Skip to main content

uberAgent-ESA-am-sigma-medium.conf

The following is the uberAgent-ESA-am-sigma-medium.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: medium
#

[ActivityMonitoringRule]
# Detects suspicious DNS queries using base64 encoding
RuleName = Suspicious DNS Query with B64 Encoded String
EventType = Dns.Query
Tag = suspicious-dns-query-with-b64-encoded-string
RiskScore = 50
Query = Dns.QueryRequest like r"%==.%"
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects DNS queries for ip lookup services such as api.ipify.org not originating from a browser process.
RuleName = Suspicious DNS Query for IP Lookup Service APIs
EventType = Dns.Query
Tag = suspicious-dns-query-for-ip-lookup-service-apis
RiskScore = 50
Query = (Dns.QueryRequest in ["canireachthe.net", "ipv4.icanhazip.com", "ip.anysrc.net", "edns.ip-api.com", "wtfismyip.com", "checkip.dyndns.org", "api.2ip.ua", "icanhazip.com", "api.ipify.org", "ip-api.com", "checkip.amazonaws.com", "ipecho.net", "ipinfo.io", "ipv4bot.whatismyipaddress.com", "freegeoip.app"] and not ((Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\iexplore.exe" or Process.Path like r"%\\firefox.exe" or Process.Path like r"%\\brave.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\vivaldi.exe")))
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
RuleName = Telegram Bot API Request
EventType = Dns.Query
Tag = telegram-bot-api-request
RiskScore = 50
Query = Dns.QueryRequest == "api.telegram.org"
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects when an admin share is mounted using net.exe
RuleName = Mounted Windows Admin Shares with net.exe
EventType = Process.Start
Tag = proc-start-mounted-windows-admin-shares-with-net.exe
RiskScore = 50
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% use %" and Process.CommandLine like r"%\\\*\\%$%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
RuleName = Suspicious Werfault.exe Network Connection Outbound
EventType = Net.Any
Tag = suspicious-werfault.exe-network-connection-outbound
RiskScore = 50
Query = (Process.Path == "werfault.exe" and not ((Parent.Path == "svchost.exe" and (Net.Target.Ip like r"104.42.151.234" or Net.Target.Ip like r"104.43.193.48" or Net.Target.Ip like r"52.255.188.83" or Net.Target.Ip like r"13.64.90.137" or Net.Target.Ip like r"168.61.161.212" or Net.Target.Ip like r"13.88.21.125" or Net.Target.Ip like r"40.88.32.150" or Net.Target.Ip like r"52.147.198.201" or Net.Target.Ip like r"52.239.207.100" or Net.Target.Ip like r"52.176.224.96" or Net.Target.Ip like r"2607:7700:0:24:0:1:287e:1894" or Net.Target.Ip like r"10.%" or Net.Target.Ip like r"192.168.%" or Net.Target.Ip like r"127.%") and (Net.Target.Name like r"%.windowsupdate.com%" or Net.Target.Name like r"%.microsoft.com%"))))
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port

[ActivityMonitoringRule]
# Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
RuleName = SyncAppvPublishingServer Execution to Bypass Powershell Restriction
EventType = Process.Start
Tag = proc-start-syncappvpublishingserver-execution-to-bypass-powershell-restriction
RiskScore = 50
Query = Process.Path like r"%\\SyncAppvPublishingServer.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
RuleName = Suspicious System.Drawing Load
EventType = Image.Load
Tag = suspicious-system.drawing-load
RiskScore = 50
Query = (Image.Path like r"%\\System.Drawing.ni.dll" and not (Process.Path like r"%\\WmiPrvSE.exe"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
RuleName = UIPromptForCredentials DLLs
EventType = Image.Load
Tag = uipromptforcredentials-dlls
RiskScore = 50
Query = ((Image.Path like r"%\\credui.dll" or Image.Path like r"%\\wincredui.dll") or Process.Name in ["credui.dll", "wincredui.dll"])
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
RuleName = Suspicious WSMAN Provider Image Loads
EventType = Image.Load
Tag = suspicious-wsman-provider-image-loads
RiskScore = 50
Query = ((((Image.Path like r"%\\WsmSvc.dll" or Image.Path like r"%\\WsmAuto.dll" or Image.Path like r"%\\Microsoft.WSMan.Management.ni.dll") or Process.Name in ["WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"]) and not (Process.Path like r"%\\powershell.exe")) or (Process.Path like r"%\\svchost.exe" and Process.Name == "WsmWmiPl.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
