments of that tool. Any other Ruby program using the same three short options fires too.
RuleId = a197e378-d31b-41c0-9635-cfdf1c1bb423
RuleName = WinRM Access with Evil-WinRM
EventType = Process.Start
Tag = proc-start-winrm-access-with-evil-winrm
RiskScore = 50
Annotation = {"mitre_attack": ["T1021.006"]}
Query = (Process.Path like r"%\\ruby.exe" and Process.CommandLine like r"%-i %" and Process.CommandLine like r"%-u %" and Process.CommandLine like r"%-p %")

[ActivityMonitoringRule]
# Execution of well known tools for data exfiltration and tunneling
# Detection logic: Process.Path ends with plink.exe, socat.exe, stunnel.exe or httptunnel.exe.
# NOTE(review): filename-only match - a renamed copy evades it, and legitimate admin use of plink/stunnel will fire; no command-line context is evaluated.
RuleId = c75309a3-59f8-4a8d-9c2c-4c927ad50555
RuleName = Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-exfiltration-and-tunneling-tools-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1041", "T1572", "T1071.001"]}
Query = (Process.Path like r"%\\plink.exe" or Process.Path like r"%\\socat.exe" or Process.Path like r"%\\stunnel.exe" or Process.Path like r"%\\httptunnel.exe")

[ActivityMonitoringRule]
# Adversaries can use the inbuilt expand utility to decompress cab files as seen in the recent Iranian MeteorExpress attack
# NOTE(review): broad by design - any expand.exe invocation that mentions ".cab", "/F:" or "-F:", or a ProgramData/Temp path,
# matches; installers and admin scripts use the same switches, so expect to add environment-specific exclusions.
# The "C:\Public\" alternative is a literal prefix and does NOT match the standard profile path "C:\Users\Public\" - confirm
# whether that is the intended target.
RuleId = 9f107a84-532c-41af-b005-8d12a607639f
RuleName = Cabinet File Expansion
EventType = Process.Start
Tag = proc-start-cabinet-file-expansion
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\expand.exe" and (Process.CommandLine like r"%.cab%" or Process.CommandLine like r"%/F:%" or Process.CommandLine like r"%-F:%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp\\%"))

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
# Detection logic: parent image ends with \WINWORD.EXE and the child image contains \FLTLDR.exe (the pattern has a trailing "%",
# so text after ".exe" is tolerated - harmless, but inconsistent with the end-anchored image paths used elsewhere in this file).
RuleId = 864403a1-36c9-40a2-a982-4c9a45f7d833
RuleName = Exploit for CVE-2017-0261
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-0261
RiskScore = 50
Annotation = {"mitre_attack": ["T1203", "T1204.002", "T1566.001"]}
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\FLTLDR.exe%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Rename as a legitimate Sysinternals Suite tool to evade detection
# Detection logic: the image name is one of the Sysinternals Suite tool names, but the Company field is not "Sysinternals".
# NOTE(review): two exclusion gaps worth knowing about. (1) Process.Company == '' is excluded, so a binary without version
# information (or one whose version resource cannot be read) never fires, even though that is exactly what a renamed tool
# often looks like. (2) The allow-list compares only the Company string, which can be set freely in the PE version
# resource; it is not a signature check. Treat a hit as a strong signal, but do not treat the absence of one as proof.
RuleId = 7cce6fc8-a07f-4d84-a53e-96e1879843c9
RuleName = False Sysinternals Suite Tools
EventType = Process.Start
Tag = proc-start-false-sysinternals-suite-tools
RiskScore = 50
Annotation = {"mitre_attack": ["T1218", "T1202"]}
Query = ((Process.Path like r"%\\accesschk.exe" or Process.Path like r"%\\accesschk64.exe" or Process.Path like r"%\\AccessEnum.exe" or Process.Path like r"%\\ADExplorer.exe" or Process.Path like r"%\\ADExplorer64.exe" or Process.Path like r"%\\ADInsight.exe" or Process.Path like r"%\\ADInsight64.exe" or Process.Path like r"%\\adrestore.exe" or Process.Path like r"%\\adrestore64.exe" or Process.Path like r"%\\Autologon.exe" or Process.Path like r"%\\Autologon64.exe" or Process.Path like r"%\\Autoruns.exe" or Process.Path like r"%\\Autoruns64.exe" or Process.Path like r"%\\autorunsc.exe" or Process.Path like r"%\\autorunsc64.exe" or Process.Path like r"%\\Bginfo.exe" or Process.Path like r"%\\Bginfo64.exe" or Process.Path like r"%\\Cacheset.exe" or Process.Path like r"%\\Cacheset64.exe" or Process.Path like r"%\\Clockres.exe" or Process.Path like r"%\\Clockres64.exe" or Process.Path like r"%\\Contig.exe" or Process.Path like r"%\\Contig64.exe" or Process.Path like r"%\\Coreinfo.exe" or Process.Path like r"%\\Coreinfo64.exe" or Process.Path like r"%\\CPUSTRES.EXE" or Process.Path like r"%\\CPUSTRES64.EXE" or Process.Path like r"%\\ctrl2cap.exe" or Process.Path like r"%\\Dbgview.exe" or Process.Path like r"%\\dbgview64.exe" or Process.Path like r"%\\Desktops.exe" or Process.Path like r"%\\Desktops64.exe" or Process.Path like r"%\\disk2vhd.exe" or Process.Path like r"%\\disk2vhd64.exe" or Process.Path like r"%\\diskext.exe" or Process.Path like r"%\\diskext64.exe" or Process.Path like r"%\\Diskmon.exe" or Process.Path like r"%\\Diskmon64.exe" or Process.Path like r"%\\DiskView.exe" or Process.Path like r"%\\DiskView64.exe" or Process.Path like r"%\\du.exe" or Process.Path like r"%\\du64.exe" or Process.Path like r"%\\efsdump.exe" or Process.Path like r"%\\FindLinks.exe" or Process.Path like r"%\\FindLinks64.exe" or Process.Path like r"%\\handle.exe" or Process.Path like r"%\\handle64.exe" or Process.Path like r"%\\hex2dec.exe" or Process.Path like r"%\\hex2dec64.exe" 
or Process.Path like r"%\\junction.exe" or Process.Path like r"%\\junction64.exe" or Process.Path like r"%\\ldmdump.exe" or Process.Path like r"%\\listdlls.exe" or Process.Path like r"%\\listdlls64.exe" or Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livekd64.exe" or Process.Path like r"%\\loadOrd.exe" or Process.Path like r"%\\loadOrd64.exe" or Process.Path like r"%\\loadOrdC.exe" or Process.Path like r"%\\loadOrdC64.exe" or Process.Path like r"%\\logonsessions.exe" or Process.Path like r"%\\logonsessions64.exe" or Process.Path like r"%\\movefile.exe" or Process.Path like r"%\\movefile64.exe" or Process.Path like r"%\\notmyfault.exe" or Process.Path like r"%\\notmyfault64.exe" or Process.Path like r"%\\notmyfaultc.exe" or Process.Path like r"%\\notmyfaultc64.exe" or Process.Path like r"%\\ntfsinfo.exe" or Process.Path like r"%\\ntfsinfo64.exe" or Process.Path like r"%\\pendmoves.exe" or Process.Path like r"%\\pendmoves64.exe" or Process.Path like r"%\\pipelist.exe" or Process.Path like r"%\\pipelist64.exe" or Process.Path like r"%\\portmon.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe" or Process.Path like r"%\\procexp.exe" or Process.Path like r"%\\procexp64.exe" or Process.Path like r"%\\Procmon.exe" or Process.Path like r"%\\Procmon64.exe" or Process.Path like r"%\\psExec.exe" or Process.Path like r"%\\psExec64.exe" or Process.Path like r"%\\psfile.exe" or Process.Path like r"%\\psfile64.exe" or Process.Path like r"%\\psGetsid.exe" or Process.Path like r"%\\psGetsid64.exe" or Process.Path like r"%\\psInfo.exe" or Process.Path like r"%\\psInfo64.exe" or Process.Path like r"%\\pskill.exe" or Process.Path like r"%\\pskill64.exe" or Process.Path like r"%\\pslist.exe" or Process.Path like r"%\\pslist64.exe" or Process.Path like r"%\\psLoggedon.exe" or Process.Path like r"%\\psLoggedon64.exe" or Process.Path like r"%\\psloglist.exe" or Process.Path like r"%\\psloglist64.exe" or Process.Path like 
r"%\\pspasswd.exe" or Process.Path like r"%\\pspasswd64.exe" or Process.Path like r"%\\psping.exe" or Process.Path like r"%\\psping64.exe" or Process.Path like r"%\\psService.exe" or Process.Path like r"%\\psService64.exe" or Process.Path like r"%\\psshutdown.exe" or Process.Path like r"%\\psshutdown64.exe" or Process.Path like r"%\\pssuspend.exe" or Process.Path like r"%\\pssuspend64.exe" or Process.Path like r"%\\RAMMap.exe" or Process.Path like r"%\\RDCMan.exe" or Process.Path like r"%\\RegDelNull.exe" or Process.Path like r"%\\RegDelNull64.exe" or Process.Path like r"%\\regjump.exe" or Process.Path like r"%\\ru.exe" or Process.Path like r"%\\ru64.exe" or Process.Path like r"%\\sdelete.exe" or Process.Path like r"%\\sdelete64.exe" or Process.Path like r"%\\ShareEnum.exe" or Process.Path like r"%\\ShareEnum64.exe" or Process.Path like r"%\\shellRunas.exe" or Process.Path like r"%\\sigcheck.exe" or Process.Path like r"%\\sigcheck64.exe" or Process.Path like r"%\\streams.exe" or Process.Path like r"%\\streams64.exe" or Process.Path like r"%\\strings.exe" or Process.Path like r"%\\strings64.exe" or Process.Path like r"%\\sync.exe" or Process.Path like r"%\\sync64.exe" or Process.Path like r"%\\Sysmon.exe" or Process.Path like r"%\\Sysmon64.exe" or Process.Path like r"%\\tcpvcon.exe" or Process.Path like r"%\\tcpvcon64.exe" or Process.Path like r"%\\tcpview.exe" or Process.Path like r"%\\tcpview64.exe" or Process.Path like r"%\\Testlimit.exe" or Process.Path like r"%\\Testlimit64.exe" or Process.Path like r"%\\vmmap.exe" or Process.Path like r"%\\vmmap64.exe" or Process.Path like r"%\\Volumeid.exe" or Process.Path like r"%\\Volumeid64.exe" or Process.Path like r"%\\whois.exe" or Process.Path like r"%\\whois64.exe" or Process.Path like r"%\\Winobj.exe" or Process.Path like r"%\\Winobj64.exe" or Process.Path like r"%\\ZoomIt.exe" or Process.Path like r"%\\ZoomIt64.exe") and not ((Process.Company in ["Sysinternals - www.sysinternals.com", "Sysinternals"]) or 
(Process.Company == '')))
GenericProperty1 = Process.Company

[ActivityMonitoringRule]
# Detects a file or folder's permissions being modified.
# Detection logic: takeown/cacls/icacls/net/net1 with "/grant" on the command line, or attrib.exe with "-r"; the three
# "and not" clauses exclude Dynatrace gateway config resets and VS Code's per-user install directory.
# NOTE(review): the "/grant" requirement is applied to every binary in the first list, so takeown.exe only matches when
# "/grant" also appears on its command line - confirm that is intended. "-r" is an unanchored substring and also matches
# unrelated text. The exclusions are environment-specific and hard-coded; review them before deploying elsewhere.
RuleId = 37ae075c-271b-459b-8d7b-55ad5f993dd8
RuleName = File or Folder Permissions Modifications
EventType = Process.Start
Tag = proc-start-file-or-folder-permissions-modifications
RiskScore = 50
Annotation = {"mitre_attack": ["T1222.001"]}
Query = ((((Process.Path like r"%\\takeown.exe" or Process.Path like r"%\\cacls.exe" or Process.Path like r"%\\icacls.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%/grant%") or (Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"%-r%")) and not ((Process.CommandLine like r"%ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\connectivity.history /reset") or (Process.CommandLine like r"%ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\config.properties /grant :r %" and Process.CommandLine like r"%S-1-5-19:F%") or (Process.CommandLine like r"%\\AppData\\Local\\Programs\\Microsoft VS Code%")))

[ActivityMonitoringRule]
# A symbolic link is a type of file that contains a reference to another file.
# This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
# Detection logic: fsutil.exe with "behavior", "set" and "SymlinkEvaluation" on the command line.
# NOTE(review): legitimate administration of the symlink evaluation policy uses the exact same command; correlate with the parent process and user.
RuleId = c0b2768a-dd06-4671-8339-b16ca8d1f27f
RuleName = Fsutil Behavior Set SymlinkEvaluation
EventType = Process.Start
Tag = proc-start-fsutil-behavior-set-symlinkevaluation
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = (Process.Path like r"%\\fsutil.exe" and Process.CommandLine like r"%behavior %" and Process.CommandLine like r"%set %" and Process.CommandLine like r"%SymlinkEvaluation%")

[ActivityMonitoringRule]
# Dump sam, system or security hives using the REG.exe utility
# Detection logic: reg.exe with "save"/"export", an HKLM / HKEY_LOCAL_MACHINE reference, and a command line ending in
# \system, \sam or \security. The alternatives containing the modifier letters (ˢ, ˣ, ˪) presumably cover look-alike
# Unicode spellings of the same keywords.
# NOTE(review): those characters are non-ASCII, so this file must be read as UTF-8 - if the loader treats it as ANSI those
# patterns silently degrade. "\_" is the escaped literal underscore.
RuleId = fd877b94-9bb5-4191-bb25-d79cbd93c167
RuleName = Grabbing Sensitive Hives via Reg Utility
EventType = Process.Start
Tag = proc-start-grabbing-sensitive-hives-via-reg-utility
RiskScore = 50
Annotation = {"mitre_attack": ["T1003.002", "T1003.004", "T1003.005"]}
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%save%" or Process.CommandLine like r"%export%" or Process.CommandLine like r"%ˢave%" or Process.CommandLine like r"%eˣport%") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hk˪m%" or Process.CommandLine like r"%hkey\_local\_machine%" or Process.CommandLine like r"%hkey\_˪ocal\_machine%" or Process.CommandLine like r"%hkey\_loca˪\_machine%" or Process.CommandLine like r"%hkey\_˪oca˪\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security" or Process.CommandLine like r"%\\ˢystem" or Process.CommandLine like r"%\\syˢtem" or Process.CommandLine like r"%\\ˢyˢtem" or Process.CommandLine like r"%\\ˢam" or Process.CommandLine like r"%\\ˢecurity"))

[ActivityMonitoringRule]
# Monitors for hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
# Detection logic: a command line containing a write verb (echo/copy/type/file createnew/cacls), the path C:\Windows\Fonts\,
# and an executable or script extension.
# NOTE(review): all terms are unanchored substrings - ".js%" also matches ".json", ".ps%" matches ".psd" as well as ".ps1", and
# "type"/"copy" occur in ordinary text - so expect noise and tune on the verb or the parent process.
RuleId = ae9b0bd7-8888-4606-b444-0ed7410cb728
RuleName = Writing Of Malicious Files To The Fonts Folder
EventType = Process.Start
Tag = proc-start-writing-of-malicious-files-to-the-fonts-folder
RiskScore = 50
Annotation = {"mitre_attack": ["T1211", "T1059"]}
Query = ((Process.CommandLine like r"%echo%" or Process.CommandLine like r"%copy%" or Process.CommandLine like r"%type%" or Process.CommandLine like r"%file createnew%" or Process.CommandLine like r"%cacls%") and Process.CommandLine like r"%C:\\Windows\\Fonts\\%" and (Process.CommandLine like r"%.sh%" or Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bin%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cmd%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.msh%" or Process.CommandLine like r"%.reg%" or Process.CommandLine like r"%.scr%" or Process.CommandLine like r"%.ps%" or Process.CommandLine like r"%.vb%" or Process.CommandLine like r"%.jar%" or Process.CommandLine like r"%.pl%" or Process.CommandLine like r"%.inf%" or Process.CommandLine like r"%.cpl%" or Process.CommandLine like r"%.hta%" or Process.CommandLine like r"%.msi%" or Process.CommandLine like r"%.vbs%"))

[ActivityMonitoringRule]
# Detect use of icacls to deny access for Everyone in the Users folder, sometimes used to hide malicious files
# Detection logic: icacls.exe with a target under C:\Users\, "/deny" and the Everyone SID (written as "S-1-1-0:").
# NOTE(review): Process.Name is compared against "iCACLS.EXE" (mixed case) while Process.Path is matched by lower-case suffix;
# this assumes the equality operator is case-insensitive - confirm against the uberAgent field semantics.
RuleId = 4ae81040-fc1c-4249-bfa3-938d260214d9
RuleName = Use Icacls to Hide File to Everyone
EventType = Process.Start
Tag = proc-start-use-icacls-to-hide-file-to-everyone
RiskScore = 50
Annotation = {"mitre_attack": ["T1564.001"]}
Query = ((Process.Name == "iCACLS.EXE" or Process.Path like r"%\\icacls.exe") and (Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%/deny%" and Process.CommandLine like r"%S-1-1-0:%"))

[ActivityMonitoringRule]
# Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.
# NOTE(review): the rule only inspects Process.CommandLine (no Process.Path/Name check), so any process whose command line
# mentions "InfDefaultInstall.exe " and ".inf" matches - including the shell that launched it - not just InfDefaultInstall.exe itself.
RuleId = ce7cf472-6fcc-490a-9481-3786840b5d9b
RuleName = InfDefaultInstall.exe .inf Execution
EventType = Process.Start
Tag = proc-start-infdefaultinstall.exe-.inf-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.CommandLine like r"%InfDefaultInstall.exe %" and Process.CommandLine like r"%.inf%")

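[ActivityMonitoringRule]
# Detects Obfuscated Powershell via COMPRESS OBFUSCATION (Invoke-Obfuscation): a New-Object DeflateStream/StreamReader
# wrapped with [Text.Encoding]::ASCII and drained with ReadToEnd.
# Fix(review): the "readtoend" term was written as "%readtoend" with no trailing "%", i.e. end-anchored, so it only matched a
# command line that literally ENDS in "readtoend". The method is invoked as ".ReadToEnd()" and is therefore followed by at
# least the call parentheses (usually by more pipeline text), so that anchor made the term effectively unmatched. It now
# matches anywhere in the command line like the other three terms.
# All terms are lower case; this assumes "like" is case-insensitive - confirm against the uberAgent query semantics.
RuleId = 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
RuleName = Invoke-Obfuscation COMPRESS OBFUSCATION
EventType = Process.Start
Tag = proc-start-invoke-obfuscation-compress-obfuscation
RiskScore = 50
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = (Process.CommandLine like r"%new-object%" and Process.CommandLine like r"%text.encoding]::ascii%" and (Process.CommandLine like r"%system.io.compression.deflatestream%" or Process.CommandLine like r"%system.io.streamreader%") and Process.CommandLine like r"%readtoend%")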

[ActivityMonitoringRule]
# Detects Obfuscated Powershell via RUNDLL LAUNCHER
# Detection logic: a command line containing rundll32.exe, shell32.dll, shellexec_rundll and powershell (all four required;
# "\_" is the escaped literal underscore). Matching is on the command line only, so a parent cmd/script whose command line
# embeds the same text may fire as well.
RuleId = 056a7ee1-4853-4e67-86a0-3fd9ceed7555
RuleName = Invoke-Obfuscation RUNDLL LAUNCHER
EventType = Process.Start
Tag = proc-start-invoke-obfuscation-rundll-launcher
RiskScore = 50
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%shellexec\_rundll%" and Process.CommandLine like r"%powershell%")

[ActivityMonitoringRule]
# Detect the use of Jlaive to execute assemblies in a copied PowerShell
# Detection logic: the parent is cmd.exe whose command line ends in ".bat", and the child is either xcopy.exe copying
# powershell.exe or pwsh.exe to a "*.bat.exe" name, or attrib.exe setting +s +h on a "*.bat.exe" file.
RuleId = 0a99eb3e-1617-41bd-b095-13dc767f3def
RuleName = Jlaive Usage For Assembly Execution In-Memory
EventType = Process.Start
Tag = proc-start-jlaive-usage-for-assembly-execution-in-memory
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.003"]}
Query = ((Parent.Path like r"%\\cmd.exe" and Parent.CommandLine like r"%.bat") and ((Process.Path like r"%\\xcopy.exe" and Process.CommandLine like r"%powershell.exe%" and Process.CommandLine like r"%.bat.exe%") or (Process.Path like r"%\\xcopy.exe" and Process.CommandLine like r"%pwsh.exe%" and Process.CommandLine like r"%.bat.exe%") or (Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"%+s%" and Process.CommandLine like r"%+h%" and Process.CommandLine like r"%.bat.exe%")))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# The "AdPlus.exe" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands
# Detection logic: adplus.exe with one of the target/dump switches (-hang, -pn, -pmn, -p, -po) or a script switch (-c, -sc).
# NOTE(review): the annotation lists only T1003.001 (memory dump); the -c/-sc alternatives cover the command-execution use
# case described above, which that technique does not express.
RuleId = 2f869d59-7f6a-4931-992c-cce556ff2d53
RuleName = Use of Adplus.exe
EventType = Process.Start
Tag = proc-start-use-of-adplus.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1003.001"]}
Query = ((Process.Path like r"%\\adplus.exe" or Process.Name == "Adplus.exe") and (Process.CommandLine like r"% -hang %" or Process.CommandLine like r"% -pn %" or Process.CommandLine like r"% -pmn %" or Process.CommandLine like r"% -p %" or Process.CommandLine like r"% -po %" or Process.CommandLine like r"% -c %" or Process.CommandLine like r"% -sc %"))

[ActivityMonitoringRule]
# Execute C# code with the Build Provider and proper folder structure in place.
# Detection logic: Process.Path contains both C:\Windows\Microsoft.NET\Framework (the prefix match also covers Framework64)
# and aspnet_compiler.exe ("\_" is the escaped literal underscore).
# NOTE(review): every execution of the framework's aspnet_compiler.exe matches, including legitimate site precompilation on
# build or IIS hosts; no command-line context is evaluated.
RuleId = a01b8329-5953-4f73-ae2d-aa01e1f35f00
RuleName = Suspicious aspnet_compiler.exe Execution
EventType = Process.Start
Tag = proc-start-suspicious-aspnet_compiler.exe-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = (Process.Path like r"%C:\\Windows\\Microsoft.NET\\Framework%" and Process.Path like r"%aspnet\_compiler.exe%")

[ActivityMonitoringRule]
# Performs execution of the specified file; can be used for defense evasion.
# Detection logic: a command line containing "bash.exe" and "-c ", unless the parent's command line is Git for Windows' post-install.bat.
# NOTE(review): only the command line is inspected (no Process.Path), so developer use of WSL or Git bash with "-c" will match.
# The exclusion is a substring test on the parent's command line, which is text an attacker can shape; keep it narrow.
RuleId = 5edc2273-c26f-406c-83f3-f4d948e740dd
RuleName = Suspicious Subsystem for Linux Bash Execution
EventType = Process.Start
Tag = proc-start-suspicious-subsystem-for-linux-bash-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1202"]}
Query = ((Process.CommandLine like r"%bash.exe%" and Process.CommandLine like r"%-c %") and not (((Parent.CommandLine like r"%C:\\Program Files\\Git\\post-install.bat%" or Parent.CommandLine like r"%C:\\Program Files (x86)\\Git\\post-install.bat%"))))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects the use of a Microsoft-signed script (CL_LoadAssembly.ps1) to execute commands and bypass AppLocker.
# Detection logic: either the script path "\CL_LoadAssembly.ps1" or the function name "LoadAssemblyFromPath " appears on the
# command line ("\_" is the escaped literal underscore). Note the "or": the function name alone is enough to fire.
RuleId = c57872c7-614f-4d7f-a40d-b78c8df2d30d
RuleName = CL_LoadAssembly.ps1 Proxy Execution
EventType = Process.Start
Tag = proc-start-cl_loadassembly.ps1-proxy-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1216"]}
Query = (Process.CommandLine like r"%\\CL\_LoadAssembly.ps1%" or Process.CommandLine like r"%LoadAssemblyFromPath %")

[ActivityMonitoringRule]
# Detects the use of a Microsoft-signed script (CL_Mutexverifiers.ps1) to execute commands.
# Detection logic: the script path "\CL_Mutexverifiers.ps1" and the function name "runAfterCancelProcess " both appear on the
# command line ("\_" is the escaped literal underscore).
RuleId = 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
RuleName = CL_Mutexverifiers.ps1 Proxy Execution
EventType = Process.Start
Tag = proc-start-cl_mutexverifiers.ps1-proxy-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1216"]}
Query = (Process.CommandLine like r"%\\CL\_Mutexverifiers.ps1%" and Process.CommandLine like r"%runAfterCancelProcess %")

[ActivityMonitoringRule]
# LOLBAS: Cmdl32 can be used to download a payload and evade antivirus
# Detection logic: cmdl32.exe (by path suffix or name) run with both "/vpn " and "/lan " on the command line.
RuleId = f37aba28-a9e6-4045-882c-d5004043b337
RuleName = Suspicious Cmdl32 Execution
EventType = Process.Start
Tag = proc-start-suspicious-cmdl32-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218", "T1202"]}
Query = ((Process.Path like r"%\\cmdl32.exe" or Process.Name == "CMDL32.EXE") and (Process.CommandLine like r"%/vpn %" and Process.CommandLine like r"%/lan %"))

[ActivityMonitoringRule]
# Upload file, credentials or data exfiltration with a binary that is part of Windows Defender
# Detection logic: ConfigSecurityPolicy.exe (by command line, path suffix or name) with an http://, https:// or ftp:// URL
# on the command line.
RuleId = 1f0f6176-6482-4027-b151-00071af39d7e
RuleName = Suspicious ConfigSecurityPolicy Execution
EventType = Process.Start
Tag = proc-start-suspicious-configsecuritypolicy-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1567"]}
Query = ((Process.CommandLine like r"%ConfigSecurityPolicy.exe%" or Process.Path like r"%\\ConfigSecurityPolicy.exe" or Process.Name == "ConfigSecurityPolicy.exe") and (Process.CommandLine like r"%https://%" or Process.CommandLine like r"%http://%" or Process.CommandLine like r"%ftp://%"))

[ActivityMonitoringRule]
# Adversaries can abuse the C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
# Detection logic: the command line contains both "cscript.exe" and "gatherNetworkInfo.vbs".
# NOTE(review): the script is a Windows component (it lives in System32), so legitimate invocations are possible; check the
# parent process and user before escalating.
RuleId = 575dce0c-8139-4e30-9295-1ee75969f7fe
RuleName = GatherNetworkInfo.vbs Script Usage
EventType = Process.Start
Tag = proc-start-gathernetworkinfo.vbs-script-usage
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.005"]}
Query = (Process.CommandLine like r"%cscript.exe%" and Process.CommandLine like r"%gatherNetworkInfo.vbs%")

[ActivityMonitoringRule]
# Detects when a user performs data exfiltration by using DataSvcUtil.exe
# Detection logic: DataSvcUtil.exe (by path suffix or name) with an /in:, /out: or /uri: argument.
RuleId = e290b10b-1023-4452-a4a9-eb31a9013b3a
RuleName = LOLBAS Data Exfiltration by DataSvcUtil.exe
EventType = Process.Start
Tag = proc-start-lolbas-data-exfiltration-by-datasvcutil.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1567"]}
Query = ((Process.CommandLine like r"%/in:%" or Process.CommandLine like r"%/out:%" or Process.CommandLine like r"%/uri:%") and (Process.Path like r"%\\DataSvcUtil.exe" or Process.Name == "DataSvcUtil.exe"))

[ActivityMonitoringRule]
# Download and compress a remote file and store it in a cab file on the local machine.
# Detection logic: the command line contains "diantz.exe", ".cab" and the term r"% \\\*" (a space followed by a backslash sequence).
# NOTE(review): that last pattern has no trailing "%", so it is end-anchored - it only matches when the command line ENDS with
# that sequence. Confirm this is intended; if the term is meant to catch a UNC source path (\\server\share), the .cab output
# argument normally follows it, so an unanchored "% \\\*%" may be what was wanted.
RuleId = 185d7418-f250-42d0-b72e-0c8b70661e93
RuleName = Suspicious Diantz Download and Compress Into a CAB File
EventType = Process.Start
Tag = proc-start-suspicious-diantz-download-and-compress-into-a-cab-file
RiskScore = 50
Annotation = {"mitre_attack": ["T1105"]}
Query = (Process.CommandLine like r"%diantz.exe%" and Process.CommandLine like r"% \\\*" and Process.CommandLine like r"%.cab%")

[ActivityMonitoringRule]
# Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
# Detection logic: the command line contains "winget" and "install" plus "-m " or "--manifest" (install from an arbitrary
# local manifest instead of the configured source).
RuleId = 313d6012-51a0-4d93-8dfc-de8553239e25
RuleName = Monitoring Winget For LOLbin Execution
EventType = Process.Start
Tag = proc-start-monitoring-winget-for-lolbin-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = (Process.CommandLine like r"%winget%" and Process.CommandLine like r"%install%" and (Process.CommandLine like r"%-m %" or Process.CommandLine like r"%--manifest%"))

[ActivityMonitoringRule]
# Extexport.exe loads a DLL and can be executed from a folder other than its original path (DLL side-loading LOLBIN)
# Detection logic: any process named Extexport.exe (by path suffix or name), or any command line mentioning it.
# NOTE(review): there is no path or argument restriction, so every execution fires, including one from the original location.
RuleId = fb0b815b-f5f6-4f50-970f-ffe21f253f7a
RuleName = Suspicious Extexport Execution
EventType = Process.Start
Tag = proc-start-suspicious-extexport-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.CommandLine like r"%Extexport.exe%" or Process.Path like r"%\\Extexport.exe" or Process.Name == "extexport.exe")

[ActivityMonitoringRule]
# Download or copy a file with Extrac32
# Detection logic: extrac32.exe with ".cab" and one of "/C", "/Y" or the r"% \\\*" term on the command line.
# NOTE(review): the last term has no trailing "%" and is therefore end-anchored (the command line must END with that
# sequence); confirm this is intended rather than an unanchored "% \\\*%".
RuleId = aa8e035d-7be4-48d3-a944-102aec04400d
RuleName = Suspicious Extrac32 Execution
EventType = Process.Start
Tag = proc-start-suspicious-extrac32-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1105"]}
Query = ((Process.CommandLine like r"%extrac32.exe%" or Process.Path like r"%\\extrac32.exe" or Process.Name == "extrac32.exe") and Process.CommandLine like r"%.cab%" and (Process.CommandLine like r"%/C%" or Process.CommandLine like r"%/Y%" or Process.CommandLine like r"% \\\*"))

[ActivityMonitoringRule]
# Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanisms
# Detection logic: findstr (by command-line mention, path suffix or name) with (/v or -v) and (/l or -l), or with (/s or -s) and (/i or -i).
# NOTE(review): the switch patterns are unanchored substrings ("-v" matches "-version", "/s" matches any path containing "/s"),
# and the "%findstr%" command-line alternative also matches any shell that merely pipes into findstr; this rule is noisy by construction.
RuleId = bf6c39fc-e203-45b9-9538-05397c1b4f3f
RuleName = Abusing Findstr for Defense Evasion
EventType = Process.Start
Tag = proc-start-abusing-findstr-for-defense-evasion
RiskScore = 50
Annotation = {"mitre_attack": ["T1218", "T1564.004", "T1552.001", "T1105"]}
Query = ((Process.CommandLine like r"%findstr%" or Process.Path like r"%findstr.exe" or Process.Name == "FINDSTR.EXE") and (((Process.CommandLine like r"%/v%" or Process.CommandLine like r"%-v%") and (Process.CommandLine like r"%/l%" or Process.CommandLine like r"%-l%")) or ((Process.CommandLine like r"%/s%" or Process.CommandLine like r"%-s%") and (Process.CommandLine like r"%/i%" or Process.CommandLine like r"%-i%"))))

[ActivityMonitoringRule]
# Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.
# Detection logic: forfiles.exe (by path suffix or name) with all three switches /p (or -p), /m (or -m) and /c (or -c).
RuleId = 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
RuleName = Use of Forfiles For Execution
EventType = Process.Start
Tag = proc-start-use-of-forfiles-for-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.Path like r"%\\forfiles.exe" or Process.Name == "forfiles.exe") and (Process.CommandLine like r"% /p %" or Process.CommandLine like r"% -p %") and (Process.CommandLine like r"% /m %" or Process.CommandLine like r"% -m %") and (Process.CommandLine like r"% /c %" or Process.CommandLine like r"% -c %"))

[ActivityMonitoringRule]
# The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and are listed in Microsoft's recommended block rules.
# Detection logic: any execution of fsianycpu.exe or fsi.exe (no argument filter), so developer use of F# Interactive will fire too.
RuleId = b96b2031-7c17-4473-afe7-a30ce714db29
RuleName = Use of FSharp Interpreters
EventType = Process.Start
Tag = proc-start-use-of-fsharp-interpreters
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = (Process.Path like r"%\\fsianycpu.exe" or Process.Name == "fsianycpu.exe" or Process.Path like r"%\\fsi.exe" or Process.Name == "fsi.exe")

[ActivityMonitoringRule]
# Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
# Detection logic: gpscript.exe (by path suffix or name) with " /logon" or " /startup" on the command line.
RuleId = 1e59c230-6670-45bf-83b0-98903780607e
RuleName = Gpscript Execution
EventType = Process.Start
Tag = proc-start-gpscript-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\gpscript.exe" or Process.Name == "GPSCRIPT.EXE") and (Process.CommandLine like r"% /logon%" or Process.CommandLine like r"% /startup%"))

[ActivityMonitoringRule]
# Detect use of Ilasm.exe to compile C# code into a dll or exe.
# Detection logic: any execution of ilasm.exe (no argument filter); hosts with .NET build tooling may fire regularly.
RuleId = 850d55f9-6eeb-4492-ad69-a72338f65ba4
RuleName = Ilasm Lolbin Use Compile C-Sharp
EventType = Process.Start
Tag = proc-start-ilasm-lolbin-use-compile-c-sharp
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = (Process.Path like r"%\\ilasm.exe" or Process.Name == "ilasm.exe")

[ActivityMonitoringRule]
# Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
# Detection logic: jsc.exe with ".js" on the command line (unanchored, so ".json" etc. also satisfy it).
RuleId = 52788a70-f1da-40dd-8fbd-73b5865d6568
RuleName = JSC Convert Javascript To Executable
EventType = Process.Start
Tag = proc-start-jsc-convert-javascript-to-executable
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = (Process.Path like r"%\\jsc.exe" and Process.CommandLine like r"%.js%")

[ActivityMonitoringRule]
# The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries
# Detection logic: mftrace.exe whose command line contains ".exe " and ends with ".exe", OR any process whose parent image is mftrace.exe.
RuleId = 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
RuleName = Use of Mftrace.exe
EventType = Process.Start
Tag = proc-start-use-of-mftrace.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = (((Process.Path like r"%\\mftrace.exe" or Process.Name == "mftrace.exe") and (Process.CommandLine like r"%.exe %" and Process.CommandLine like r"%.exe")) or Parent.Path like r"%\\mftrace.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries to bypass application whitelisting
# Detection logic: OpenConsole.exe anywhere except the Store-installed Windows Terminal package (the exclusion is a prefix
# match on C:\Program Files\WindowsApps\Microsoft.WindowsTerminal).
# NOTE(review): other legitimate install locations (e.g. a portable or per-user copy of Windows Terminal) are not excluded and will fire.
RuleId = 814c95cc-8192-4378-a70a-f1aafd877af1
RuleName = Use of OpenConsole
EventType = Process.Start
Tag = proc-start-use-of-openconsole
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = ((Process.Name == "OpenConsole.exe" or Process.Path like r"%\\OpenConsole.exe") and not (Process.Path like r"C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal%"))

[ActivityMonitoringRule]
# Execute commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This is used as a LOLBIN for example to bypass application whitelisting.
# Detection logic: pcalua.exe with " -a" on the command line.
RuleId = 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
RuleName = Use of Pcalua For Execution
EventType = Process.Start
Tag = proc-start-use-of-pcalua-for-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = (Process.Path like r"%\\pcalua.exe" and Process.CommandLine like r"% -a%")

[ActivityMonitoringRule]
# Tool to capture network packets on Windows 10 with the October 2018 Update or later.
# Detection logic: any execution of PktMon.exe (no argument filter).
# NOTE(review): the path pattern is "%PktMon.exe" without the "\\" separator used elsewhere in this file, so any image whose
# name merely ends in "PktMon.exe" matches as well; harmless, but inconsistent.
RuleId = f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
RuleName = Use of PktMon.exe
EventType = Process.Start
Tag = proc-start-use-of-pktmon.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1040"]}
Query = (Process.Path like r"%PktMon.exe" or Process.Name == "PktMon.exe")

[ActivityMonitoringRule]
# Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files. It can be abused to run malicious ".xbap" files and bypass AWL
# Detection logic: presentationhost.exe with ".xbap" on the command line, unless the command line contains "C:\Windows\" or "C:\Program Files".
# NOTE(review): the exclusion is a substring test on the whole command line, not on the .xbap argument, so an attacker can
# suppress the alert by adding a harmless extra argument that contains "C:\Windows\"; consider anchoring the exclusion to
# the .xbap path itself.
RuleId = d22e2925-cfd8-463f-96f6-89cec9d9bc5f
RuleName = Application Whitelisting Bypass via PresentationHost.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-presentationhost.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (((Process.Path like r"%\\presentationhost.exe" or Process.Name == "PresentationHost.exe") and Process.CommandLine like r"%.xbap%") and not ((Process.CommandLine like r"%C:\\Windows\\%" or Process.CommandLine like r"%C:\\Program Files%")))

[ActivityMonitoringRule]
# Detects the use of a Microsoft-signed script (pubprn.vbs) to execute commands.
# Detection logic: "\pubprn.vbs" together with a "script:" moniker on the command line.
RuleId = 1fb76ab8-fa60-4b01-bddd-71e89bf555da
RuleName = Pubprn.vbs Proxy Execution
EventType = Process.Start
Tag = proc-start-pubprn.vbs-proxy-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1216.001"]}
Query = (Process.CommandLine like r"%\\pubprn.vbs%" and Process.CommandLine like r"%script:%")

[ActivityMonitoringRule]
# Detects using Rasautou.exe for loading an arbitrary .DLL specified in the -d option and executing the export specified in -p.
# Detection logic: image path ends with \rasautou.exe (or Process.Name equals "rasdlui.exe") with both " -d " and " -p " on the command line.
# NOTE(review): "rasdlui.exe" differs from the image name used in the path alternative; it looks like the Sigma OriginalFileName
# of rasautou.exe mapped onto Process.Name by the converter. If Process.Name is the on-disk file name, that alternative never
# matches and the path suffix is the only effective selector - confirm against the uberAgent field semantics.
RuleId = cd3d1298-eb3b-476c-ac67-12847de55813
RuleName = DLL Execution via Rasautou.exe
EventType = Process.Start
Tag = proc-start-dll-execution-via-rasautou.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\rasautou.exe" or Process.Name == "rasdlui.exe") and (Process.CommandLine like r"% -d %" and Process.CommandLine like r"% -p %"))

[ActivityMonitoringRule]
# Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
# Detection logic: any execution of remote.exe (no argument filter).
# NOTE(review): "remote.exe" is a generic file name, so unrelated binaries that happen to use it will also match.
RuleId = 4eddc365-79b4-43ff-a9d7-99422dc34b93
RuleName = Use of Remote.exe
EventType = Process.Start
Tag = proc-start-use-of-remote.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = (Process.Path like r"%\\remote.exe" or Process.Name == "remote.exe")

[ActivityMonitoringRule]
# Detects the use of Replace.exe which can be used to replace a file with another file
# Detection logic: replace.exe with "/a" or "-a" on the command line (unanchored, so any argument containing "-a" also satisfies it).
RuleId = 9292293b-8496-4715-9db6-37028dcda4b3
RuleName = Replace.exe Usage
EventType = Process.Start
Tag = proc-start-replace.exe-usage
RiskScore = 50
Annotation = {"mitre_attack": ["T1105"]}
Query = (Process.Path like r"%\\replace.exe" and (Process.CommandLine like r"%/a%" or Process.CommandLine like r"%-a%"))

[ActivityMonitoringRule]
# An attacker may execute an application as a SCR file using rundll32.exe desk.cpl,InstallScreenSaver
# Detection logic: rundll32.exe with "InstallScreenSaver" on the command line.
RuleId = 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
RuleName = Rundll32 InstallScreenSaver Execution
EventType = Process.Start
Tag = proc-start-rundll32-installscreensaver-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%InstallScreenSaver%")

[ActivityMonitoringRule]
# The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
# Detection logic: ScriptRunner.exe (by path suffix or name) with " -appvscript " on the command line.
RuleId = 64760eef-87f7-4ed3-93fd-655668ea9420
RuleName = Use of Scriptrunner.exe
EventType = Process.Start
Tag = proc-start-use-of-scriptrunner.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\ScriptRunner.exe" or Process.Name == "ScriptRunner.exe") and Process.CommandLine like r"% -appvscript %")

[ActivityMonitoringRule]
# The "Squirrel.exe" binary that is part of multiple software packages (Slack, Teams, Discord...etc) can be used as a LOLBIN
# Detection logic: squirrel.exe with --download, --update or --updateRollback= and an "http" URL on the command line.
# NOTE(review): this is the only rule in this section without an Annotation line, so it carries no MITRE ATT&CK mapping;
# add one from the upstream Sigma rule's tags when regenerating.
RuleId = 45239e6a-b035-4aaf-b339-8ad379fcb67e
RuleName = Use of Squirrel.exe
EventType = Process.Start
Tag = proc-start-use-of-squirrel.exe
RiskScore = 50
Query = (Process.Path like r"%\\squirrel.exe" and (Process.CommandLine like r"% --download %" or Process.CommandLine like r"% --update %" or Process.CommandLine like r"% --updateRollback=%") and Process.CommandLine like r"%http%")

[ActivityMonitoringRule]
# Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
RuleId = a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
RuleName = Suspicious Driver Install by pnputil.exe
EventType = Process.Start
Tag = proc-start-suspicious-driver-install-by-pnputil.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1547"]}
Query = ((Process.CommandLine like r"%-i%" or Process.CommandLine like r"%/install%" or Process.CommandLine like r"%-a%" or Process.CommandLine like r"%/add-driver%" or Process.CommandLine like r"%.inf%") and Process.Path like r"%\\pnputil.exe")

[ActivityMonitoringRule]
# Detects execution of Dxcap.exe
RuleId = 60f16a96-db70-42eb-8f76-16763e333590
RuleName = Application Whitelisting Bypass via Dxcap.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dxcap.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\DXCap.exe" or Process.Name == "DXCap.exe") and Process.CommandLine like r"% -c %")

[ActivityMonitoringRule]
# Detects process dump via legitimate sqldumper.exe binary
RuleId = 23ceaf5c-b6f1-4a32-8559-f2ff734be516
RuleName = Dumping Process via Sqldumper.exe
EventType = Process.Start
Tag = proc-start-dumping-process-via-sqldumper.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1003.001"]}
Query = (Process.Path like r"%\\sqldumper.exe" and (Process.CommandLine like r"%0x0110%" or Process.CommandLine like r"%0x01100:40%"))

[ActivityMonitoringRule]
# Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
RuleId = dec44ca7-61ad-493c-bfd7-8819c5faa09b
RuleName = WSL Execution
EventType = Process.Start
Tag = proc-start-wsl-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218", "T1202"]}
Query = ((Process.Path like r"%\\wsl.exe" or Process.Name == "wsl.exe") and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% --exec %" or Process.CommandLine like r"% --system %" or Process.CommandLine like r"% /mnt/c%"))

[ActivityMonitoringRule]
# Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
RuleId = fbd7c32d-db2a-4418-b92c-566eb8911133
RuleName = SyncAppvPublishingServer Execute Arbitrary PowerShell Code
EventType = Process.Start
Tag = proc-start-syncappvpublishingserver-execute-arbitrary-powershell-code
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\SyncAppvPublishingServer.exe" and Process.CommandLine like r"%\"n; %")

[ActivityMonitoringRule]
# Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
RuleId = 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
RuleName = SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
EventType = Process.Start
Tag = proc-start-syncappvpublishingserver-vbs-execute-arbitrary-powershell-code
RiskScore = 50
Annotation = {"mitre_attack": ["T1218", "T1216"]}
Query = (Process.CommandLine like r"%\\SyncAppvPublishingServer.vbs%" and Process.CommandLine like r"%;%")

[ActivityMonitoringRule]
# Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer for Time Travel Debugging (underlying call of tttracer.exe)
# NOTE(review): unlike the other rules in this file, the Path pattern has no leading "\\" separator, so any path whose name merely ends in "ttdinject.exe" also matches; the Name branch uses == rather than like
RuleId = b27077d6-23e6-45d2-81a0-e2b356eea5fd
RuleName = Use of TTDInject.exe
EventType = Process.Start
Tag = proc-start-use-of-ttdinject.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = (Process.Path like r"%ttdinject.exe" or Process.Name == "TTDInject.EXE")

[ActivityMonitoringRule]
# Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
RuleId = 0403d67d-6227-4ea8-8145-4e72db7da120
RuleName = UtilityFunctions.ps1 Proxy Dll
EventType = Process.Start
Tag = proc-start-utilityfunctions.ps1-proxy-dll
RiskScore = 50
Annotation = {"mitre_attack": ["T1216"]}
Query = (Process.CommandLine like r"%UtilityFunctions.ps1%" or Process.CommandLine like r"%RegSnapin %")

[ActivityMonitoringRule]
# VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
RuleId = b30a8bc5-e21b-4ca2-9420-0a94019ac56a
RuleName = Use of VisualUiaVerifyNative.exe
EventType = Process.Start
Tag = proc-start-use-of-visualuiaverifynative.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\VisualUiaVerifyNative.exe" or Process.Name == "VisualUiaVerifyNative.exe")

[ActivityMonitoringRule]
# The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
RuleId = 18749301-f1c5-4efc-a4c3-276ff1f5b6f8
RuleName = Use of VSIISExeLauncher.exe
EventType = Process.Start
Tag = proc-start-use-of-vsiisexelauncher.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = ((Process.Path like r"%\\VSIISExeLauncher.exe" or Process.Name == "VSIISExeLauncher.exe") and (Process.CommandLine like r"% -p %" or Process.CommandLine like r"% -a %"))

[ActivityMonitoringRule]
# The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
RuleId = 49be8799-7b4d-4fda-ad23-cafbefdebbc5
RuleName = Use of Wfc.exe
EventType = Process.Start
Tag = proc-start-use-of-wfc.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1127"]}
Query = (Process.Path like r"%\\wfc.exe" or Process.Name == "wfc.exe")

[ActivityMonitoringRule]
# Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
# NOTE(review): the exclusion compares Parent.Path against the literal "C:\\Windows\\System32\\winlogon.exe" with no wildcard, so a winlogon.exe parent on another drive or path is not excluded
# NOTE(review): this rule carries no mitre_attack Annotation, unlike its siblings; RuleName and Tag keep the original "Laucher" spelling because the Tag is an identifier
RuleId = 9cfc00b6-bfb7-49ce-9781-ef78503154bb
RuleName = Wlrmdr Lolbin Use as Laucher
EventType = Process.Start
Tag = proc-start-wlrmdr-lolbin-use-as-laucher
RiskScore = 50
Query = ((Process.Path like r"%\\wlrmdr.exe" and Process.CommandLine like r"%-s %" and Process.CommandLine like r"%-f %" and Process.CommandLine like r"%-t %" and Process.CommandLine like r"%-m %" and Process.CommandLine like r"%-a %" and Process.CommandLine like r"%-u %") and not (Parent.Path like r"C:\\Windows\\System32\\winlogon.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a command that accesses password storing registry hives via volume shadow backups
RuleId = f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
RuleName = Sensitive Registry Access via Volume Shadow Copy
EventType = Process.Start
Tag = proc-start-sensitive-registry-access-via-volume-shadow-copy
RiskScore = 50
Annotation = {"mitre_attack": ["T1490"]}
Query = (Process.CommandLine like r"%\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%" and (Process.CommandLine like r"%\\NTDS.dit%" or Process.CommandLine like r"%\\SYSTEM%" or Process.CommandLine like r"%\\SECURITY%" or Process.CommandLine like r"%C:\\tmp\\log%"))

[ActivityMonitoringRule]
# Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
RuleId = c363385c-f75d-4753-a108-c1a8e28bdbda
RuleName = Suspicious Usage of the Manage-bde.wsf Script
EventType = Process.Start
Tag = proc-start-suspicious-usage-of-the-manage-bde.wsf-script
RiskScore = 50
Annotation = {"mitre_attack": ["T1216"]}
Query = (Process.CommandLine like r"%cscript%" and Process.CommandLine like r"%manage-bde.wsf%")

[ActivityMonitoringRule]
# Detects well-known mimikatz command line arguments
RuleId = a642964e-bead-4bed-8910-1bb4d63e3b4d
RuleName = Mimikatz Command Line
EventType = Process.Start
Tag = proc-start-mimikatz-command-line
RiskScore = 50
Annotation = {"mitre_attack": ["T1003.001", "T1003.002", "T1003.004", "T1003.005", "T1003.006"]}
Query = ((((Process.CommandLine like r"%DumpCreds%" or Process.CommandLine like r"%invoke-mimikatz%") or ((Process.CommandLine like r"%rpc%" or Process.CommandLine like r"%token%" or Process.CommandLine like r"%crypto%" or Process.CommandLine like r"%dpapi%" or Process.CommandLine like r"%sekurlsa%" or Process.CommandLine like r"%kerberos%" or Process.CommandLine like r"%lsadump%" or Process.CommandLine like r"%privilege%" or Process.CommandLine like r"%process%" or Process.CommandLine like r"%vault%") and Process.CommandLine like r"%::%")) or ((Process.CommandLine like r"%aadcookie%" or Process.CommandLine like r"%detours%" or Process.CommandLine like r"%memssp%" or Process.CommandLine like r"%mflt%" or Process.CommandLine like r"%ncroutemon%" or Process.CommandLine like r"%ngcsign%" or Process.CommandLine like r"%printnightmare%" or Process.CommandLine like r"%skeleton%" or Process.CommandLine like r"%preshutdown%" or Process.CommandLine like r"%mstsc%" or Process.CommandLine like r"%multirdp%") and Process.CommandLine like r"%::%")) and not ((Process.CommandLine like r"%function Convert-GuidToCompressedGuid%")))

[ActivityMonitoringRule]
# Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.
RuleId = 38879043-7e1e-47a9-8d46-6bec88e201df
RuleName = Modification Of Existing Services For Persistence
EventType = Process.Start
Tag = proc-start-modification-of-existing-services-for-persistence
RiskScore = 50
Annotation = {"mitre_attack": ["T1543.003", "T1574.011"]}
Query = ((Process.CommandLine like r"%sc %" and Process.CommandLine like r"%config %" and Process.CommandLine like r"%binpath=%") or (Process.CommandLine like r"%sc %" and Process.CommandLine like r"%failure%" and Process.CommandLine like r"%command=%") or (Process.CommandLine like r"%reg %" and Process.CommandLine like r"%add %" and Process.CommandLine like r"%FailureCommand%" and (Process.CommandLine like r"%.sh%" or Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bin$%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cmd%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.msh$%" or Process.CommandLine like r"%.reg$%" or Process.CommandLine like r"%.scr%" or Process.CommandLine like r"%.ps%" or Process.CommandLine like r"%.vb%" or Process.CommandLine like r"%.jar%" or Process.CommandLine like r"%.pl%")) or (Process.CommandLine like r"%reg %" and Process.CommandLine like r"%add %" and Process.CommandLine like r"%ImagePath%" and (Process.CommandLine like r"%.sh%" or Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bin$%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cmd%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.msh$%" or Process.CommandLine like r"%.reg$%" or Process.CommandLine like r"%.scr%" or Process.CommandLine like r"%.ps%" or Process.CommandLine like r"%.vb%" or Process.CommandLine like r"%.jar%" or Process.CommandLine like r"%.pl%")))

[ActivityMonitoringRule]
# BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
RuleId = b9cbbc17-d00d-4e3d-a827-b06d03d2380d
RuleName = Monitoring For Persistence Via BITS
EventType = Process.Start
Tag = proc-start-monitoring-for-persistence-via-bits
RiskScore = 50
Annotation = {"mitre_attack": ["T1197"]}
Query = ((Process.CommandLine like r"%bitsadmin%" and Process.CommandLine like r"%/SetNotifyCmdLine%" and (Process.CommandLine like r"%\%COMSPEC\%%" or Process.CommandLine like r"%cmd.exe%" or Process.CommandLine like r"%regsvr32.exe%")) or (Process.CommandLine like r"%bitsadmin%" and Process.CommandLine like r"%/Addfile%" and (Process.CommandLine like r"%http:%" or Process.CommandLine like r"%https:%" or Process.CommandLine like r"%ftp:%" or Process.CommandLine like r"%ftps:%")))

[ActivityMonitoringRule]
# Detects file execution using the msdeploy.exe lolbin
RuleId = 646bc99f-6682-4b47-a73a-17b1b64c9d34
RuleName = Execute Files with Msdeploy.exe
EventType = Process.Start
Tag = proc-start-execute-files-with-msdeploy.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.CommandLine like r"%verb:sync%" and Process.CommandLine like r"%-source:RunCommand%" and Process.CommandLine like r"%-dest:runCommand%" and Process.Path like r"%\\msdeploy.exe")

[ActivityMonitoringRule]
# Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
RuleId = dc4576d4-7467-424f-9eee-fd2b02855fe0
RuleName = MSDT.EXE Execution With Suspicious Cab Option
EventType = Process.Start
Tag = proc-start-msdt.exe-execution-with-suspicious-cab-option
RiskScore = 50
Annotation = {"mitre_attack": ["T1202"]}
Query = ((Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe") and (Process.CommandLine like r"% /cab %" or Process.CommandLine like r"% -cab %"))

[ActivityMonitoringRule]
# Detects MsiExec loading a DLL and calling its DllUnregisterServer function
RuleId = 84f52741-8834-4a8c-a413-2eb2269aa6c8
RuleName = Suspicious Msiexec Load DLL
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-load-dll
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.007"]}
Query = (Process.Path like r"%\\msiexec.exe" and Process.CommandLine like r"% /z %" and Process.CommandLine like r"%.dll%")

[ActivityMonitoringRule]
# Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
RuleId = 4a2a2c3e-209f-4d01-b513-4155a540b469
RuleName = Suspicious MsiExec Embedding Parent
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-embedding-parent
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.007"]}
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe") and Parent.CommandLine like r"%MsiExec.exe%" and Parent.CommandLine like r"%-Embedding %") and not ((Process.Path like r"%:\\Windows\\System32\\cmd.exe" and Process.CommandLine like r"%C:\\Program Files\\SplunkUniversalForwarder\\bin\\%") or (Process.CommandLine like r"%\\DismFoDInstall.cmd%" or Parent.CommandLine like r"%\\MsiExec.exe -Embedding %" and Parent.CommandLine like r"%Global\\MSI0000%")))
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
# Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
RuleId = 6f4191bb-912b-48a8-9ce7-682769541e6d
RuleName = Suspicious Msiexec Execute Arbitrary DLL
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-execute-arbitrary-dll
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.007"]}
Query = ((Process.Path like r"%\\msiexec.exe" and Process.CommandLine like r"% /y%") and not (((Process.CommandLine like r"%\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll%" or Process.CommandLine like r"%\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll%" or Process.CommandLine like r"%\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll%" or Process.CommandLine like r"%\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll%" or Process.CommandLine like r"%\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\%" or Process.CommandLine like r"%\\MsiExec.exe\" /Y C:\\Windows\\CCM\\%"))))

[ActivityMonitoringRule]
# Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
RuleId = 954f0af7-62dd-418f-b3df-a84bc2c7a774
RuleName = Remote Desktop Protocol Use Mstsc
EventType = Process.Start
Tag = proc-start-remote-desktop-protocol-use-mstsc
RiskScore = 50
Annotation = {"mitre_attack": ["T1021.001"]}
Query = (((Process.Path like r"%\\mstsc.exe" or Process.Name == "mstsc.exe") and Process.CommandLine like r"% /v:%") or ((Process.Path like r"%\\cmdkey.exe" or Process.Name == "cmdkey.exe") and (Process.CommandLine like r"% /g%" and Process.CommandLine like r"% /u%" and Process.CommandLine like r"% /p%")))

[ActivityMonitoringRule]
# Allow Incoming Connections by Port or Application on Windows Firewall
RuleId = cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
RuleName = Netsh Port or Application Allowed
EventType = Process.Start
Tag = proc-start-netsh-port-or-application-allowed
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.004"]}
Query = ((Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%") and not (((Process.CommandLine like r"%\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any%" or Process.CommandLine like r"%\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any%"))))

[ActivityMonitoringRule]
# Adversaries may modify system firewalls in order to bypass controls limiting network usage
RuleId = 347906f3-e207-4d18-ae5b-a9403d6bcdef
RuleName = Netsh Allow Group Policy on Microsoft Defender Firewall
EventType = Process.Start
Tag = proc-start-netsh-allow-group-policy-on-microsoft-defender-firewall
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.004"]}
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%advfirewall%" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%set%" and Process.CommandLine like r"%rule%" and Process.CommandLine like r"%group=%" and Process.CommandLine like r"%new%" and Process.CommandLine like r"%enable=Yes%")

[ActivityMonitoringRule]
# Detects capturing a network trace via the netsh.exe trace functionality
# NOTE(review): the query matches only on command-line substrings ("netsh", "trace", "start") with no Process.Path constraint, so any process whose command line contains all three matches
RuleId = d3c3861d-c504-4c77-ba55-224ba82d0118
RuleName = Capture a Network Trace with netsh.exe
EventType = Process.Start
Tag = proc-start-capture-a-network-trace-with-netsh.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1040"]}
Query = (Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%start%")

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding (PortProxy)
RuleId = 322ed9ec-fcab-4f67-9a34-e7c6aef43614
RuleName = Netsh Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-port-forwarding
RiskScore = 50
Annotation = {"mitre_attack": ["T1090"]}
Query = ((Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%interface%" and Process.CommandLine like r"%portproxy%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%v4tov4%") or (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%connectp%" and Process.CommandLine like r"%listena%" and Process.CommandLine like r"%c=%"))

[ActivityMonitoringRule]
# Detect the harvesting of wifi credentials using netsh.exe
RuleId = 42b1a5b8-353f-4f10-b256-39de4467faff
RuleName = Harvesting of Wifi Credentials Using netsh.exe
EventType = Process.Start
Tag = proc-start-harvesting-of-wifi-credentials-using-netsh.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1040"]}
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%wlan%" and Process.CommandLine like r"% s%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"% k%" and Process.CommandLine like r"%=clear%")

[ActivityMonitoringRule]
# Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
# NOTE(review): "%ping%" and "%nslookup%" are substring matches, so a command line containing "for " together with e.g. "mapping" also satisfies the query; there is no Process.Path constraint, so expect tuning in environments with scripted loops
RuleId = f8ad2e2c-40b6-4117-84d7-20b89896ab23
RuleName = Suspicious Scan Loop Network
EventType = Process.Start
Tag = proc-start-suspicious-scan-loop-network
RiskScore = 50
Annotation = {"mitre_attack": ["T1059", "T1018"]}
Query = ((Process.CommandLine like r"%for %" or Process.CommandLine like r"%foreach %") and (Process.CommandLine like r"%nslookup%" or Process.CommandLine like r"%ping%"))

[ActivityMonitoringRule]
# Identifies creation of local users via the net.exe command.
RuleId = cd219ff3-fa99-45d4-8380-a7d15116c6dc
RuleName = Net.exe User Account Creation
EventType = Process.Start
Tag = proc-start-net.exe-user-account-creation
RiskScore = 50
Annotation = {"mitre_attack": ["T1136.001"]}
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%" and Process.CommandLine like r"%add%")

[ActivityMonitoringRule]
# Detects when an admin share is mounted using net.exe
RuleId = 3abd6094-7027-475f-9630-8ab9be7b9725
RuleName = Mounted Windows Admin Shares with net.exe
EventType = Process.Start
Tag = proc-start-mounted-windows-admin-shares-with-net.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1021.002"]}
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% use %" and Process.CommandLine like r"%\\\*\\%$%")

[ActivityMonitoringRule]
# Detects nltest commands that can be used for information discovery
RuleId = 5cc90652-4cbd-4241-aa3b-4b462fa5a248
RuleName = Recon Activity with NLTEST
EventType = Process.Start
Tag = proc-start-recon-activity-with-nltest
RiskScore = 50
Annotation = {"mitre_attack": ["T1016", "T1482"]}
Query = (Process.Path like r"%\\nltest.exe" and ((Process.CommandLine like r"%/server%" and Process.CommandLine like r"%/query%") or (Process.CommandLine like r"%/dclist:%" or Process.CommandLine like r"%/parentdomain%" or Process.CommandLine like r"%/domain\_trusts%" or Process.CommandLine like r"%/trusted\_domains%" or Process.CommandLine like r"%/user%")))

[ActivityMonitoringRule]
# Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack responsible for executing commands and packages on remote machines
RuleId = 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
RuleName = Suspicious Execution Of PDQDeployRunner
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-pdqdeployrunner
RiskScore = 50
Query = (Parent.Path like r"%PDQDeployRunner-%" and ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\csc.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\wsl.exe") or (Process.Path like r"%C:\\Users\\Public\\%" or Process.Path like r"%C:\\ProgramData\\%" or Process.Path like r"%C:\\Windows\\TEMP\\%" or Process.Path like r"%\\AppData\\Local\\Temp%") or (Process.CommandLine like r"%iex %" or Process.CommandLine like r"%Invoke-%" or Process.CommandLine like r"%DownloadString%" or Process.CommandLine like r"%http%" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -encodedcommand %" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -w hidden%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects audio capture via PowerShell Cmdlet.
RuleId = 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
RuleName = Audio Capture via PowerShell
EventType = Process.Start
Tag = proc-start-audio-capture-via-powershell
RiskScore = 50
Annotation = {"mitre_attack": ["T1123"]}
Query = Process.CommandLine like r"%WindowsAudioDevice-Powershell-Cmdlet%"

[ActivityMonitoringRule]
# Detects specific combinations of encoding methods in the PowerShell command lines
RuleId = 5b572dcf-254b-425c-a8c5-d9af6bea35a6
RuleName = Suspicious Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-suspicious-encoded-powershell-command-line
RiskScore = 50
Annotation = {"mitre_attack": ["T1027", "T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%ForEach%" and Process.CommandLine like r"%Xor%")

[ActivityMonitoringRule]
# Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
RuleId = 17769c90-230e-488b-a463-e05c08e9d48f
RuleName = Powershell Defender Exclusion
EventType = Process.Start
Tag = proc-start-powershell-defender-exclusion
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.CommandLine like r"%Add-MpPreference %" or Process.CommandLine like r"%Set-MpPreference %") and (Process.CommandLine like r"% -ExclusionPath %" or Process.CommandLine like r"% -ExclusionExtension %" or Process.CommandLine like r"% -ExclusionProcess %" or Process.CommandLine like r"% -ExclusionIpAddress %"))

[ActivityMonitoringRule]
# Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
RuleId = b3512211-c67e-4707-bedc-66efc7848863
RuleName = PowerShell Downgrade Attack
EventType = Process.Start
Tag = proc-start-powershell-downgrade-attack
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -version 2 %" or Process.CommandLine like r"% -versio 2 %" or Process.CommandLine like r"% -versi 2 %" or Process.CommandLine like r"% -vers 2 %" or Process.CommandLine like r"% -ver 2 %" or Process.CommandLine like r"% -ve 2 %"))

[ActivityMonitoringRule]
# Detects a Powershell process that contains download commands in its command line string
RuleId = 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
RuleName = PowerShell Download from URL
EventType = Process.Start
Tag = proc-start-powershell-download-from-url
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%new-object%" and Process.CommandLine like r"%net.webclient).%" and Process.CommandLine like r"%download%" and (Process.CommandLine like r"%string(%" or Process.CommandLine like r"%file(%"))

[ActivityMonitoringRule]
# Detects usage of the 'Get-Clipboard' cmdlet via CLI
# NOTE(review): command-line substring match only, with no Process.Path constraint (unlike the powershell.exe/pwsh.exe rules above), so any process whose command line contains "Get-Clipboard" matches
RuleId = b9aeac14-2ffd-4ad3-b967-1354a4e628c3
RuleName = PowerShell Get-Clipboard Cmdlet Via CLI
EventType = Process.Start
Tag = proc-start-powershell-get-clipboard-cmdlet-via-cli
RiskScore = 50
Annotation = {"mitre_attack": ["T1115"]}
Query = Process.CommandLine like r"%Get-Clipboard%"

[ActivityMonitoringRule]
# Detects uses of the SysInternals Procdump utility
# NOTE(review): the second branch matches any process whose command line contains " -ma " and ".exe" with no path constraint; it is presumably meant to catch a renamed procdump and may also match unrelated tools that accept a -ma switch
RuleId = 2e65275c-8288-4ab4-aeb7-6274f58b6b20
RuleName = Procdump Usage
EventType = Process.Start
Tag = proc-start-procdump-usage
RiskScore = 50
Annotation = {"mitre_attack": ["T1036", "T1003.001"]}
Query = ((Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe") or (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"%.exe%"))

[ActivityMonitoringRule]
# Detects an attack via documents through the protocol handler in Microsoft Office. On successful execution of the emulated attack you should see Microsoft Word launch a blank file.
RuleId = 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
RuleName = ProtocolHandler.exe Downloaded Suspicious File
EventType = Process.Start
Tag = proc-start-protocolhandler.exe-downloaded-suspicious-file
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\protocolhandler.exe" and Process.CommandLine like r"%\"ms-word%" and Process.CommandLine like r"%.docx\"%")

[ActivityMonitoringRule]
# Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
RuleId = 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
RuleName = Query Usage To Exfil Data
EventType = Process.Start
Tag = proc-start-query-usage-to-exfil-data
RiskScore = 50
Query = (Process.Path like r"%\\Windows\\System32\\query.exe" and (Process.CommandLine like r"%session >%" or Process.CommandLine like r"%process >%"))

[ActivityMonitoringRule]
# Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session
# NOTE(review): the exclusion "not (... like r"%:\\%")" drops every command line containing a drive-letter path (e.g. "C:\"), including ones that also write to an ADS; only command lines using relative paths can still match
RuleId = 70e68156-6571-427b-a6e9-4476a173a9b6
RuleName = Cmd Stream Redirection
EventType = Process.Start
Tag = proc-start-cmd-stream-redirection
RiskScore = 50
Annotation = {"mitre_attack": ["T1564.004"]}
Query = ((Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%> %" and Process.CommandLine like r"%:%") and not (Process.CommandLine like r"%:\\%"))

[ActivityMonitoringRule]
# Detects suspicious command line reg.exe tool adding key to RUN key in Registry
RuleId = de587dce-915e-4218-aac4-835ca6af6f70
RuleName = Reg Add RUN Key
EventType = Process.Start
Tag = proc-start-reg-add-run-key
RiskScore = 50
Annotation = {"mitre_attack": ["T1547.001"]}
Query = (Process.CommandLine like r"%reg%" and Process.CommandLine like r"% ADD %" and Process.CommandLine like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run%")

[ActivityMonitoringRule]
# Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.
# NOTE(review): the trailing "%0%" term matches any command line containing the digit 0 and adds little selectivity on its own; the Exclusions\Paths key together with ADD /t REG_DWORD /v /d carries the detection
RuleId = 48917adc-a28e-4f5d-b729-11e75da8941f
RuleName = Registry Defender Exclusions
EventType = Process.Start
Tag = proc-start-registry-defender-exclusions
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths%" or Process.CommandLine like r"%HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths%") and Process.CommandLine like r"%ADD %" and Process.CommandLine like r"%/t %" and Process.CommandLine like r"%REG\_DWORD %" and Process.CommandLine like r"%/v %" and Process.CommandLine like r"%/d %" and Process.CommandLine like r"%0%")

[ActivityMonitoringRule]
# Detects the import of the '.reg' files from suspicious paths using the 'reg.exe' utility
RuleId = 62e0298b-e994-4189-bc87-bc699aa62d97
RuleName = Imports Registry Key From a File Using Reg.exe
EventType = Process.Start
Tag = proc-start-imports-registry-key-from-a-file-using-reg.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1112"]}
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"% import %" and (Process.CommandLine like r"%C:\\Users\\%" or Process.CommandLine like r"%\%temp\%%" or Process.CommandLine like r"%\%appdata\%%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%" or Process.CommandLine like r"%C:\\ProgramData\\%"))

[ActivityMonitoringRule]
# Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
# Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
# Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
RuleId = 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
RuleName = Service ImagePath Change with Reg.exe
EventType = Process.Start
Tag = proc-start-service-imagepath-change-with-reg.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1574.011"]}
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add %" and Process.CommandLine like r"%SYSTEM\\CurrentControlSet\\Services\\%" and Process.CommandLine like r"% ImagePath %" and (Process.CommandLine like r"% /d %" or Process.CommandLine like r"% -d %"))

[ActivityMonitoringRule]
# Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
RuleId = 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
RuleName = Remote PowerShell Session Host Process (WinRM)
EventType = Process.Start
Tag = proc-start-remote-powershell-session-host-process-(winrm)
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001", "T1021.006"]}
Query = (Process.Path like r"%\\wsmprovhost.exe" or Parent.Path like r"%\\wsmprovhost.exe")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
RuleId = 9719a8aa-401c-41af-8108-ced7ec9cd75c
RuleName = Remove Windows Defender Definition Files
EventType = Process.Start
Tag = proc-start-remove-windows-defender-definition-files
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.Name == "MpCmdRun.exe" and Process.CommandLine like r"% -RemoveDefinitions%" and Process.CommandLine like r"% -All%")

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging the Sysmon OriginalFileName datapoint.
# NOTE(review): the query pairs an expected Process.Name with a "not" on the matching Process.Path, so it only
# makes sense if Process.Name carries the executable's embedded OriginalFileName rather than the on-disk file
# name; if Process.Name were derived from Process.Path the two halves would contradict each other and the rule
# could never fire - confirm against the uberAgent field reference. The Process.Name comparisons use "like"
# without any wildcard, i.e. they are whole-string matches (case handling not visible here).
RuleId = 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
RuleName = Renamed Binary
EventType = Process.Start
Tag = proc-start-renamed-binary
RiskScore = 50
Annotation = {"mitre_attack": ["T1036.003"]}
Query = ((Process.Name like r"Cmd.Exe" or Process.Name like r"CONHOST.EXE" or Process.Name like r"PowerShell.EXE" or Process.Name like r"pwsh.dll" or Process.Name like r"powershell\_ise.EXE" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"MSHTA.EXE" or Process.Name like r"REGSVR32.EXE" or Process.Name like r"wmic.exe" or Process.Name like r"CertUtil.exe" or Process.Name like r"RUNDLL32.EXE" or Process.Name like r"CMSTP.EXE" or Process.Name like r"msiexec.exe" or Process.Name like r"7z.exe" or Process.Name like r"WinRAR.exe" or Process.Name like r"wevtutil.exe" or Process.Name like r"net.exe" or Process.Name like r"net1.exe" or Process.Name like r"netsh.exe") and not ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\WMIC.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\7z.exe" or Process.Path like r"%\\WinRAR.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netsh.exe")))

[ActivityMonitoringRule]
# Execution of a renamed version of the Plink binary
# NOTE(review): like the "Renamed Binary" rule, this relies on Process.Name being the embedded OriginalFileName
# ("Plink") and not the on-disk name; otherwise the "not ... plink.exe" path filter would always cancel the match.
RuleId = 1c12727d-02bf-45ff-a9f3-d49806a3cf43
RuleName = Execution Of Renamed Plink Binary
EventType = Process.Start
Tag = proc-start-execution-of-renamed-plink-binary
RiskScore = 50
Annotation = {"mitre_attack": ["T1036"]}
Query = (Process.Name == "Plink" and not (Process.Path like r"%\\plink.exe"))

[ActivityMonitoringRule]
# Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
RuleId = 46591fae-7a4c-46ea-aec3-dff5e6d785dc
RuleName = Root Certificate Installed
EventType = Process.Start
Tag = proc-start-root-certificate-installed
RiskScore = 50
Annotation = {"mitre_attack": ["T1553.004"]}
Query = ((Process.Path like r"%\\certutil.exe" and Process.CommandLine like r"%-addstore%" and Process.CommandLine like r"%root%") or (Process.Path like r"%\\CertMgr.exe" and Process.CommandLine like r"%/add%" and Process.CommandLine like r"%root%"))

[ActivityMonitoringRule]
# Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.
RuleId = 1723e720-616d-4ddc-ab02-f7e3685a4713
RuleName = Rundll32 With Suspicious Parent Process
EventType = Process.Start
Tag = proc-start-rundll32-with-suspicious-parent-process
RiskScore = 50
Query = ((Process.Path like r"%\\rundll32.exe" and Parent.Path like r"%\\explorer.exe") and not (Process.CommandLine like r"%\\shell32.dll,OpenAs\_RunDLL%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Payloads may be compressed, archived, or encrypted in order to avoid detection
RuleId = 1a70042a-6622-4a2b-8958-267625349abf
RuleName = Run from a Zip File
EventType = Process.Start
Tag = proc-start-run-from-a-zip-file
RiskScore = 50
Annotation = {"mitre_attack": ["T1485"]}
Query = Process.Path like r"%.zip\\%"

[ActivityMonitoringRule]
# A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used for UAC bypass techniques.
RuleId = da2738f2-fadb-4394-afa7-0a0674885afa
RuleName = Sdclt Child Processes
EventType = Process.Start
Tag = proc-start-sdclt-child-processes
RiskScore = 50
Annotation = {"mitre_attack": ["T1548.002"]}
Query = Parent.Path like r"%\\sdclt.exe"
GenericProperty1 = Parent.Path

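[ActivityMonitoringRule]
# Use of SDelete to erase a file rather than the free space
# The filter excludes the free-space (-c, -z) and help (-h, /?) invocations. The help switch is written with an
# escaped question mark: an unescaped "_" is the single-character wildcard of "like" (compare the "\_" escapes
# used for literal underscores elsewhere in this file), so the former "% /_%" suppressed every command line that
# contained " /" followed by any character, not just the help switch.
RuleId = a4824fca-976f-4964-b334-0621379e84c4
RuleName = Sysinternals SDelete Delete File
EventType = Process.Start
Tag = proc-start-sysinternals-sdelete-delete-file
RiskScore = 50
Annotation = {"mitre_attack": ["T1485"]}
Query = (Process.Name == "sdelete.exe" and not ((Process.CommandLine like r"% -h%" or Process.CommandLine like r"% -c%" or Process.CommandLine like r"% -z%" or Process.CommandLine like r"% /\?%")))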

[ActivityMonitoringRule]
# Detects use of the executionpolicy option to set an unsecure policy
RuleId = 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
RuleName = Change PowerShell Policies to an Unsecure Level
EventType = Process.Start
Tag = proc-start-change-powershell-policies-to-an-unsecure-level
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.CommandLine like r"% -executionpolicy %" or Process.CommandLine like r"% -ep %" or Process.CommandLine like r"% -exec %") and (Process.CommandLine like r"%Unrestricted%" or Process.CommandLine like r"%bypass%" or Process.CommandLine like r"%RemoteSigned%"))

[ActivityMonitoringRule]
# Shadow Copies storage symbolic link creation using operating systems utilities
RuleId = 40b19fa6-d835-400c-b301-41f3a2baacaf
RuleName = Shadow Copies Access via Symlink
EventType = Process.Start
Tag = proc-start-shadow-copies-access-via-symlink
RiskScore = 50
Annotation = {"mitre_attack": ["T1003.002", "T1003.003"]}
Query = (Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%HarddiskVolumeShadowCopy%")

[ActivityMonitoringRule]
# Shadow Copies creation using operating systems utilities, possible credential access
RuleId = b17ea6f7-6e90-447e-a799-e6c0a493d6ce
RuleName = Shadow Copies Creation Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-creation-using-operating-systems-utilities
RiskScore = 50
Annotation = {"mitre_attack": ["T1003", "T1003.002", "T1003.003"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe") and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%create%")

[ActivityMonitoringRule]
# Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
RuleId = dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
RuleName = Shells Spawned by Java
EventType = Process.Start
Tag = proc-start-shells-spawned-by-java
RiskScore = 50
Query = ((Parent.Path like r"%\\java.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe")) and not (Parent.Path like r"%build%" and Process.CommandLine like r"%build%"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
RuleId = e13f668e-7f95-443d-98d2-1816a7648a7b
RuleName = Detected Windows Software Discovery
EventType = Process.Start
Tag = proc-start-detected-windows-software-discovery
RiskScore = 50
Annotation = {"mitre_attack": ["T1518"]}
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%query%" and Process.CommandLine like r"%\\software\\%" and Process.CommandLine like r"%/v%" and Process.CommandLine like r"%svcversion%")

[ActivityMonitoringRule]
# Detect attacker collecting audio via SoundRecorder application.
RuleId = 83865853-59aa-449e-9600-74b9d89a6d6e
RuleName = Audio Capture via SoundRecorder
EventType = Process.Start
Tag = proc-start-audio-capture-via-soundrecorder
RiskScore = 50
Annotation = {"mitre_attack": ["T1123"]}
Query = (Process.Path like r"%\\SoundRecorder.exe" and Process.CommandLine like r"%/FILE%")

[ActivityMonitoringRule]
# By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privileged shell is launched.
# NOTE(review): the pattern carries no leading or trailing "%", so it fires only when the whole command line is
# exactly this string; any additional argument or a different path spelling is not covered by this rule.
RuleId = 1070db9a-3e5d-412e-8e7b-7183b616e1b3
RuleName = Sticky-Key Backdoor Copy Cmd.exe
EventType = Process.Start
Tag = proc-start-sticky-key-backdoor-copy-cmd.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1546.008"]}
Query = Process.CommandLine like r"copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"

[ActivityMonitoringRule]
# Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
RuleId = fdfcbd78-48f1-4a4b-90ac-d82241e368c5
RuleName = PsExec Service Execution
EventType = Process.Start
Tag = proc-start-psexec-service-execution
RiskScore = 50
Query = (Process.Path like r"C:\\Windows\\PSEXESVC.exe" or Process.Name == "psexesvc.exe")

[ActivityMonitoringRule]
# Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
# The query has no further condition: every start of ntvdm.exe or csrstub.exe is reported, so expect noise on
# hosts that still run 16-bit software.
RuleId = 16905e21-66ee-42fe-b256-1318ada2d770
RuleName = Start of NT Virtual DOS Machine
EventType = Process.Start
Tag = proc-start-start-of-nt-virtual-dos-machine
RiskScore = 50
Query = (Process.Path like r"%\\ntvdm.exe" or Process.Path like r"%\\csrstub.exe")

[ActivityMonitoringRule]
# An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
RuleId = 9fbf5927-5261-4284-a71d-f681029ea574
RuleName = Compress Data and Lock With Password for Exfiltration With 7-ZIP
EventType = Process.Start
Tag = proc-start-compress-data-and-lock-with-password-for-exfiltration-with-7-zip
RiskScore = 50
Annotation = {"mitre_attack": ["T1560.001"]}
Query = ((Process.CommandLine like r"%7z.exe%" or Process.CommandLine like r"%7za.exe%") and Process.CommandLine like r"% -p%" and (Process.CommandLine like r"% a %" or Process.CommandLine like r"% u %"))

[ActivityMonitoringRule]
# Detects the execution of AdFind for Active Directory enumeration
RuleId = 75df3b17-8bcc-4565-b89b-c9898acef911
RuleName = Suspicious AdFind Execution
EventType = Process.Start
Tag = proc-start-suspicious-adfind-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1018", "T1087.002", "T1482", "T1069.002"]}
Query = ((Process.CommandLine like r"%objectcategory%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%dclist%" or Process.CommandLine like r"%computers\_pwdnotreqd%") and Process.Path like r"%\\adfind.exe")

[ActivityMonitoringRule]
# Detects the execution of AdFind for enumeration
RuleId = 455b9d50-15a1-4b99-853f-8d37655a4c1b
RuleName = Suspicious AdFind Enumerate
EventType = Process.Start
Tag = proc-start-suspicious-adfind-enumerate
RiskScore = 50
Annotation = {"mitre_attack": ["T1087.002"]}
Query = (Process.Path like r"%\\adfind.exe" and ((Process.CommandLine like r"%lockoutduration%" or Process.CommandLine like r"%lockoutthreshold%" or Process.CommandLine like r"%lockoutobservationwindow%" or Process.CommandLine like r"%maxpwdage%" or Process.CommandLine like r"%minpwdage%" or Process.CommandLine like r"%minpwdlength%" or Process.CommandLine like r"%pwdhistorylength%" or Process.CommandLine like r"%pwdproperties%") or Process.CommandLine like r"%-sc admincountdmp%" or Process.CommandLine like r"%-sc exchaddresses%"))

[ActivityMonitoringRule]
# Detects the execution of the AdvancedRun utility
RuleId = d2b749ee-4225-417e-b20e-a8d2193cbb84
RuleName = Suspicious AdvancedRun Execution
EventType = Process.Start
Tag = proc-start-suspicious-advancedrun-execution
RiskScore = 50
Query = (Process.Name == "AdvancedRun.exe" or (Process.CommandLine like r"% /EXEFilename %" and Process.CommandLine like r"% /Run%") or (Process.CommandLine like r"% /WindowState 0%" and Process.CommandLine like r"% /RunAs %" and Process.CommandLine like r"% /CommandLine %"))

[ActivityMonitoringRule]
# RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
RuleId = a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
RuleName = Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
EventType = Process.Start
Tag = proc-start-abusable-invoke-athremotefxvgpudisablementcommand
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.CommandLine like r"%Invoke-ATHRemoteFXvGPUDisablementCommand %" and (Process.CommandLine like r"%-ModuleName %" or Process.CommandLine like r"%-ModulePath %" or Process.CommandLine like r"%-ScriptBlock %" or Process.CommandLine like r"%-RemoteFXvGPUDisablementFilePath%"))

[ActivityMonitoringRule]
# Detects possibly malicious or unauthorized usage of bcdedit.exe
RuleId = c9fbe8e9-119d-40a6-9b59-dd58a5d84429
RuleName = Possible Ransomware or Unauthorized MBR Modifications
EventType = Process.Start
Tag = proc-start-possible-ransomware-or-unauthorized-mbr-modifications
RiskScore = 50
Annotation = {"mitre_attack": ["T1070", "T1542.003"]}
Query = (Process.Path like r"%\\bcdedit.exe" and (Process.CommandLine like r"%delete%" or Process.CommandLine like r"%deletevalue%" or Process.CommandLine like r"%import%" or Process.CommandLine like r"%safeboot%" or Process.CommandLine like r"%network%"))

[ActivityMonitoringRule]
# Execute VBscript code that is referenced within the *.bgi file.
RuleId = aaf46cdc-934e-4284-b329-34aa701e3771
RuleName = Application Whitelisting Bypass via Bginfo
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-bginfo
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.005", "T1218", "T1202"]}
Query = (Process.Path like r"%\\bginfo.exe" and Process.CommandLine like r"%/popup%" and Process.CommandLine like r"%/nolicprompt%")

[ActivityMonitoringRule]
# Detects file transfers from a system using the BitsTransfer PowerShell cmdlets
RuleId = cd5c8085-4070-4e22-908d-a5b3342deb74
RuleName = Suspicious Bitstransfer via PowerShell
EventType = Process.Start
Tag = proc-start-suspicious-bitstransfer-via-powershell
RiskScore = 50
Annotation = {"mitre_attack": ["T1197"]}
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Get-BitsTransfer%" or Process.CommandLine like r"%Add-BitsFile%"))

[ActivityMonitoringRule]
# Launch 64-bit shellcode from a debugger script file using cdb.exe.
RuleId = b5c7395f-e501-4a08-94d4-57fe7a9da9d2
RuleName = Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
EventType = Process.Start
Tag = proc-start-possible-app-whitelisting-bypass-via-windbg/cdb-as-a-shellcode-runner
RiskScore = 50
Annotation = {"mitre_attack": ["T1106", "T1218", "T1127"]}
Query = ((Process.Path like r"%\\cdb.exe" or Process.Name == "CDB.Exe") and (Process.CommandLine like r"% -c %" or Process.CommandLine like r"% -cf %"))

[ActivityMonitoringRule]
# Detects a suspicious certutil command used to encode files, which is sometimes used for data exfiltration
RuleId = e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
RuleName = Certutil Encode
EventType = Process.Start
Tag = proc-start-certutil-encode
RiskScore = 50
Annotation = {"mitre_attack": ["T1027"]}
Query = (Process.Path like r"%\\certutil.exe" and Process.CommandLine like r"%-f%" and Process.CommandLine like r"%-encode%")

[ActivityMonitoringRule]
# Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
# Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
RuleId = 4b046706-5789-4673-b111-66f25fe99534
RuleName = Overwrite Deleted Data with Cipher
EventType = Process.Start
Tag = proc-start-overwrite-deleted-data-with-cipher
RiskScore = 50
Annotation = {"mitre_attack": ["T1485"]}
Query = (Process.Path like r"%\\cipher.exe" and Process.CommandLine like r"% /w:%")

[ActivityMonitoringRule]
# Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
RuleId = 1ac8666b-046f-4201-8aba-1951aaec03a3
RuleName = Command Line Execution with Suspicious URL and AppData Strings
EventType = Process.Start
Tag = proc-start-command-line-execution-with-suspicious-url-and-appdata-strings
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.003", "T1059.001", "T1105"]}
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%http%" and Process.CommandLine like r"%://%" and Process.CommandLine like r"%\%AppData\%%")

[ActivityMonitoringRule]
# Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)
RuleId = c73124a7-3e89-44a3-bdc1-25fe4df754b1
RuleName = Copy from Volume Shadow Copy
EventType = Process.Start
Tag = proc-start-copy-from-volume-shadow-copy
RiskScore = 50
Annotation = {"mitre_attack": ["T1490"]}
Query = Process.CommandLine like r"%copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%"

[ActivityMonitoringRule]
# Detects a code page switch in command line or batch scripts to a rare language
RuleId = c7942406-33dd-4377-a564-0f62db0593a3
RuleName = Suspicious Code Page Switch
EventType = Process.Start
Tag = proc-start-suspicious-code-page-switch
RiskScore = 50
Annotation = {"mitre_attack": ["T1036"]}
Query = (Process.Path like r"%\\chcp.com" and (Process.CommandLine like r"% 936" or Process.CommandLine like r"% 1258"))

[ActivityMonitoringRule]
# Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to copy LOLBINs like certutil or desktopimgdownldr to a different location with a different name
RuleId = fff9d2b7-e11c-4a69-93d3-40ef66189767
RuleName = Suspicious Copy From or To System32
EventType = Process.Start
Tag = proc-start-suspicious-copy-from-or-to-system32
RiskScore = 50
Annotation = {"mitre_attack": ["T1036.003"]}
Query = (Process.CommandLine like r"%xcopy%\\System32\\%" or Process.CommandLine like r"%cmd.exe%/c%copy%\\System32\\%")

[ActivityMonitoringRule]
# Adversaries may abuse Visual Basic (VB) for execution
RuleId = 23250293-eed5-4c39-b57a-841c8933a57d
RuleName = Cscript Visual Basic Script Execution
EventType = Process.Start
Tag = proc-start-cscript-visual-basic-script-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.005"]}
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%.vbs%")

[ActivityMonitoringRule]
# Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
RuleId = dcaa3f04-70c3-427a-80b4-b870d73c94c4
RuleName = Suspicious Csc.exe Source File Folder
EventType = Process.Start
Tag = proc-start-suspicious-csc.exe-source-file-folder
RiskScore = 50
Annotation = {"mitre_attack": ["T1027.004"]}
Query = ((Process.Path like r"%\\csc.exe" and (Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%")) and not (Parent.Path like r"C:\\Program Files%" or (Parent.Path like r"%\\sdiagnhost.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\choco.exe") or (Parent.CommandLine like r"%\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection%")))
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. An early version of this utility, provided with the Microsoft “Roslyn” Community Technology Preview, was named 'rcsi.exe'
RuleId = 40b95d31-1afc-469e-8d34-9a3a667d058e
RuleName = Suspicious Csi.exe Usage
EventType = Process.Start
Tag = proc-start-suspicious-csi.exe-usage
RiskScore = 50
Annotation = {"mitre_attack": ["T1072", "T1218"]}
Query = (((Process.Path like r"%\\csi.exe" or Process.Path like r"%\\rcsi.exe") or Process.Name in ["csi.exe", "rcsi.exe"]) and Process.Company == "Microsoft Corporation")
GenericProperty1 = Process.Company

[ActivityMonitoringRule]
# Suspicious command line to remove an exe or dll
RuleId = 204b17ae-4007-471b-917b-b917b315c5db
RuleName = Suspicious Del in CommandLine
EventType = Process.Start
Tag = proc-start-suspicious-del-in-commandline
RiskScore = 50
Annotation = {"mitre_attack": ["T1070.004"]}
Query = ((Process.CommandLine like r"%del %.exe%" and Process.CommandLine like r"%/f %" and Process.CommandLine like r"%/q %") or (Process.CommandLine like r"%del %.dll%" and Process.CommandLine like r"%C:\\ProgramData\\%"))

[ActivityMonitoringRule]
# Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
RuleId = 24357373-078f-44ed-9ac4-6d334a668a11
RuleName = Direct Autorun Keys Modification
EventType = Process.Start
Tag = proc-start-direct-autorun-keys-modification
RiskScore = 50
Annotation = {"mitre_attack": ["T1547.001"]}
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders%" or Process.CommandLine like r"%\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell%"))

[ActivityMonitoringRule]
# Execute C# code located in the consoleapp folder
RuleId = 81ebd28b-9607-4478-bf06-974ed9d53ed7
RuleName = Application Whitelisting Bypass via Dnx.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dnx.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218", "T1027.004"]}
Query = Process.Path like r"%\\dnx.exe"

[ActivityMonitoringRule]
# Conti recommendation to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.
RuleId = 7df1713a-1a5b-4a4b-a071-dc83b144a101
RuleName = Esentutl Gather Credentials
EventType = Process.Start
Tag = proc-start-esentutl-gather-credentials
RiskScore = 50
Annotation = {"mitre_attack": ["T1003", "T1003.003"]}
Query = (Process.CommandLine like r"%esentutl%" and Process.CommandLine like r"% /p%")

[ActivityMonitoringRule]
# Detects a suspicious program execution in a web service root folder (filter out false positives)
RuleId = 35efb964-e6a5-47ad-bbcd-19661854018d
RuleName = Execution in Webserver Root Folder
EventType = Process.Start
Tag = proc-start-execution-in-webserver-root-folder
RiskScore = 50
Annotation = {"mitre_attack": ["T1505.003"]}
Query = ((Process.Path like r"%\\wwwroot\\%" or Process.Path like r"%\\wmpub\\%" or Process.Path like r"%\\htdocs\\%") and not ((Process.Path like r"%bin\\%" or Process.Path like r"%\\Tools\\%" or Process.Path like r"%\\SMSComponent\\%") and Parent.Path like r"%\\services.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
RuleId = 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
RuleName = Explorer Process Tree Break
EventType = Process.Start
Tag = proc-start-explorer-process-tree-break
RiskScore = 50
Annotation = {"mitre_attack": ["T1036"]}
Query = Process.CommandLine like r"%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%"

[ActivityMonitoringRule]
# Detects when GfxDownloadWrapper.exe downloads a file from a non-standard URL
RuleId = eee00933-a761-4cd0-be70-c42fe91731e7
RuleName = GfxDownloadWrapper.exe Downloads File from Suspicious URL
EventType = Process.Start
Tag = proc-start-gfxdownloadwrapper.exe-downloads-file-from-suspicious-url
RiskScore = 50
Annotation = {"mitre_attack": ["T1105"]}
Query = (Process.Path like r"%\\GfxDownloadWrapper.exe" and not (Process.CommandLine like r"%gameplayapi.intel.com%" and Parent.Path like r"%\\GfxDownloadWrapper.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
RuleId = 33339be3-148b-4e16-af56-ad16ec6c7e7b
RuleName = Findstr Launching .lnk File
EventType = Process.Start
Tag = proc-start-findstr-launching-.lnk-file
RiskScore = 50
Annotation = {"mitre_attack": ["T1036", "T1202", "T1027.003"]}
Query = (Process.Path like r"%\\findstr.exe" and Process.CommandLine like r"%.lnk")

[ActivityMonitoringRule]
# Detects netsh commands that turn off the Windows firewall
RuleId = 57c4bf16-227f-4394-8ec7-1b745ee061c3
RuleName = Firewall Disabled via Netsh
EventType = Process.Start
Tag = proc-start-firewall-disabled-via-netsh
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.004"]}
Query = ((Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%set%" and Process.CommandLine like r"%opmode%" and Process.CommandLine like r"%mode=disable%") or (Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%advfirewall%" and Process.CommandLine like r"%set%" and Process.CommandLine like r"%state%" and Process.CommandLine like r"%off%"))

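[ActivityMonitoringRule]
# Detects renamed ftp.exe, ftp.exe script execution and child processes run by ftp.exe
# Path comparisons are anchored on the directory separator ("%\\ftp.exe"), as in the other rules of this file;
# the former unanchored "%ftp.exe" also matched any image whose name merely ends in ftp.exe, such as tftp.exe,
# both for the process itself and for the parent.
RuleId = 06b401f4-107c-4ff9-947f-9ec1e7649f1e
RuleName = Suspicious ftp.exe
EventType = Process.Start
Tag = proc-start-suspicious-ftp.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1059", "T1202"]}
Query = (((Process.Path like r"%\\ftp.exe" and Process.CommandLine like r"%-s:%") or (Process.Name == "ftp.exe" and Process.CommandLine like r"%-s:%")) or (Process.Name == "ftp.exe" and not (Process.Path like r"%\\ftp.exe")) or Parent.Path like r"%\\ftp.exe")
GenericProperty1 = Parent.Path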

[ActivityMonitoringRule]
# Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
RuleId = e56d3073-83ff-4021-90fe-c658e0709e72
RuleName = Gpresult Display Group Policy Information
EventType = Process.Start
Tag = proc-start-gpresult-display-group-policy-information
RiskScore = 50
Annotation = {"mitre_attack": ["T1615"]}
Query = (Process.Path like r"%\\gpresult.exe" and (Process.CommandLine like r"%/z%" or Process.CommandLine like r"%/v%"))

[ActivityMonitoringRule]
# Uses the .NET InstallUtil.exe application in order to execute an image without logging
RuleId = d042284c-a296-4988-9be5-f424fadcc28c
RuleName = Suspicious Execution of InstallUtil Without Log
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-installutil-without-log
RiskScore = 50
Query = (Process.Path like r"%\\InstallUtil.exe" and Process.Path like r"%Microsoft.NET\\Framework%" and Process.CommandLine like r"%/logfile= %" and Process.CommandLine like r"%/LogToConsole=false%")

[ActivityMonitoringRule]
# Detects suspicious IIS native-code module installations via command line
RuleId = 9465ddf4-f9e4-4ebd-8d98-702df3a93239
RuleName = IIS Native-Code Module Command Line Installation
EventType = Process.Start
Tag = proc-start-iis-native-code-module-command-line-installation
RiskScore = 50
Annotation = {"mitre_attack": ["T1505.003"]}
Query = (Process.Path like r"%\\appcmd.exe" and Process.CommandLine like r"%install%" and Process.CommandLine like r"%module%" and Process.CommandLine like r"%/name:%")

[ActivityMonitoringRule]
# Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
# The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
# Attackers abuse this utility to install malicious MOF scripts
RuleId = 1dd05363-104e-4b4a-b963-196a534b03a1
RuleName = Suspicious Mofcomp Execution
EventType = Process.Start
Tag = proc-start-suspicious-mofcomp-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\mofcomp.exe" and ((Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\wsl.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe") or (Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\WINDOWS\\Temp\\%" or Process.CommandLine like r"%\%temp\%%" or Process.CommandLine like r"%\%appdata\%%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts with web addresses as parameter
RuleId = f7b5f842-a6af-4da5-9e95-e32478f3cd2f
RuleName = MsiExec Web Install
EventType = Process.Start
Tag = proc-start-msiexec-web-install
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.007", "T1105"]}
Query = (Process.CommandLine like r"% msiexec%" and Process.CommandLine like r"%://%")

[ActivityMonitoringRule]
# Detects when net.exe is called with a password in the command line
# NOTE(review): the selection requires a space after the "/USER:<name>" token and the trailing-space filter
# (not ... like r"% ") then drops command lines that end right there, i.e. the case where no further argument
# follows the user name. A match therefore means Process.CommandLine of the stored event contains a plaintext
# credential - handle retention and access to these events accordingly.
RuleId = d4498716-1d52-438f-8084-4a603157d131
RuleName = Password Provided In Command Line Of Net.exe
EventType = Process.Start
Tag = proc-start-password-provided-in-command-line-of-net.exe
RiskScore = 50
Query = ((Process.Path like r"C:\\Windows\\System32\\net.exe" and Process.CommandLine like r"%net%" and Process.CommandLine like r"% use %" and Process.CommandLine like r"%:%\\\*" and Process.CommandLine like r"%/USER:% %") and not ((Process.CommandLine like r"% ")))

[ActivityMonitoringRule]
# Detects creation of a new service (kernel driver) with the type "kernel"
RuleId = 431a1fdb-4799-4f3b-91c3-a683b003fc49
RuleName = New Kernel Driver Via SC.EXE
EventType = Process.Start
Tag = proc-start-new-kernel-driver-via-sc.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1543.003"]}
Query = (Process.Path like r"%\\sc.exe" and (Process.CommandLine like r"%create%" or Process.CommandLine like r"%config%") and Process.CommandLine like r"%binPath=%" and Process.CommandLine like r"%type=%" and Process.CommandLine like r"%kernel%")

[ActivityMonitoringRule]
# Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
# NOTE: every ntdsutil.exe start fires, including legitimate AD maintenance by domain admins on domain controllers.
# If this is too noisy, tune on Process.CommandLine (e.g. the "ifm" / "create full" media-creation arguments that
# produce an NTDS.DIT copy) or scope the rule to non-DC hosts, rather than lowering the score.
RuleId = 2afafd61-6aae-4df4-baed-139fa1f4c345
RuleName = Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
EventType = Process.Start
Tag = proc-start-invocation-of-active-directory-diagnostic-tool-(ntdsutil.exe)
RiskScore = 50
Annotation = {"mitre_attack": ["T1003.003"]}
Query = Process.Path like r"%\\ntdsutil.exe"

[ActivityMonitoringRule]
# Detects defence evasion attempt via odbcconf.exe execution to load DLL
# NOTE: "-f" is a two-character substring and also matches any path or argument containing it; the "/f" switch form,
# if odbcconf accepts it, is not matched at all. The second branch flags any rundll32.exe child of odbcconf.exe
# regardless of arguments, which is the stronger of the two signals.
RuleId = 65d2be45-8600-4042-b4c0-577a1ff8a60e
RuleName = Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dll-loaded-by-odbcconf.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.008"]}
Query = ((Process.Path like r"%\\odbcconf.exe" and (Process.CommandLine like r"%-f%" or Process.CommandLine like r"%regsvr%")) or (Parent.Path like r"%\\odbcconf.exe" and Process.Path like r"%\\rundll32.exe"))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
# NOTE: anchored on the rundll32.exe image path, so a renamed copy of rundll32 evades this rule; the broader
# "Suspicious Rundll32 Activity" rule in this file matches the same pcwutl/LaunchApplication pair on the command line alone.
RuleId = 9386d78a-7207-4048-9c9f-a93a7c2d1c05
RuleName = Code Execution via Pcwutl.dll
EventType = Process.Start
Tag = proc-start-code-execution-via-pcwutl.dll
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%pcwutl%" and Process.CommandLine like r"%LaunchApplication%")

[ActivityMonitoringRule]
# Detects code execution via Pester.bat (Pester - PowerShell module for testing)
# NOTE: the cmd.exe branch accepts "_" as an alternative to "help", so any cmd.exe command line that contains "pester",
# a ";" and an underscore fires. Expect noise from CI/test runners that invoke Pester legitimately; add exclusions for
# those parents rather than dropping the "_" alternative, which is what catches the Pester.bat abuse.
RuleId = 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
RuleName = Execute Code with Pester.bat
EventType = Process.Start
Tag = proc-start-execute-code-with-pester.bat
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001", "T1216"]}
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Pester%" and Process.CommandLine like r"%Get-Help%") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%pester%" and Process.CommandLine like r"%;%" and (Process.CommandLine like r"%help%" or Process.CommandLine like r"%_%")))

[ActivityMonitoringRule]
# Detects suspicious ways to download files or content using PowerShell
# NOTE: no image or parent constraint - any process whose command line contains the literal ".DownloadString(" or
# ".DownloadFile(" fires. Only inline (plain-text) command lines are seen: an -EncodedCommand payload or a script file
# carries neither string, so pair this with the Base64 rule below and with script-block logging.
RuleId = 6e897651-f157-4d8f-aaeb-df8151488385
RuleName = PowerShell Web Download
EventType = Process.Start
Tag = proc-start-powershell-web-download
RiskScore = 50
Query = (Process.CommandLine like r"%.DownloadString(%" or Process.CommandLine like r"%.DownloadFile(%")

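[ActivityMonitoringRule]
# Command line to launch PowerShell with a Base64 payload
# The generated query only covered the dash-prefixed switches (-e, -en, -enc, -enco, -ec). powershell.exe also accepts
# the slash form (/e, /enc, ...), which is common in malicious launchers; those variants are added here. The
# "-Encoding" exclusion stays to suppress Out-File/Set-Content -Encoding arguments that would otherwise match "-enco".
# Evasion note: the patterns require a space on both sides, so "-e" glued to its value or an abbreviation outside this
# list is not matched. Mirror any change upstream in Sigma.
RuleId = fb843269-508c-4b76-8b8d-88679db22ce7
RuleName = Suspicious Execution of Powershell with Base64
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-powershell-with-base64
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = (((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% -en %" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -enco%" or Process.CommandLine like r"% -ec %" or Process.CommandLine like r"% /e %" or Process.CommandLine like r"% /en %" or Process.CommandLine like r"% /enc %" or Process.CommandLine like r"% /enco%" or Process.CommandLine like r"% /ec %")) and not (Process.CommandLine like r"% -Encoding %"))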

[ActivityMonitoringRule]
# Attackers can use print.exe for remote file copy
# NOTE: "print%" has no leading wildcard, so the command line must start with "print" (bare name, no path); the
# "not print.exe" exclusion additionally drops any command line that spells out the binary name. Together they target
# the "print /D:\\host\share file.exe" form only - a full-path invocation of print.exe is not matched.
RuleId = bafac3d6-7de9-4dd9-8874-4a1194b493ed
RuleName = Abusing Print Executable
EventType = Process.Start
Tag = proc-start-abusing-print-executable
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\print.exe" and Process.CommandLine like r"print%" and Process.CommandLine like r"%/D%" and Process.CommandLine like r"%.exe%") and not (Process.CommandLine like r"%print.exe%"))

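[ActivityMonitoringRule]
# Detects user accept agreement execution in psexec commandline
# The generated query only matched "psexec.exe"; the 64-bit build ships as PsExec64.exe and did not fire. Both names
# are now covered (cf. the psloglist rule below which already lists the 64-bit name). Since this keys on Process.Path,
# a renamed PsExec copy still evades - the "accepteula" argument alone is the portable signal if that matters.
RuleId = 730fc21b-eaff-474b-ad23-90fd265d4988
RuleName = Psexec Accepteula Condition
EventType = Process.Start
Tag = proc-start-psexec-accepteula-condition
RiskScore = 50
Annotation = {"mitre_attack": ["T1569", "T1021"]}
Query = ((Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe") and Process.CommandLine like r"%accepteula%")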

[ActivityMonitoringRule]
# Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.
# NOTE: the first branch fires on every psloglist/psloglist64 start regardless of arguments; the second branch has no
# image constraint, so a renamed binary is still caught when "security", "accepteula" and one of the -d/-x/-s switches
# (day range / dump / system) appear together. The switch patterns are two-character substrings and also match inside paths.
RuleId = aae1243f-d8af-40d8-ab20-33fc6d0c55bc
RuleName = Suspicious Use of PsLogList
EventType = Process.Start
Tag = proc-start-suspicious-use-of-psloglist
RiskScore = 50
Annotation = {"mitre_attack": ["T1087", "T1087.001", "T1087.002"]}
Query = ((Process.Name == "psloglist.exe" or (Process.Path like r"%\\psloglist.exe" or Process.Path like r"%\\psloglist64.exe")) or (Process.CommandLine like r"%security%" and Process.CommandLine like r"%accepteula%" and (Process.CommandLine like r"% -d%" or Process.CommandLine like r"% /d%" or Process.CommandLine like r"% -x%" or Process.CommandLine like r"% /x%" or Process.CommandLine like r"% -s%" or Process.CommandLine like r"% /s%")))

[ActivityMonitoringRule]
# The psr.exe captures desktop screenshots and saves them on the local machine
# NOTE: psr.exe (Problem Steps Recorder) is also started interactively by users and support staff; "/start" alone does
# not separate those from collection activity. Correlate with the parent process or an unusual "/output" target path
# when triaging, and expect a baseline of benign hits on helpdesk-heavy estates.
RuleId = 2158f96f-43c2-43cb-952a-ab4580f32382
RuleName = Psr.exe Capture Screenshots
EventType = Process.Start
Tag = proc-start-psr.exe-capture-screenshots
RiskScore = 50
Annotation = {"mitre_attack": ["T1113"]}
Query = (Process.Path like r"%\\Psr.exe" and Process.CommandLine like r"%/start%")

[ActivityMonitoringRule]
# Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
# NOTE: besides the AppData\Local or AppData\Roaming path this requires a literal "/c " in the command line, i.e. it
# targets cmd.exe-style launches ("cmd /c powershell ..."). A direct "powershell.exe -File ...\AppData\..." without
# "/c" does not fire; the Process.Path is not checked at all, only the command-line text.
RuleId = ac175779-025a-4f12-98b0-acdaeb77ea85
RuleName = PowerShell Script Run in AppData
EventType = Process.Start
Tag = proc-start-powershell-script-run-in-appdata
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = ((Process.CommandLine like r"%powershell.exe%" or Process.CommandLine like r"%\\powershell%" or Process.CommandLine like r"%\\pwsh%" or Process.CommandLine like r"%pwsh.exe%") and Process.CommandLine like r"%/c %" and Process.CommandLine like r"%\\AppData\\%" and (Process.CommandLine like r"%Local\\%" or Process.CommandLine like r"%Roaming\\%"))

[ActivityMonitoringRule]
# Detects suspicious process related to rasdial.exe
# NOTE: unlike the other rules in this file the pattern has no "\\" before the file name, so any image whose path
# merely ends in "rasdial.exe" matches. rasdial.exe is also the built-in dial-up/VPN client, so every rasdial start
# fires; expect noise on roaming endpoints and consider an exclusion for your VPN profile names.
RuleId = 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
RuleName = Suspicious RASdial Activity
EventType = Process.Start
Tag = proc-start-suspicious-rasdial-activity
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = Process.Path like r"%rasdial.exe"

[ActivityMonitoringRule]
# Once established within a system or network, an adversary may use automated techniques for collecting internal data.
# NOTE: this keys on the PARENT command line: the parent must redirect output into %TEMP% (" > %TEMP%\", "\%" is a
# literal percent sign in this pattern dialect), and the child must be tree/wmic/doskey/sc. The Process.Name list is an
# alternative match on the bare file name next to the path check. Redirects into other staging folders are not covered.
RuleId = aa2efee7-34dd-446e-8a37-40790a66efd7
RuleName = Recon Information for Export with Command Prompt
EventType = Process.Start
Tag = proc-start-recon-information-for-export-with-command-prompt
RiskScore = 50
Annotation = {"mitre_attack": ["T1119"]}
Query = (((Process.Path like r"%\\tree.com" or Process.Path like r"%\\WMIC.exe" or Process.Path like r"%\\doskey.exe" or Process.Path like r"%\\sc.exe") or Process.Name in ["wmic.exe", "DOSKEY.EXE", "sc.exe"]) and Parent.CommandLine like r"% > \%TEMP\%\\%")
GenericProperty1 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects suspicious command line activity on Windows systems
# NOTE: substring matches on the exact "net group"/"net localgroup"/"net accounts" phrasing (quotes are escaped as \").
# The net1.exe process that net.exe hands the work to has "net1 group ..." on its command line and does not match, nor do
# variants with extra whitespace or single quotes; the PowerShell/ADSI equivalents are out of scope here.
RuleId = d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
RuleName = Suspicious Reconnaissance Activity
EventType = Process.Start
Tag = proc-start-suspicious-reconnaissance-activity
RiskScore = 50
Annotation = {"mitre_attack": ["T1087.001", "T1087.002"]}
Query = (Process.CommandLine like r"%net group \"domain admins\"%" or Process.CommandLine like r"%net localgroup administrators%" or Process.CommandLine like r"%net group \"enterprise admins\"%" or Process.CommandLine like r"%net accounts /do%")

[ActivityMonitoringRule]
# Detects using register-cimprovider.exe to execute arbitrary dll file.
# NOTE: "-path" and "dll" are matched as independent substrings anywhere in the command line, not as a "-path <x.dll>"
# pair; a provider DLL referenced without the ".dll" extension is not matched. The image path is checked, so a renamed
# copy of register-cimprovider.exe evades.
RuleId = a2910908-e86f-4687-aeba-76a5f996e652
RuleName = DLL Execution Via Register-cimprovider.exe
EventType = Process.Start
Tag = proc-start-dll-execution-via-register-cimprovider.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1574"]}
Query = (Process.Path like r"%\\register-cimprovider.exe" and Process.CommandLine like r"%-path%" and Process.CommandLine like r"%dll%")

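[ActivityMonitoringRule]
# Detects the registration of a VSS/VDS Provider as a COM+ application via cscript.exe
# The generated query hard-coded three Windows Kits build numbers (22000, 19041, 17763); any other SDK build evaded it.
# The version segment is now a wildcard ("10.0.%"), which keeps the same shape (Windows Kits\10\bin\<build>\x64) without
# pinning builds. Only the x64 tool directory is matched, as before. Mirror this upstream in Sigma.
RuleId = 28c8f68b-098d-45af-8d43-8089f3e35403
RuleName = Suspicious Registration via cscript.exe
EventType = Process.Start
Tag = proc-start-suspicious-registration-via-cscript.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%-register%" and Process.CommandLine like r"%\\Windows Kits\\10\\bin\\10.0.%\\x64%")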

[ActivityMonitoringRule]
# Suspicious add key for BitLocker
# NOTE: all tokens are independent substrings ("REG", "ADD", "/v", "/f" plus one FVE value name), so the rule covers
# reg.exe invocations only. The same policy values written via Set-ItemProperty, regedit /s or the registry API are not
# seen here; a policy change of this kind on a non-admin workstation is the interesting case.
RuleId = 0e0255bf-2548-47b8-9582-c0955c9283f5
RuleName = Suspicious Reg Add BitLocker
EventType = Process.Start
Tag = proc-start-suspicious-reg-add-bitlocker
RiskScore = 50
Annotation = {"mitre_attack": ["T1486"]}
Query = (Process.CommandLine like r"%REG%" and Process.CommandLine like r"%ADD%" and Process.CommandLine like r"%HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE%" and Process.CommandLine like r"%/v%" and Process.CommandLine like r"%/f%" and (Process.CommandLine like r"%EnableBDEWithNoTPM%" or Process.CommandLine like r"%UseAdvancedStartup%" or Process.CommandLine like r"%UseTPM%" or Process.CommandLine like r"%UseTPMKey%" or Process.CommandLine like r"%UseTPMKeyPIN%" or Process.CommandLine like r"%RecoveryKeyMessageSource%" or Process.CommandLine like r"%UseTPMPIN%" or Process.CommandLine like r"%RecoveryKeyMessage%"))

[ActivityMonitoringRule]
# Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
# NOTE: the HKCU\Software\Classes\ms-settings\Shell\Open\Command key with an empty DelegateExecute value is the
# fodhelper/computerdefaults-style UAC bypass primitive; the hive dumping in the description is what followed it in one
# incident, not what the rule observes. T1548.002 (Bypass UAC) is the closer mapping for this event. The third branch
# (reg delete of ms-settings) catches the cleanup step on its own.
RuleId = dd3ee8cc-f751-41c9-ba53-5a32ed47e563
RuleName = Suspicious Reg Add Open Command
EventType = Process.Start
Tag = proc-start-suspicious-reg-add-open-command
RiskScore = 50
Annotation = {"mitre_attack": ["T1003"]}
Query = ((Process.CommandLine like r"%reg%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%hkcu\\software\\classes\\ms-settings\\shell\\open\\command%" and Process.CommandLine like r"%/ve %" and Process.CommandLine like r"%/d%") or (Process.CommandLine like r"%reg%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%hkcu\\software\\classes\\ms-settings\\shell\\open\\command%" and Process.CommandLine like r"%/v%" and Process.CommandLine like r"%DelegateExecute%") or (Process.CommandLine like r"%reg%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%hkcu\\software\\classes\\ms-settings%"))

[ActivityMonitoringRule]
# Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
# NOTE: "-s", "-u" and "-t" are two-character substrings (and "/s" etc. their slash forms), so they also match inside
# paths; the rule therefore requires an "NTLM" auth token or the "ncacn_np" transport (\_ is a literal underscore here)
# in addition to the target switch, which is what separates a coercion attempt from a plain connectivity test.
RuleId = 93671f99-04eb-4ab4-a161-70d446a84003
RuleName = Capture Credentials with Rpcping.exe
EventType = Process.Start
Tag = proc-start-capture-credentials-with-rpcping.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1003"]}
Query = ((Process.Path like r"%\\rpcping.exe" and (Process.CommandLine like r"%-s%" or Process.CommandLine like r"%/s%")) and ((Process.CommandLine like r"%-u%" and Process.CommandLine like r"%NTLM%") or (Process.CommandLine like r"%/u%" and Process.CommandLine like r"%NTLM%") or (Process.CommandLine like r"%-t%" and Process.CommandLine like r"%ncacn\_np%") or (Process.CommandLine like r"%/t%" and Process.CommandLine like r"%ncacn\_np%")))

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on arguments
# NOTE: pure command-line matching with no rundll32.exe path constraint, so renamed copies and other hosts of these
# DLL/export pairs are covered. The only exclusion is the screen-saver control-panel applet (Control_RunDLL desk.cpl);
# add further "not" clauses here for known-good Control_RunDLL/InstallHinfSection usage rather than loosening the pairs.
# "\_" is a literal underscore in this pattern dialect.
RuleId = e593cf51-88db-4ee1-b920-37e89012a3c9
RuleName = Suspicious Rundll32 Activity
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-activity
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (((Process.CommandLine like r"%javascript:%" and Process.CommandLine like r"%.RegisterXLL%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%OpenURLA%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%FileProtocolHandler%") or (Process.CommandLine like r"%zipfldr.dll%" and Process.CommandLine like r"%RouteTheCall%") or (Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%Control\_RunDLL%") or (Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%ShellExec\_RunDLL%") or (Process.CommandLine like r"%mshtml.dll%" and Process.CommandLine like r"%PrintHTML%") or (Process.CommandLine like r"%advpack.dll%" and Process.CommandLine like r"%LaunchINFSection%") or (Process.CommandLine like r"%advpack.dll%" and Process.CommandLine like r"%RegisterOCX%") or (Process.CommandLine like r"%ieadvpack.dll%" and Process.CommandLine like r"%LaunchINFSection%") or (Process.CommandLine like r"%ieadvpack.dll%" and Process.CommandLine like r"%RegisterOCX%") or (Process.CommandLine like r"%ieframe.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%shdocvw.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%syssetup.dll%" and Process.CommandLine like r"%SetupInfObjectInstallAction%") or (Process.CommandLine like r"%setupapi.dll%" and Process.CommandLine like r"%InstallHinfSection%") or (Process.CommandLine like r"%pcwutl.dll%" and Process.CommandLine like r"%LaunchApplication%") or (Process.CommandLine like r"%dfshim.dll%" and Process.CommandLine like r"%ShOpenVerbApplication%") or (Process.CommandLine like r"%dfshim.dll%" and Process.CommandLine like r"%ShOpenVerbShortcut%")) and not (Process.CommandLine like r"%shell32.dll,Control\_RunDLL desk.cpl,screensaver,@screensaver%"))

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on arguments
# NOTE: requires the exact "mshtml,RunHTMLApplication" spelling; "mshtml.dll,RunHTMLApplication" (with extension) or
# whitespace around the comma does not match. "rundll32" is matched on the command line, not the image, so a renamed
# binary that still echoes "rundll32" in its arguments is caught, while one that does not is not.
RuleId = 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
RuleName = Suspicious Rundll32 Script in CommandLine
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-script-in-commandline
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%mshtml,RunHTMLApplication%" and (Process.CommandLine like r"%javascript:%" or Process.CommandLine like r"%vbscript:%"))

[ActivityMonitoringRule]
# setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions that create registry values, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, to run a process, or to chain other DLL calls (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
# NOTE: keyed on the child runonce.exe whose parent is rundll32 with setupapi.dll/InstallHinfSection arguments, so it
# fires once per INF processed regardless of INF content. GenericProperty2 carries the parent command line, which holds
# the INF path needed for triage; a driver-install tool that uses the same export legitimately will also show up here.
RuleId = 285b85b1-a555-4095-8652-a8a4106af63f
RuleName = Suspicious Rundll32 Setupapi.dll Activity
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-setupapi.dll-activity
RiskScore = 50
Annotation = {"mitre_attack": ["T1218.011"]}
Query = (Process.Path like r"%\\runonce.exe" and Parent.Path like r"%\\rundll32.exe" and Parent.CommandLine like r"%setupapi.dll%" and Parent.CommandLine like r"%InstallHinfSection%")
GenericProperty1 = Parent.Path
GenericProperty2 = Parent.CommandLine

[ActivityMonitoringRule]
# Detects a suspicious call to the user32.dll function that locks the user workstation
# NOTE: only cmd.exe parents are considered; the same "user32.dll,LockWorkStation" call from PowerShell, a script host or
# a scheduled task does not fire. No MITRE annotation is attached to this rule.
RuleId = 3b5b0213-0460-4e3f-8937-3abf98ff7dcc
RuleName = Suspicious Workstation Locking via Rundll32
EventType = Process.Start
Tag = proc-start-suspicious-workstation-locking-via-rundll32
RiskScore = 50
Query = (Process.Path like r"%\\rundll32.exe" and Parent.Path like r"%\\cmd.exe" and Process.CommandLine like r"%user32.dll,%" and Process.CommandLine like r"%LockWorkStation%")
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects execution of powershell scripts via Runscripthelper.exe
# NOTE: "surfacecheck" is the only argument pattern, i.e. the documented "Runscripthelper.exe surfacecheck <script>"
# form; other Runscripthelper.exe invocations are not covered, and the image-path check means a renamed copy evades.
RuleId = eca49c87-8a75-4f13-9c73-a5a29e845f03
RuleName = Suspicious Runscripthelper.exe
EventType = Process.Start
Tag = proc-start-suspicious-runscripthelper.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1059", "T1202"]}
Query = (Process.Path like r"%\\Runscripthelper.exe" and Process.CommandLine like r"%surfacecheck%")

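[ActivityMonitoringRule]
# Detects suspicious process run from unusual locations
# The generated pattern ":\SystemVolumeInformation\" does not match the real NTFS folder name, which is
# "System Volume Information" (with spaces); the correct spelling is added and the old token kept for compatibility.
# The C:\Windows\... paths are still anchored to the C: drive, so a system with another system drive is not covered by
# those branches. Mirror this upstream in Sigma.
RuleId = 15b75071-74cc-47e0-b4c6-b43744a62a2b
RuleName = Suspicious Process Start Locations
EventType = Process.Start
Tag = proc-start-suspicious-process-start-locations
RiskScore = 50
Annotation = {"mitre_attack": ["T1036"]}
Query = ((Process.Path like r"%:\\RECYCLER\\%" or Process.Path like r"%:\\SystemVolumeInformation\\%" or Process.Path like r"%:\\System Volume Information\\%") or (Process.Path like r"C:\\Windows\\Tasks\\%" or Process.Path like r"C:\\Windows\\debug\\%" or Process.Path like r"C:\\Windows\\fonts\\%" or Process.Path like r"C:\\Windows\\help\\%" or Process.Path like r"C:\\Windows\\drivers\\%" or Process.Path like r"C:\\Windows\\addins\\%" or Process.Path like r"C:\\Windows\\cursors\\%" or Process.Path like r"C:\\Windows\\system32\\tasks\\%"))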

[ActivityMonitoringRule]
# Detects suspicious scheduled task creations from a parent stored in a temporary folder
# NOTE: "/Create " requires the slash form with a trailing space. The exclusions are plain substring matches on
# "update_task.xml" / "unattended.ini" (\_ is a literal underscore), so any command line that merely contains those
# names bypasses the rule - keep that list tight and prefer excluding by Parent.Path where possible.
RuleId = 9494479d-d994-40bf-a8b1-eea890237021
RuleName = Suspicious Add Scheduled Task Parent
EventType = Process.Start
Tag = proc-start-suspicious-add-scheduled-task-parent
RiskScore = 50
Annotation = {"mitre_attack": ["T1053.005"]}
Query = ((Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create %" and (Parent.Path like r"%\\AppData\\Local\\%" or Parent.Path like r"%\\AppData\\Roaming\\%" or Parent.Path like r"%\\Temporary Internet%" or Parent.Path like r"%\\Users\\Public\\%")) and not (((Process.CommandLine like r"%update\_task.xml%" or Process.CommandLine like r"%unattended.ini%"))))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Adversaries may establish persistence by executing malicious content triggered by user inactivity.
# Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
# NOTE: every branch requires both "/t REG_SZ" and "/f", so a reg.exe call that omits the type (REG_SZ is reg add's
# default) or the force flag is not matched; the SCRNSAVE.EXE branch additionally requires a ".scr" value, so a PE
# registered under another extension evades. Only reg.exe is covered, not Set-ItemProperty or the registry API.
RuleId = 0fc35fc3-efe6-4898-8a37-0b233339524f
RuleName = Suspicious ScreenSave Change by Reg.exe
EventType = Process.Start
Tag = proc-start-suspicious-screensave-change-by-reg.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1546.002"]}
Query = ((Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%HKEY\_CURRENT\_USER\\Control Panel\\Desktop%" or Process.CommandLine like r"%HKCU\\Control Panel\\Desktop%")) and ((Process.CommandLine like r"%/v ScreenSaveActive%" and Process.CommandLine like r"%/t REG\_SZ%" and Process.CommandLine like r"%/d 1%" and Process.CommandLine like r"%/f%") or (Process.CommandLine like r"%/v ScreenSaveTimeout%" and Process.CommandLine like r"%/t REG\_SZ%" and Process.CommandLine like r"%/d %" and Process.CommandLine like r"%/f%") or (Process.CommandLine like r"%/v ScreenSaverIsSecure%" and Process.CommandLine like r"%/t REG\_SZ%" and Process.CommandLine like r"%/d 0%" and Process.CommandLine like r"%/f%") or (Process.CommandLine like r"%/v SCRNSAVE.EXE%" and Process.CommandLine like r"%/t REG\_SZ%" and Process.CommandLine like r"%/d %" and Process.CommandLine like r"%.scr%" and Process.CommandLine like r"%/f%")))

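[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
# The rule is named "WSF/JSE/JS/VBA/VBE" but the generated query never matched ".wsf"; it is added here so the query
# matches the name. Note that ".js" is a bare substring and also hits ".json" or ".jse" arguments, so expect some
# benign noise from tooling that passes such files to the script hosts. Mirror this upstream in Sigma.
RuleId = 1e33157c-53b1-41ad-bbcc-780b80b58288
RuleName = WSF/JSE/JS/VBA/VBE File Execution
EventType = Process.Start
Tag = proc-start-wsf/jse/js/vba/vbe-file-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.005", "T1059.007"]}
Query = ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%.jse%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.vba%" or Process.CommandLine like r"%.wsf%"))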

[ActivityMonitoringRule]
# Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service
# NOTE: covers only the PowerShell Stop-Service/Remove-Service cmdlets and three specific service names; "sc stop",
# "net stop", Set-Service -StartupType Disabled and other vendors' services are not covered. Extend the name list for
# the products deployed in your estate.
RuleId = 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
RuleName = Stop Or Remove Antivirus Service
EventType = Process.Start
Tag = proc-start-stop-or-remove-antivirus-service
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = ((Process.CommandLine like r"%Stop-Service %" or Process.CommandLine like r"%Remove-Service %") and (Process.CommandLine like r"% McAfeeDLPAgentService%" or Process.CommandLine like r"% Trend Micro Deep Security Manager%" or Process.CommandLine like r"% TMBMServer%"))

[ActivityMonitoringRule]
# Use of the commandline to shutdown or reboot windows
# NOTE: requires a trailing space after "/r" or "/s", so a bare "shutdown /r" with no further arguments and the "-r"/"-s"
# dash forms shutdown.exe also accepts are not matched. Routine reboots by admins and patch tooling will fire; exclude
# your patch-management parents rather than the switches.
RuleId = 34ebb878-1b15-4895-b352-ca2eeb99b274
RuleName = Suspicious Execution of Shutdown
EventType = Process.Start
Tag = proc-start-suspicious-execution-of-shutdown
RiskScore = 50
Annotation = {"mitre_attack": ["T1529"]}
Query = (Process.Path like r"%\\shutdown.exe" and (Process.CommandLine like r"%/r %" or Process.CommandLine like r"%/s %"))

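[ActivityMonitoringRule]
# Detects possible use of the Squirrel package manager (Update.exe) as a LOLBin
# The generated exclusion mixed "and" and "or" without grouping, so its meaning depended on the query engine's operator
# precedence. The two intended allow-list entries (Discord --processStart, GitHub Desktop --createShortcut) are now
# parenthesised explicitly; the match behaviour is the intended one regardless of precedence. Mirror this upstream in Sigma.
RuleId = fa4b21c9-0057-4493-b289-2556416ae4d7
RuleName = Squirrel Lolbin
EventType = Process.Start
Tag = proc-start-squirrel-lolbin
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\update.exe" and Process.CommandLine like r"%.exe%" and (Process.CommandLine like r"%--processStart%" or Process.CommandLine like r"%--processStartAndWait%" or Process.CommandLine like r"%--createShortcut%")) and not (((Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\AppData\\Local\\Discord\\Update.exe%" and Process.CommandLine like r"% --processStart Discord.exe%") or (Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\AppData\\Local\\GitHubDesktop\\Update.exe --createShortcut GitHubDesktop.exe%"))))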

[ActivityMonitoringRule]
# Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
# NOTE: "\AppData\" anywhere in the command line fires, including an /unattend: answer file stored under a user profile.
# Legitimate imaging runs sysprep from C:\Windows\System32\Sysprep without profile paths, so hits should be rare and
# worth a look.
RuleId = d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
RuleName = Sysprep on AppData Folder
EventType = Process.Start
Tag = proc-start-sysprep-on-appdata-folder
RiskScore = 50
Annotation = {"mitre_attack": ["T1059"]}
Query = (Process.Path like r"%\\sysprep.exe" and Process.CommandLine like r"%\\AppData\\%")

[ActivityMonitoringRule]
# Detects Access to Domain Group Policies stored in SYSVOL
# NOTE: no image constraint - any command line containing both "\SYSVOL\" and "\policies\" fires. Admin tooling that
# copies or edits GPO files by UNC path will produce noise, while GPO access performed in-process by the Group Policy
# service is not a process start and is not seen here. Cached credentials in Groups.xml (T1552.006) are the target.
RuleId = 05f3c945-dcc8-4393-9f3d-af65077a8f86
RuleName = Suspicious SYSVOL Domain Group Policy Access
EventType = Process.Start
Tag = proc-start-suspicious-sysvol-domain-group-policy-access
RiskScore = 50
Annotation = {"mitre_attack": ["T1552.006"]}
Query = (Process.CommandLine like r"%\\SYSVOL\\%" and Process.CommandLine like r"%\\policies\\%")

[ActivityMonitoringRule]
# Adversaries can interact with the DACLs using the built-in Windows command takeown, which can grant adversaries higher permissions on specific files and folders
# NOTE: "/r" (recurse) is a bare substring, so "/r" inside a path also satisfies it; "/f " is takeown's mandatory file
# argument. The icacls/cacls equivalents and a takeown without /r are not covered. Recursive takeown of system
# directories is a typical ransomware pre-step, so hits outside admin maintenance windows deserve attention.
RuleId = 554601fb-9b71-4bcc-abf4-21a611be4fde
RuleName = Suspicious Recursif Takeown
EventType = Process.Start
Tag = proc-start-suspicious-recursif-takeown
RiskScore = 50
Annotation = {"mitre_attack": ["T1222.001"]}
Query = (Process.Path like r"%\\takeown.exe" and Process.CommandLine like r"%/f %" and Process.CommandLine like r"%/r%")

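[ActivityMonitoringRule]
# This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
# The generated term 'Process.Name like r"\\sqlps.exe"' could never match: Process.Name is a bare file name and the
# pattern has no wildcard but a leading backslash. It is replaced by an exact name comparison, the form used by the
# VaultCmd/whoami rules in this file. The sqlagent.exe parent exclusion (scheduled SQL Agent jobs) is unchanged.
RuleId = 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
RuleName = Detection of PowerShell Execution via Sqlps.exe
EventType = Process.Start
Tag = proc-start-detection-of-powershell-execution-via-sqlps.exe
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001", "T1127"]}
Query = ((Process.Path like r"%\\sqlps.exe" or Parent.Path like r"%\\sqlps.exe" or Process.Name == "sqlps.exe") and not (Parent.Path like r"%\\sqlagent.exe"))
GenericProperty1 = Parent.Path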

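[ActivityMonitoringRule]
# This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
# The generated term 'Process.Name like r"\\sqltoolsps.exe"' could never match: Process.Name is a bare file name and
# the pattern has no wildcard but a leading backslash. It is replaced by an exact name comparison, the form used by
# the VaultCmd/whoami rules in this file. The smss.exe parent exclusion is unchanged.
RuleId = a746c9b8-a2fb-4ee5-a428-92bee9e99060
RuleName = SQL Client Tools PowerShell Session Detection
EventType = Process.Start
Tag = proc-start-sql-client-tools-powershell-session-detection
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001", "T1127"]}
Query = ((Process.Path like r"%\\sqltoolsps.exe" or Parent.Path like r"%\\sqltoolsps.exe" or Process.Name == "sqltoolsps.exe") and not (Parent.Path like r"%\\smss.exe"))
GenericProperty1 = Parent.Path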

[ActivityMonitoringRule]
# The MS Visual Studio Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger. Adversaries may use this option to execute malicious code under a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.
# NOTE: any child of vsjitdebugger.exe other than devenv.exe or vsimmersiveactivatehelper*.exe fires, so developers
# launching their own programs under the JIT debugger will produce events. Extend the "not" list for your build
# tooling rather than removing the parent check; GenericProperty1 exposes the parent path for triage.
RuleId = 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
RuleName = Malicious PE Execution by Microsoft Visual Studio Debugger
EventType = Process.Start
Tag = proc-start-malicious-pe-execution-by-microsoft-visual-studio-debugger
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = (Parent.Path like r"%\\vsjitdebugger.exe" and not ((Process.Path like r"%\\vsimmersiveactivatehelper%.exe" or Process.Path like r"%\\devenv.exe")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
# NOTE: only "/listcreds:" is matched; the "/list" vault enumeration that usually precedes it is not. The name check
# mixes a wildcard path match with an upper-case Process.Name comparison - whether that comparison is case-sensitive
# depends on the engine, so verify it fires on a lower-case "vaultcmd.exe" event before relying on the Name branch.
RuleId = 58f50261-c53b-4c88-bd12-1d71f12eda4c
RuleName = Windows Credential Manager Access via VaultCmd
EventType = Process.Start
Tag = proc-start-windows-credential-manager-access-via-vaultcmd
RiskScore = 50
Annotation = {"mitre_attack": ["T1555.004"]}
Query = ((Process.Path like r"%\\VaultCmd.exe" or Process.Name == "VAULTCMD.EXE") and Process.CommandLine like r"%/listcreds:%")

[ActivityMonitoringRule]
# Detect VBoxDrvInst.exe run with parameters allowing processing of an INF file. This allows creating values in the registry and installing drivers. For example one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys
# NOTE: requires both "driver" and "executeinf" as substrings, i.e. the "driver executeinf <inf>" form; the INF path
# itself is not checked. The binary only exists where VirtualBox is installed, so zero hits on most hosts is expected
# and any hit on a host without VirtualBox indicates a dropped copy.
RuleId = b7b19cb6-9b32-4fc4-a108-73f19acfe262
RuleName = Suspicious VBoxDrvInst.exe Parameters
EventType = Process.Start
Tag = proc-start-suspicious-vboxdrvinst.exe-parameters
RiskScore = 50
Annotation = {"mitre_attack": ["T1112"]}
Query = (Process.Path like r"%\\VBoxDrvInst.exe" and Process.CommandLine like r"%driver%" and Process.CommandLine like r"%executeinf%")

[ActivityMonitoringRule]
# A general detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
# NOTE: the description mentions an svchost.exe parent, but the query does not check Parent.Path - any rundll32 whose
# command line carries the hard-coded "C:\windows\system32\davclnt.dll,DavSetCookie" string fires. A non-C: system
# drive, or a differently cased path if matching is case-sensitive, evades; DavSetCookie also fires for ordinary
# WebDAV mounts (SharePoint, OneDrive) so use the target host in the command line for triage.
RuleId = 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
RuleName = Suspicious WebDav Client Execution
EventType = Process.Start
Tag = proc-start-suspicious-webdav-client-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1048.003"]}
Query = ((Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%")

[ActivityMonitoringRule>
# Detects the use of various web request cmdlets, aliases and command-line tools (Invoke-WebRequest/iwr/wget/curl, Net.WebClient, Start-BitsTransfer)
# NOTE: very broad - "curl " and "wget " match any command line with those tokens (including Linux-style tooling,
# WSL and build scripts) and there is no image constraint. Expect high volume; tune with parent/path exclusions
# before considering a higher RiskScore. Encoded PowerShell payloads carry none of these strings.
RuleId = 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
RuleName = Windows Suspicious Use Of Web Request in CommandLine
EventType = Process.Start
Tag = proc-start-windows-suspicious-use-of-web-request-in-commandline
RiskScore = 50
Annotation = {"mitre_attack": ["T1059.001"]}
Query = (Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%curl %" or Process.CommandLine like r"%Net.WebClient%" or Process.CommandLine like r"%Start-BitsTransfer%")

[ActivityMonitoringRule]
# Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
# NOTE: fires on every whoami.exe start with no argument or parent distinction. For prioritisation the interesting
# cases are whoami spawned from a service/SYSTEM context, from a web-server or Office parent, or with "/priv" or
# "/all" - the rule itself carries none of that, so do it in the consumer of these events.
RuleId = e28a5a99-da44-436d-b7a0-2afc20a5f413
RuleName = Whoami Execution
EventType = Process.Start
Tag = proc-start-whoami-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1033"]}
Query = (Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe")

[ActivityMonitoringRule]
# Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and a copied cscript.exe (can be renamed)
# NOTE: the exclusion drops every image under System32/SysWOW64, so the rule only fires when the script host runs from
# somewhere else (a copied/renamed cscript.exe next to the malicious XSL). The format:pretty / format:text patterns
# cover the -format switch with and without quotes.
RuleId = 074e0ded-6ced-4ebd-8b4d-53f55908119d
RuleName = AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
EventType = Process.Start
Tag = proc-start-awl-bypass-with-winrm.vbs-and-malicious-wsmpty.xsl/wsmtxt.xsl
RiskScore = 50
Annotation = {"mitre_attack": ["T1216"]}
Query = (Process.CommandLine like r"%winrm%" and (Process.CommandLine like r"%format:pretty%" or Process.CommandLine like r"%format:\"pretty\"%" or Process.CommandLine like r"%format:\"text\"%" or Process.CommandLine like r"%format:text%") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")))

[ActivityMonitoringRule]
# Detects an attempt to execute code or create a service on a remote host via winrm.vbs.
# NOTE: requires the literal "invoke Create wmicimv2/Win32_" (any Win32_ class; \_ is a literal underscore) together
# with an "-r:http" remote target, so only creation over HTTP(S) WinRM is matched; the same invocation against the
# local host without -r: is not. Anchored on cscript.exe, a renamed script host evades.
RuleId = 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
RuleName = Remote Code Execute via Winrm.vbs
EventType = Process.Start
Tag = proc-start-remote-code-execute-via-winrm.vbs
RiskScore = 50
Annotation = {"mitre_attack": ["T1216"]}
Query = ((Process.Path like r"%\\cscript.exe" or Process.Name == "cscript.exe") and (Process.CommandLine like r"%winrm%" and Process.CommandLine like r"%invoke Create wmicimv2/Win32\_%" and Process.CommandLine like r"%-r:http%"))

[ActivityMonitoringRule]
# An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
# NOTE: the password switch is matched as -s followed by a double quote (-s"..."), so an unquoted password (-spassword)
# is not caught. "winzip.exe"/"winzip64.exe" must appear in the command line text - a renamed binary evades, and the
# Process.Path is not checked. Companion rules for 7-Zip/WinRAR are not in this section.
RuleId = e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
RuleName = Compress Data and Lock With Password for Exfiltration With WINZIP
EventType = Process.Start
Tag = proc-start-compress-data-and-lock-with-password-for-exfiltration-with-winzip
RiskScore = 50
Annotation = {"mitre_attack": ["T1560.001"]}
Query = ((Process.CommandLine like r"%winzip.exe%" or Process.CommandLine like r"%winzip64.exe%") and Process.CommandLine like r"%-s\"%" and (Process.CommandLine like r"% -min %" or Process.CommandLine like r"% -a %"))

[ActivityMonitoringRule]
# Detects deinstallation of security products using WMIC utility
# NOTE: keyed on "wmic product where ... call uninstall /nointeractive"; uninstalls through msiexec /x, PowerShell CIM
# (Invoke-CimMethod on Win32_Product) or the vendor's own uninstaller are not covered. The product names are bare
# substrings - "Antivirus" also matches third-party names - so extend the list for your stack rather than relying on it.
RuleId = 847d5ff3-8a31-4737-a970-aeae8fe21765
RuleName = Wmic Uninstall Security Product
EventType = Process.Start
Tag = proc-start-wmic-uninstall-security-product
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%product where %" and Process.CommandLine like r"%call uninstall%" and Process.CommandLine like r"%/nointeractive%" and (Process.CommandLine like r"% name=%" or Process.CommandLine like r"%caption like %") and (Process.CommandLine like r"%Antivirus%" or Process.CommandLine like r"%AVG %" or Process.CommandLine like r"%Crowdstrike Sensor%" or Process.CommandLine like r"%DLP Endpoint%" or Process.CommandLine like r"%Endpoint Detection%" or Process.CommandLine like r"%Endpoint Protection%" or Process.CommandLine like r"%Endpoint Security%" or Process.CommandLine like r"%Endpoint Sensor%" or Process.CommandLine like r"%ESET File Security%" or Process.CommandLine like r"%Malwarebytes%" or Process.CommandLine like r"%McAfee Agent%" or Process.CommandLine like r"%Microsoft Security Client%" or Process.CommandLine like r"%Threat Protection%" or Process.CommandLine like r"%VirusScan%" or Process.CommandLine like r"%Webroot SecureAnywhere%" or Process.CommandLine like r"%Windows Defender%" or Process.CommandLine like r"%CarbonBlack%" or Process.CommandLine like r"%Carbon Black%" or Process.CommandLine like r"%Cb Defense Sensor 64-bit%" or Process.CommandLine like r"%Dell Threat Defense%" or Process.CommandLine like r"%Cylance %" or Process.CommandLine like r"%LogRhythm System Monitor Service%"))

[ActivityMonitoringRule]
# Detects WMI executing suspicious commands
# Two branches, both requiring wmic.exe by Process.Path or Process.Name:
#   1. `process` + `call` + `create ` - process creation through WMI. No `/node:` is required, so the
#      remote form also matches here and additionally raises "WMI Remote Command Execution".
#   2. ` path ` + `AntiVirus`/`Firewall` + `Product` + ` get ` - enumeration of the AntiVirusProduct /
#      FirewallProduct classes (typically queried under root\SecurityCenter2) to discover installed defenses.
# Plain substring matching: the tokens may appear in any order and are not tied to a specific position.
RuleId = 526be59f-a573-4eea-b5f7-f0973207634d
RuleName = Suspicious WMI Execution
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = (((Process.Path like r"%\\wmic.exe" or Process.Name == "wmic.exe") and (Process.CommandLine like r"%process%" and Process.CommandLine like r"%call%" and Process.CommandLine like r"%create %")) or ((Process.Path like r"%\\wmic.exe" or Process.Name == "wmic.exe") and Process.CommandLine like r"% path %" and (Process.CommandLine like r"%AntiVirus%" or Process.CommandLine like r"%Firewall%") and (Process.CommandLine like r"%Product%" and Process.CommandLine like r"% get %")))

[ActivityMonitoringRule]
# ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
# Branch 1: a credential being stored for the ZipFolder shell namespace (cmdkey-style switches
# `/generic:Microsoft_Windows_Shell_ZipFolder:filename=<x>.zip`, `/user:` and `/pass:` all present).
# Branch 2: the matching removal (`/delete` + the same ZipFolder target + `.zip`).
# The `\_` sequences presumably escape LIKE's single-character wildcard so the underscores match literally.
# No binary is checked - the command line is the only evidence, whichever process carried it.
RuleId = 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
RuleName = Suspicious ZipExec Execution
EventType = Process.Start
Tag = proc-start-suspicious-zipexec-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1218", "T1202"]}
Query = ((Process.CommandLine like r"%/generic:Microsoft\_Windows\_Shell\_ZipFolder:filename=%" and Process.CommandLine like r"%.zip%" and Process.CommandLine like r"%/pass:%" and Process.CommandLine like r"%/user:%") or (Process.CommandLine like r"%/delete%" and Process.CommandLine like r"%Microsoft\_Windows\_Shell\_ZipFolder:filename=%" and Process.CommandLine like r"%.zip%"))

[ActivityMonitoringRule]
# Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
# Requires all four tokens in one command line: `Compress-Archive `, ` -Path `, ` -DestinationPath ` and the
# literal `$env:TEMP\`.
# NOTE(review): the destination check is the literal string `$env:TEMP\`. `$env:TMP`, `%TEMP%`,
# `[IO.Path]::GetTempPath()`, an already-expanded ...\AppData\Local\Temp path, positional parameters
# (no ` -Path `), or an -EncodedCommand script block are all missed. Treat this as a low-effort tripwire,
# not as coverage of T1074.001.
RuleId = 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
RuleName = Zip A Folder With PowerShell For Staging In Temp
EventType = Process.Start
Tag = proc-start-zip-a-folder-with-powershell-for-staging-in-temp
RiskScore = 50
Annotation = {"mitre_attack": ["T1074.001"]}
Query = (Process.CommandLine like r"%Compress-Archive %" and Process.CommandLine like r"% -Path %" and Process.CommandLine like r"% -DestinationPath %" and Process.CommandLine like r"%$env:TEMP\\%")

[ActivityMonitoringRule]
# Detects usage of Sysinternals PsService for service reconnaissance or tamper
# Triggers on the file name alone: psservice.exe by Process.Name, or a Process.Path ending in
# PsService.exe / PsService64.exe. The command line is not inspected, so the sub-command (query, stop,
# setconfig, ...) is not distinguished and a renamed copy is not seen at all.
# Legitimate administrative use produces an identical event; triage on user, parent and arguments.
# TODO(review): if uberAgent exposes an original-filename/product property on Process.Start, add it here
# so the rule survives a rename.
RuleId = 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
RuleName = Use of Sysinternals PsService
EventType = Process.Start
Tag = proc-start-use-of-sysinternals-psservice
RiskScore = 50
Annotation = {"mitre_attack": ["T1543.003"]}
Query = (Process.Name == "psservice.exe" or (Process.Path like r"%\\PsService.exe" or Process.Path like r"%\\PsService64.exe"))

[ActivityMonitoringRule]
# Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
# Path-only match on a binary named tapinstall.exe; neither the command line nor the parent is checked.
# Expect hits from legitimate VPN client installations that bundle the TAP driver. The parent installer,
# its signer and the user context are what separate those from an attacker staging a tunnel.
RuleId = 99793437-3e16-439b-be0f-078782cf953d
RuleName = Tap Installer Execution
EventType = Process.Start
Tag = proc-start-tap-installer-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1048"]}
Query = Process.Path like r"%\\tapinstall.exe"

[ActivityMonitoringRule]
# Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
# Matches either the binary name NirCmd.exe, or NirCmd-style verbs in ANY process command line:
# ` execmd `, `.exe script `, `.exe shexec `, ` runinteractive `, and ` exec `/` exec2 ` together with
# ` show `/` hide `.
# The verb branches are not tied to nircmd, so a renamed copy is still caught - but unrelated tools that
# happen to pass `exec ... show`-style arguments fire too. Triage on Process.Path and parent.
RuleId = 4e2ed651-1906-4a59-a78a-18220fca1b22
RuleName = NirCmd Tool Execution
EventType = Process.Start
Tag = proc-start-nircmd-tool-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1569.002"]}
Query = ((Process.Name == "NirCmd.exe" or (Process.CommandLine like r"% execmd %" or Process.CommandLine like r"%.exe script %" or Process.CommandLine like r"%.exe shexec %" or Process.CommandLine like r"% runinteractive %")) or ((Process.CommandLine like r"% exec %" or Process.CommandLine like r"% exec2 %") and (Process.CommandLine like r"% show %" or Process.CommandLine like r"% hide %")))

[ActivityMonitoringRule]
# Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
# nltest.exe (by path): /domain_trusts, /all_trusts, /trusted_domains or /dclist on the command line
# (the `\_` escapes make the underscore literal instead of a single-character wildcard).
# dsquery.exe (by path): any command line containing `trustedDomain`. The third clause
# (`-filter` + `trustedDomain`) is a subset of the second and is redundant but harmless - kept for parity
# with the upstream Sigma selections.
# Both branches key on Process.Path, so the tools copied under another name are not covered.
# Admins and monitoring scripts legitimately run `nltest /dclist`; expect some benign volume from it.
RuleId = 3bad990e-4848-4a78-9530-b427d854aac0
RuleName = Domain Trust Discovery
EventType = Process.Start
Tag = proc-start-domain-trust-discovery
RiskScore = 50
Annotation = {"mitre_attack": ["T1482"]}
Query = ((Process.Path like r"%\\nltest.exe" and (Process.CommandLine like r"%domain\_trusts%" or Process.CommandLine like r"%all\_trusts%" or Process.CommandLine like r"%/trusted\_domains%" or Process.CommandLine like r"%/dclist%")) or (Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%trustedDomain%") or (Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%-filter%" and Process.CommandLine like r"%trustedDomain%"))

[ActivityMonitoringRule]
# Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
# Requires all three substrings on the command line: `\WindowsSensor.exe`, ` /uninstall` and ` /quiet`.
# An interactive uninstall (no ` /quiet`) does not match here, and removal through wmic is left to the
# "Wmic Uninstall Security Product" rule. No Process.Path check - the installer may be run from any location.
# Planned sensor removals/upgrades by the endpoint team are the expected benign source; correlate with the
# change window before escalating.
RuleId = f0f7be61-9cf5-43be-9836-99d6ef448a18
RuleName = Uninstall Crowdstrike Falcon
EventType = Process.Start
Tag = proc-start-uninstall-crowdstrike-falcon
RiskScore = 50
Annotation = {"mitre_attack": ["T1562.001"]}
Query = (Process.CommandLine like r"%\\WindowsSensor.exe%" and Process.CommandLine like r"% /uninstall%" and Process.CommandLine like r"% /quiet%")

[ActivityMonitoringRule]
# Detects when verclsid.exe is used to run COM object via GUID
# Requires verclsid.exe (by path or name) and both `/S` and `/C` somewhere on the command line.
# NOTE(review): `/S` and `/C` are two-character substrings. Whether lowercase `/s` `/c` match depends on
# the case sensitivity of `like`, and any argument containing "/S" or "/C" (a forward-slash path, for
# instance) satisfies them just as well - confirm the matcher semantics before relying on this.
# Windows itself launches verclsid.exe (typically from explorer.exe) when validating shell extensions, so
# Parent.Path and the CLSID passed with /C are needed to triage a hit.
RuleId = d06be4b9-8045-428b-a567-740a26d9db25
RuleName = Verclsid.exe Runs COM Object
EventType = Process.Start
Tag = proc-start-verclsid.exe-runs-com-object
RiskScore = 50
Annotation = {"mitre_attack": ["T1218"]}
Query = ((Process.Path like r"%\\verclsid.exe" or Process.Name == "verclsid.exe") and (Process.CommandLine like r"%/S%" and Process.CommandLine like r"%/C%"))

[ActivityMonitoringRule]
# Detects a JAVA process running with remote debugging allowing more than just localhost to connect
# Looks for the JDWP agent option `transport=dt_socket,address=` and excludes only addresses beginning
# with 127.0.0.1 or localhost. `*:5005`, `0.0.0.0:5005`, a host IP, or a bare port all match.
# NOTE(review): a bare port (`address=5005`) binds loopback only on newer JDKs by default, so part of the
# hits are not actually reachable from the network - check the JDK version before escalating.
# Developer workstations and CI/build agents with debugging enabled are the usual benign source; on a
# server the exposed port is a remote-code-execution surface and deserves a ticket.
RuleId = 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
RuleName = Java Running with Remote Debugging
EventType = Process.Start
Tag = proc-start-java-running-with-remote-debugging
RiskScore = 50
Annotation = {"mitre_attack": ["T1203"]}
Query = (Process.CommandLine like r"%transport=dt\_socket,address=%" and not (Process.CommandLine like r"%address=127.0.0.1%" or Process.CommandLine like r"%address=localhost%"))

[ActivityMonitoringRule]
# Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see the references section of the upstream Sigma rule)
# Parent must be WindowsTerminal.exe; the child is flagged if ANY of these holds:
#   - it is a LOLBin by path (rundll32, regsvr32, certutil, cscript, wscript, csc),
#   - it runs from a user-writable location (C:\Users\Public, \Downloads, \Desktop, AppData\Local\Temp,
#     \Windows\TEMP),
#   - its command line carries ` iex `, `Invoke-`, `Import-Module`, `DownloadString(`, ` /c ` or ` /k `.
# Only two benign cases are excluded: the Visual Studio DevShell Import-Module and access to the
# terminal's own settings.json. Anything a user types into a shell hosted by the terminal (`cmd /c ...`,
# any Invoke-* cmdlet, `Import-Module ...`) also fires, so this is noisy on developer machines - extend the
# exclusion list per fleet rather than lowering the score.
# No Annotation (MITRE technique) key is set on this rule.
RuleId = 8de89e52-f6e1-4b5b-afd1-41ecfa300d48
RuleName = Suspicious WindowsTerminal Child Processes
EventType = Process.Start
Tag = proc-start-suspicious-windowsterminal-child-processes
RiskScore = 50
Query = ((Parent.Path like r"%\\WindowsTerminal.exe" and ((Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\csc.exe") or (Process.Path like r"%C:\\Users\\Public\\%" or Process.Path like r"%\\Downloads\\%" or Process.Path like r"%\\Desktop\\%" or Process.Path like r"%\\AppData\\Local\\Temp\\%" or Process.Path like r"%\\Windows\\TEMP\\%") or (Process.CommandLine like r"% iex %" or Process.CommandLine like r"%Invoke-%" or Process.CommandLine like r"%Import-Module%" or Process.CommandLine like r"%DownloadString(%" or Process.CommandLine like r"% /c %" or Process.CommandLine like r"% /k %"))) and not ((Process.CommandLine like r"%Import-Module%" and Process.CommandLine like r"%Microsoft.VisualStudio.DevShell.dll%" and Process.CommandLine like r"%Enter-VsDevShell%") or (Process.CommandLine like r"%\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal\_%" and Process.CommandLine like r"%\\LocalState\\settings.json%")))
GenericProperty1 = Parent.Path

[ActivityMonitoringRule]
# Detects the Installation of a Exchange Transport Agent
# Single substring `Install-TransportAgent` in any process command line; no process or parent restriction.
# Because this is a Process.Start rule, the cmdlet is only seen when it appears on a command line
# (e.g. powershell.exe -Command ...); it is not seen when typed into an already-running Exchange
# Management Shell, and the follow-up `Enable-TransportAgent` is not matched at all.
# Legitimate agent installs by Exchange admins fire this too - verify the -AssemblyPath and its signer.
RuleId = 83809e84-4475-4b69-bc3e-4aad8568612f
RuleName = MSExchange Transport Agent Installation
EventType = Process.Start
Tag = proc-start-msexchange-transport-agent-installation
RiskScore = 50
Annotation = {"mitre_attack": ["T1505.002"]}
Query = Process.CommandLine like r"%Install-TransportAgent%"

[ActivityMonitoringRule]
# Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts
# Requires wmic.exe plus ` qfe `, ` get ` and the exact column list `Caption,Description,HotFixID,InstalledOn`.
# That column string is the one copied around in enumeration scripts; any other column set or order
# (`qfe get HotFixID`, `qfe list brief`) is not matched by this rule, though the broader
# "Suspicious WMI Reconnaissance" rule in this file (`%qfe%`) still catches it.
RuleId = dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
RuleName = WMIC Hotfix Recon
EventType = Process.Start
Tag = proc-start-wmic-hotfix-recon
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = ((Process.Name == "wmic.exe" or Process.Path like r"%\\WMIC.exe") and (Process.CommandLine like r"% qfe %" and Process.CommandLine like r"% get %" and Process.CommandLine like r"%Caption,Description,HotFixID,InstalledOn%"))

[ActivityMonitoringRule]
# An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.
# Broad: wmic.exe with the substring `process` or `qfe` anywhere on the command line, minus the
# `call` + `create` combination (that case belongs to "Suspicious WMI Execution" /
# "WMI Remote Command Execution").
# `%process%` is unanchored, so `process get`, `process list`, `process where ... call terminate` and any
# argument merely containing "process" all fire. Expect volume from admin scripts and inventory tooling;
# the value is in the sequence (qfe + process + service queries from one parent), not a single hit.
RuleId = 221b251a-357a-49a9-920a-271802777cc0
RuleName = Suspicious WMI Reconnaissance
EventType = Process.Start
Tag = proc-start-suspicious-wmi-reconnaissance
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = (((Process.Path like r"%\\WMIC.exe" or Process.Name == "wmic.exe") and (Process.CommandLine like r"%process%" or Process.CommandLine like r"%qfe%")) and not (Process.CommandLine like r"%call%" and Process.CommandLine like r"%create%"))

[ActivityMonitoringRule]
# An adversary might use WMI to execute commands on a remote system
# wmic.exe with `/node:` plus `process`, `call` and `create` - lateral movement via WMI process creation.
# The substrings may appear in any order. A local `process call create` (no /node:) is handled by
# "Suspicious WMI Execution", which also fires for the remote form, so a remote create raises both rules.
# `/node:` by itself is ordinary remote administration; the target host, the executing user and the
# command passed to `create` are what matter in triage.
RuleId = e42af9df-d90b-4306-b7fb-05c863847ebd
RuleName = WMI Remote Command Execution
EventType = Process.Start
Tag = proc-start-wmi-remote-command-execution
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = ((Process.Path like r"%\\WMIC.exe" or Process.Name == "wmic.exe") and (Process.CommandLine like r"%/node:%" and Process.CommandLine like r"%process%" and Process.CommandLine like r"%call%" and Process.CommandLine like r"%create%"))

[ActivityMonitoringRule]
# An adversary might use WMI to check if a certain Remote Service is running on a remote device.
# When the test completes, a service information will be displayed on the screen if it exists.
# A common feedback message is that "No instance(s) Available" if the service queried is not running.
# A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
# wmic.exe with `/node:` and the substring `service` anywhere on the command line.
# `service` is unanchored: `/node:x service get ...`, `/node:x service call startservice` (also raised by
# "WMIC Service Start/Stop") and unrelated arguments containing the word all match.
# Remote management scripts are the expected benign source; pivot on the /node: target and the user.
RuleId = 09af397b-c5eb-4811-b2bb-08b3de464ebf
RuleName = WMI Reconnaissance List Remote Services
EventType = Process.Start
Tag = proc-start-wmi-reconnaissance-list-remote-services
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = ((Process.Path like r"%\\WMIC.exe" or Process.Name == "wmic.exe") and (Process.CommandLine like r"%/node:%" and Process.CommandLine like r"%service%"))

[ActivityMonitoringRule]
# Uninstall an application with wmic
# wmic.exe plus `call uninstall` - any product removal through WMI, not only security software.
# This is a superset of "Wmic Uninstall Security Product"; both fire when a listed AV/EDR product is removed.
# Software-deployment and patching tools may drive uninstalls through wmic; baseline those parents before
# alerting on this rule at its current score.
RuleId = b53317a0-8acf-4fd1-8de8-a5401e776b96
RuleName = WMI Uninstall An Application
EventType = Process.Start
Tag = proc-start-wmi-uninstall-an-application
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = ((Process.Path like r"%\\WMIC.exe" or Process.Name == "wmic.exe") and Process.CommandLine like r"%call uninstall%")

[ActivityMonitoringRule]
# Detects usage of wmic to start or stop a service
# wmic.exe with ` service ` and ` call ` plus `stopservice` or `startservice`.
# `sc.exe`, `net stop/start` and PowerShell Stop-/Start-Service are not in scope of this rule.
# NOTE(review): the Tag contains a `/` (`...start/stop`); every other tag in this file uses only
# [a-z0-9.-]. Confirm the tag is accepted unchanged by uberAgent and by any downstream search or
# dashboard that keys on tag values before leaving it as is.
RuleId = 0b7163dc-7eee-4960-af17-c0cd517f92da
RuleName = WMIC Service Start/Stop
EventType = Process.Start
Tag = proc-start-wmic-service-start/stop
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = ((Process.Name == "wmic.exe" or Process.Path like r"%\\WMIC.exe") and (Process.CommandLine like r"% service %" and Process.CommandLine like r"% call %" and (Process.CommandLine like r"%stopservice%" or Process.CommandLine like r"%startservice%")))

[ActivityMonitoringRule]
# Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts
# wmic.exe with ` service ` and ` get ` and one of name / displayname / pathname / startmode.
# Because `%name%` is a substring it already covers `displayname` and `pathname`; the inner OR
# effectively reduces to "name or startmode". The classic unquoted-path check is
# `wmic service get name,displayname,pathname,startmode`, but any `service get` listing those columns
# fires, including inventory scripts - treat a single hit as weak and look at what ran next.
RuleId = 68bcd73b-37ef-49cb-95fc-edc809730be6
RuleName = WMIC Unquoted Services Path Lookup
EventType = Process.Start
Tag = proc-start-wmic-unquoted-services-path-lookup
RiskScore = 50
Annotation = {"mitre_attack": ["T1047"]}
Query = ((Process.Name == "wmic.exe" or Process.Path like r"%\\WMIC.exe") and (Process.CommandLine like r"% service %" and Process.CommandLine like r"% get %" and (Process.CommandLine like r"%name%" or Process.CommandLine like r"%displayname%" or Process.CommandLine like r"%pathname%" or Process.CommandLine like r"%startmode%")))

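[ActivityMonitoringRule]
# Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
# Requires `reg add`, the key prefix `hklm\system\currentcontrolset\control`, a `0`, either `storage` or
# `storagedevicepolicies`, and the write-protect value name.
# The value under StorageDevicePolicies that controls removable-storage write protection is named
# `WriteProtect` (no space). The upstream Sigma pattern `write protection` cannot match a real
# `reg add HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 0`,
# so `%writeprotect%` is accepted as an alternative; the original spelling is kept so every command line
# that matched before still matches. (Relies on `like` being case-insensitive, as the lowercase `hklm\...`
# pattern already does.)
# NOTE(review): `%0%` is satisfied by any zero on the command line (a path, a SID) and is therefore a weak
# stand-in for `/d 0`; `%storagedevicepolicies%` is redundant with `%storage%`. Only reg.exe-style command
# lines are covered - PowerShell Set-ItemProperty or direct API writes need a Reg.* rule.
RuleId = 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
RuleName = Write Protect For Storage Disabled
EventType = Process.Start
Tag = proc-start-write-protect-for-storage-disabled
RiskScore = 50
Annotation = {"mitre_attack": ["T1562"]}
Query = (Process.CommandLine like r"%reg add%" and Process.CommandLine like r"%hklm\\system\\currentcontrolset\\control%" and (Process.CommandLine like r"%write protection%" or Process.CommandLine like r"%writeprotect%") and Process.CommandLine like r"%0%" and (Process.CommandLine like r"%storage%" or Process.CommandLine like r"%storagedevicepolicies%"))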

[ActivityMonitoringRule]
# Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
# Branch 1: wmic.exe with `/format` whose format is NOT one of the built-in ones listed (List, htable,
# hform, table, mof, value, rawxml, xml, csv) - i.e. a custom stylesheet such as
# `/format:"https://host/x.xsl"` or a local .xsl file, which is the script-execution primitive.
# Branch 2: any execution of msxsl.exe by path, regardless of arguments.
# NOTE(review): the allowlist entries are spelled `/Format:List` etc. If `like` is case-sensitive, a
# lowercase `/format:list` is not excluded and alerts; confirm the matcher and add lowercase variants if so.
# Branch 1 keys on Process.Path, so a renamed wmic.exe is not covered.
RuleId = 05c36dd6-79d6-4a9a-97da-3db20298ab2d
RuleName = XSL Script Processing
EventType = Process.Start
Tag = proc-start-xsl-script-processing
RiskScore = 50
Annotation = {"mitre_attack": ["T1220"]}
Query = (((Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%/format%") and not ((Process.CommandLine like r"%/Format:List%" or Process.CommandLine like r"%/Format:htable%" or Process.CommandLine like r"%/Format:hform%" or Process.CommandLine like r"%/Format:table%" or Process.CommandLine like r"%/Format:mof%" or Process.CommandLine like r"%/Format:value%" or Process.CommandLine like r"%/Format:rawxml%" or Process.CommandLine like r"%/Format:xml%" or Process.CommandLine like r"%/Format:csv%"))) or Process.Path like r"%\\msxsl.exe")

[ActivityMonitoringRule]
# Detects value modification of registry key containing path to binary used as screensaver.
# Fires on any registry event whose target ends with `\Control Panel\Desktop\SCRNSAVE.EXE`, unless the
# writing process is rundll32.exe or explorer.exe (presumably the normal Control Panel / Settings path).
# NOTE(review): SCRNSAVE.EXE is a registry value, not a key. Confirm that Reg.Key.Target carries the value
# name for this event type; if it only holds the key (`...\Control Panel\Desktop`), this pattern never
# matches and the rule is silently dead.
# The per-user value lives under HKU; the HKLM entry in Hive is harmless but contributes nothing.
# By design an attacker who writes the value through rundll32.exe, or from code injected into
# explorer.exe, is excluded. The written data (the new .scr path) is not filtered - every change alerts,
# so surface the value data and the writing process in triage.
RuleId = 67a6c006-3fbe-46a7-9074-2ba3b82c3000
RuleName = Path To Screensaver Binary Modified
EventType = Reg.Any
Tag = path-to-screensaver-binary-modified
RiskScore = 50
Annotation = {"mitre_attack": ["T1546.002"]}
Query = (Reg.Key.Target like r"%\\Control Panel\\Desktop\\SCRNSAVE.EXE" and not ((Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\explorer.exe")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

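[ActivityMonitoringRule]
# Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
# Matches a registry event targeting the AppCertDlls key itself, or a key being renamed to that path
# (Reg.Key.Path.New). The patterns carry no `%` wildcards, so they match the key exactly rather than any
# sub-key path beneath it.
# Fix: the Reg.Key.Path.New pattern read `CurentControlSet` (missing "r"), inherited from the NewName
# selection of the upstream Sigma rule; that branch could never match a real rename. Corrected to
# `CurrentControlSet` so both branches name the same key.
# NOTE(review): if uberAgent reports the key through its concrete name (`ControlSet001`) instead of the
# `CurrentControlSet` alias, both branches need that spelling too - confirm on a test host.
# The key is HKLM-only; HKU in Hive contributes nothing. Few legitimate installers write here, so surface
# the DLL path from the value data and the writing process and treat a hit as worth a look.
RuleId = 6aa1d992-5925-4e9f-a49b-845e51d1de01
RuleName = New DLL Added to AppCertDlls Registry Key
EventType = Reg.Any
Tag = new-dll-added-to-appcertdlls-registry-key
RiskScore = 50
Annotation = {"mitre_attack": ["T1546.009"]}
Query = (Reg.Key.Target like r"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" or Reg.Key.Path.New like r"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target
GenericProperty2 = Reg.Key.Path.New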

[ActivityMonitoringRule]
# Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
# Exact-path match (no `%` wildcards) on `...\Software\Microsoft\Office test\Special\Perf` under HKCU or HKLM.
# NOTE(review): the HKCU pattern is literal. If this event type reports per-user keys as `HKU\<SID>\...`,
# the user-hive branch never matches and needs a `%\\Software\\Microsoft\\Office test\\Special\\Perf` form -
# confirm on a test host.
# Only events whose Reg.Key.Target is the Perf key itself are seen; whether value writes beneath it share
# that target should be confirmed as well. The key is normally absent on a default Office install, so its
# creation alone is the signal; capture the DLL path from the value data for triage.
RuleId = 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
RuleName = Office Application Startup - Office Test
EventType = Reg.Any
Tag = office-application-startup-office-test
RiskScore = 50
Annotation = {"mitre_attack": ["T1137.002"]}
Query = (Reg.Key.Target like r"HKCU\\Software\\Microsoft\\Office test\\Special\\Perf" or Reg.Key.Target like r"HKLM\\Software\\Microsoft\\Office test\\Special\\Perf")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
# Exact-path match on the IPv4->IPv4 TCP portproxy key; the v4tov6, v6tov4 and v6tov6 siblings are not
# covered by this pattern.
# `netsh interface portproxy add v4tov4 ...` persists its entries here; legitimate admin uses of the same
# command (forwarding a port into WSL2 or a VM, for example) are the expected benign hits.
# The key is HKLM-only; HKU in Hive contributes nothing. The listen and target address/port are recorded in
# the value name/data - surface them in triage to tell a loopback convenience forward from a listener
# exposed to the network.
RuleId = a54f842a-3713-4b45-8c84-5f136fdebd3c
RuleName = PortProxy Registry Key
EventType = Reg.Any
Tag = portproxy-registry-key
RiskScore = 50
Annotation = {"mitre_attack": ["T1090"]}
Query = Reg.Key.Target like r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

[ActivityMonitoringRule]
# Alerts on trust record modification within the registry, indicating usage of macros
# Matches any registry event whose target contains `TrustRecords` - the per-document "Enable Content"
# decisions Office keeps under each application's Security\Trusted Documents key.
# This fires for every document a user trusts, so it is a high-volume telemetry source rather than an
# alert on its own; its value is attributing a later macro-driven process chain (Office parent spawning
# cmd/powershell/wscript) to the document that was trusted just before.
# The document path is recorded in the value name - capture it via a GenericProperty if triage needs it.
RuleId = 295a59c1-7b79-4b47-a930-df12c15fc9c2
RuleName = Windows Registry Trust Record Modification
EventType = Reg.Any
Tag = windows-registry-trust-record-modification
RiskScore = 50
Annotation = {"mitre_attack": ["T1566.001"]}
Query = Reg.Key.Target like r"%TrustRecords%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Target