RuleName = Wuauclt Network Connection
EventType = Net.Any
Tag = wuauclt-network-connection
RiskScore = 50
Query = Process.Path like r"%wuauclt%"
GenericProperty1 = Net.Target.Ip
GenericProperty2 = Net.Target.Name
GenericProperty3 = Net.Target.Port
GenericProperty4 = Net.Target.Protocol
GenericProperty5 = Net.Source.Ip
GenericProperty6 = Net.Source.Port

[ActivityMonitoringRule]
# Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
RuleName = Advanced IP Scanner
EventType = Process.Start
Tag = proc-start-advanced-ip-scanner
RiskScore = 50
Query = Process.Path like r"%\\advanced\_ip\_scanner%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
RuleName = Execute From Alternate Data Streams
EventType = Process.Start
Tag = proc-start-execute-from-alternate-data-streams
RiskScore = 50
Query = (Process.CommandLine like r"%txt:%" and ((Process.CommandLine like r"%type %" and Process.CommandLine like r"% > %") or (Process.CommandLine like r"%makecab %" and Process.CommandLine like r"%.cab%") or (Process.CommandLine like r"%reg %" and Process.CommandLine like r"% export %") or (Process.CommandLine like r"%regedit %" and Process.CommandLine like r"% /E %") or (Process.CommandLine like r"%esentutl %" and Process.CommandLine like r"% /y %" and Process.CommandLine like r"% /d %" and Process.CommandLine like r"% /o %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
RuleName = Defrag Deactivation
EventType = Process.Start
Tag = proc-start-defrag-deactivation
RiskScore = 50
Query = (Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/change%") and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%\\Microsoft\\Windows\\Defrag\\ScheduledDefrag%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Once established within a system or network, an adversary may use automated techniques for collecting internal data.
RuleName = Automated Collection Command Prompt
EventType = Process.Start
Tag = proc-start-automated-collection-command-prompt
RiskScore = 50
Query = ((Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.docx%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.xlsx%" or Process.CommandLine like r"%.ppt%" or Process.CommandLine like r"%.pptx%" or Process.CommandLine like r"%.rtf%" or Process.CommandLine like r"%.pdf%" or Process.CommandLine like r"%.txt%") and ((Process.CommandLine like r"%dir %" and Process.CommandLine like r"% /b %" and Process.CommandLine like r"% /s %") or (Process.Name == "FINDSTR.EXE" and Process.CommandLine like r"% /e %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
RuleName = Suspicious Load DLL via CertOC.exe
EventType = Process.Start
Tag = proc-start-suspicious-load-dll-via-certoc.exe
RiskScore = 50
Query = (Process.Path like r"%\\certoc.exe" and Process.CommandLine like r"%-LoadDLL%" and Process.CommandLine like r"%.dll%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
RuleName = Discover Private Keys
EventType = Process.Start
Tag = proc-start-discover-private-keys
RiskScore = 50
Query = ((Process.CommandLine like r"%dir %" or Process.CommandLine like r"%findstr %") and (Process.CommandLine like r"%.key%" or Process.CommandLine like r"%.pgp%" or Process.CommandLine like r"%.gpg%" or Process.CommandLine like r"%.ppk%" or Process.CommandLine like r"%.p12%" or Process.CommandLine like r"%.pem%" or Process.CommandLine like r"%.pfx%" or Process.CommandLine like r"%.cer%" or Process.CommandLine like r"%.p7b%" or Process.CommandLine like r"%.asc%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# dotnet.exe will execute any DLL and execute unsigned code
RuleName = Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
EventType = Process.Start
Tag = proc-start-dotnet.exe-exec-dll-and-execute-unsigned-code-lolbin
RiskScore = 50
Query = ((Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.csproj") and (Process.Path like r"%\\dotnet.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
RuleName = InfDefaultInstall.exe .inf Execution
EventType = Process.Start
Tag = proc-start-infdefaultinstall.exe-.inf-execution
RiskScore = 50
Query = (Process.CommandLine like r"%InfDefaultInstall.exe %" and Process.CommandLine like r"%.inf%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when a user performs data exfiltration by using DataSvcUtil.exe
RuleName = LOLBAS Data Exfiltration by DataSvcUtil.exe
EventType = Process.Start
Tag = proc-start-lolbas-data-exfiltration-by-datasvcutil.exe
RiskScore = 50
Query = (Process.CommandLine like r"%/in:%" and Process.CommandLine like r"%/out:%" and (Process.Path like r"%\\DataSvcUtil.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
RuleName = Suspicious Driver Install by pnputil.exe
EventType = Process.Start
Tag = proc-start-suspicious-driver-install-by-pnputil.exe
RiskScore = 50
Query = ((Process.CommandLine like r"%-i%" or Process.CommandLine like r"%/install%" or Process.CommandLine like r"%-a%" or Process.CommandLine like r"%/add-driver%" or Process.CommandLine like r"%.inf%") and (Process.Path like r"%\\pnputil.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects file execution using the msdeploy.exe lolbin
RuleName = Execute Files with Msdeploy.exe
EventType = Process.Start
Tag = proc-start-execute-files-with-msdeploy.exe
RiskScore = 50
Query = (Process.CommandLine like r"%verb:sync%" and Process.CommandLine like r"%-source:RunCommand%" and Process.CommandLine like r"%-dest:runCommand%" and (Process.Path like r"%\\msdeploy.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.
RuleName = ProtocolHandler.exe Downloaded Suspicious File
EventType = Process.Start
Tag = proc-start-protocolhandler.exe-downloaded-suspicious-file
RiskScore = 50
Query = (Process.Path like r"%\\protocolhandler.exe" and Process.CommandLine like r"%\"ms-word%" and Process.CommandLine like r"%.docx\"%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
RuleName = Root Certificate Installed
EventType = Process.Start
Tag = proc-start-root-certificate-installed
RiskScore = 50
Query = (Process.CommandLine like r"%root%" and ((Process.Path like r"%\\certutil.exe" and Process.CommandLine like r"%-addstore%") or (Process.Path like r"%\\CertMgr.exe" and Process.CommandLine like r"%/add%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Use of SDelete to erase a file not the free space
RuleName = Sysinternals SDelete Delete File
EventType = Process.Start
Tag = proc-start-sysinternals-sdelete-delete-file
RiskScore = 50
Query = (Process.Name == "sdelete.exe" and not ((Process.CommandLine like r"% -h%" or Process.CommandLine like r"% -c%" or Process.CommandLine like r"% -z%" or Process.CommandLine like r"% /_%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
RuleName = Detected Windows Software Discovery
EventType = Process.Start
Tag = proc-start-detected-windows-software-discovery
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%query%" and Process.CommandLine like r"%\\software\\%" and Process.CommandLine like r"%/v%" and Process.CommandLine like r"%svcversion%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
RuleName = Compress Data and Lock With Password for Exfiltration With 7-ZIP
EventType = Process.Start
Tag = proc-start-compress-data-and-lock-with-password-for-exfiltration-with-7-zip
RiskScore = 50
Query = ((Process.CommandLine like r"%7z.exe%" or Process.CommandLine like r"%7za.exe%") and Process.CommandLine like r"% -p%" and (Process.CommandLine like r"% a %" or Process.CommandLine like r"% u %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
RuleName = Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
EventType = Process.Start
Tag = proc-start-abusable-invoke-athremotefxvgpudisablementcommand
RiskScore = 50
Query = (Process.CommandLine like r"%Invoke-ATHRemoteFXvGPUDisablementCommand %" and (Process.CommandLine like r"%-ModuleName %" or Process.CommandLine like r"%-ModulePath %" or Process.CommandLine like r"%-ScriptBlock %" or Process.CommandLine like r"%-RemoteFXvGPUDisablementFilePath%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# suspicious command line to remove exe or dll
RuleName = Suspicious Del in CommandLine
EventType = Process.Start
Tag = proc-start-suspicious-del-in-commandline
RiskScore = 50
Query = (Process.CommandLine like r"%del %" and ((Process.CommandLine like r"%/f %" and Process.CommandLine like r"%/q %" and Process.CommandLine like r"%.exe%") or (Process.CommandLine like r"%C:\\ProgramData\\%" and Process.CommandLine like r"%.dll%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Once established within a system or network, an adversary may use automated techniques for collecting internal data.
RuleName = Recon Information for Export with Command Prompt
EventType = Process.Start
Tag = proc-start-recon-information-for-export-with-command-prompt
RiskScore = 50
Query = ((Process.Path like r"%\\tree.com" or Process.Path like r"%\\WMIC.exe" or Process.Path like r"%\\doskey.exe" or Process.Path like r"%\\sc.exe") and Parent.CommandLine like r"% > \%TEMP\%\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of various web request with commandline tools or Windows PowerShell command,methods (including aliases)
RuleName = Windows Suspicious Use Of Web Request in CommandLine
EventType = Process.Start
Tag = proc-start-windows-suspicious-use-of-web-request-in-commandline
RiskScore = 50
Query = (Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%curl %" or Process.CommandLine like r"%Net.WebClient%" or Process.CommandLine like r"%Start-BitsTransfer%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
RuleName = Compress Data and Lock With Password for Exfiltration With WINZIP
EventType = Process.Start
Tag = proc-start-compress-data-and-lock-with-password-for-exfiltration-with-winzip
RiskScore = 50
Query = ((Process.CommandLine like r"%winzip.exe%" or Process.CommandLine like r"%winzip64.exe%") and (Process.CommandLine like r"%-s\"%") and (Process.CommandLine like r"% -min %" or Process.CommandLine like r"% -a %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
RuleName = Zip A Folder With PowerShell For Staging In Temp
EventType = Process.Start
Tag = proc-start-zip-a-folder-with-powershell-for-staging-in-temp
RiskScore = 50
Query = (Process.CommandLine like r"%Compress-Archive %" and Process.CommandLine like r"% -Path %" and Process.CommandLine like r"% -DestinationPath %" and Process.CommandLine like r"%$env:TEMP\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
RuleName = SyncAppvPublishingServer Execute Arbitrary PowerShell Code
EventType = Process.Start
Tag = proc-start-syncappvpublishingserver-execute-arbitrary-powershell-code
RiskScore = 50
Query = (Process.Path like r"%\\SyncAppvPublishingServer.exe" and Process.CommandLine like r"%\"n; %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
RuleName = SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
EventType = Process.Start
Tag = proc-start-syncappvpublishingserver-vbs-execute-arbitrary-powershell-code
RiskScore = 50
Query = (Process.CommandLine like r"%\\SyncAppvPublishingServer.vbs%" and Process.CommandLine like r"%\"n;%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the Installation of a Exchange Transport Agent
RuleName = MSExchange Transport Agent Installation
EventType = Process.Start
Tag = proc-start-msexchange-transport-agent-installation
RiskScore = 50
Query = Process.CommandLine like r"%Install-TransportAgent%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Conti recommendation to its affiliates to use esentult to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
RuleName = Esentutl Gather Credentials
EventType = Process.Start
Tag = proc-start-esentutl-gather-credentials
RiskScore = 50
Query = (Process.CommandLine like r"%esentutl%" and Process.CommandLine like r"% /p%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
RuleName = Always Install Elevated MSI Spawned Cmd And Powershell
EventType = Process.Start
Tag = proc-start-always-install-elevated-msi-spawned-cmd-and-powershell
RiskScore = 50
Query = ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe") and Parent.Path like r"%\\Windows\\Installer\\%" and Parent.Path like r"%msi%" and (Parent.Path like r"%tmp"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
RuleName = Mavinject Inject DLL Into Running Process
EventType = Process.Start
Tag = proc-start-mavinject-inject-dll-into-running-process
RiskScore = 50
Query = (Process.CommandLine like r"% /INJECTRUNNING%" and Process.CommandLine like r"%.dll%" and Process.Name like r"%mavinject%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack
RuleName = Cabinet File Expansion
EventType = Process.Start
Tag = proc-start-cabinet-file-expansion
RiskScore = 50
Query = ((Process.Path like r"%\\expand.exe") and (Process.CommandLine like r"%.cab%" or Process.CommandLine like r"%/F:%" or Process.CommandLine like r"%-F:%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
RuleName = Remove Windows Defender Definition Files
EventType = Process.Start
Tag = proc-start-remove-windows-defender-definition-files
RiskScore = 50
Query = (Process.Name == "MpCmdRun.exe" and Process.CommandLine like r"% -RemoveDefinitions%" and Process.CommandLine like r"% -All%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
RuleName = Sdclt Child Processes
EventType = Process.Start
Tag = proc-start-sdclt-child-processes
RiskScore = 50
Query = Parent.Path like r"%\\sdclt.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service
RuleName = Stop Or Remove Antivirus Service
EventType = Process.Start
Tag = proc-start-stop-or-remove-antivirus-service
RiskScore = 50
Query = ((Process.CommandLine like r"%Stop-Service %" or Process.CommandLine like r"%Remove-Service %") and (Process.CommandLine like r"% McAfeeDLPAgentService%" or Process.CommandLine like r"% Trend Micro Deep Security Manager%" or Process.CommandLine like r"% TMBMServer%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
RuleName = Suspicious WebDav Client Execution
EventType = Process.Start
Tag = proc-start-suspicious-webdav-client-execution
RiskScore = 50
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
RuleName = Uninstall Crowdstrike Falcon
EventType = Process.Start
Tag = proc-start-uninstall-crowdstrike-falcon
RiskScore = 50
Query = (Process.CommandLine like r"%\\WindowsSensor.exe%" and Process.CommandLine like r"% /uninstall%" and Process.CommandLine like r"% /quiet%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
RuleName = SquiblyTwo
EventType = Process.Start
Tag = proc-start-squiblytwo
RiskScore = 50
Query = (Process.CommandLine like r"%http%" and (((Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%format%") or (Process.Hash.IMP in ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] and Process.CommandLine like r"%format:%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of cmdkey to look for cached credentials
RuleName = Cmdkey Cached Credentials Recon
EventType = Process.Start
Tag = proc-start-cmdkey-cached-credentials-recon
RiskScore = 50
Query = (Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"% /list%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
RuleName = Dropping Of Password Filter DLL
EventType = Process.Start
Tag = proc-start-dropping-of-password-filter-dll
RiskScore = 50
Query = (Process.CommandLine like r"%HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa%" and Process.CommandLine like r"%scecli\\0%" and Process.CommandLine like r"%reg add%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Execution of well known tools for data exfiltration and tunneling
RuleName = Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-exfiltration-and-tunneling-tools-execution
RiskScore = 50
Query = (Process.Path like r"%\\plink.exe" or Process.Path like r"%\\socat.exe" or Process.Path like r"%\\stunnel.exe" or Process.Path like r"%\\httptunnel.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
RuleName = Exploit for CVE-2017-0261
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-0261
RiskScore = 50
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\FLTLDR.exe%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a file or folder's permissions being modified.
RuleName = File or Folder Permissions Modifications
EventType = Process.Start
Tag = proc-start-file-or-folder-permissions-modifications
RiskScore = 50
Query = (((Process.Path like r"%\\takeown.exe" or Process.Path like r"%\\cacls.exe" or Process.Path like r"%\\icacls.exe") and Process.CommandLine like r"%/grant%") or (Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"%-r%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Dump sam, system or security hives using REG.exe utility
RuleName = Grabbing Sensitive Hives via Reg Utility
EventType = Process.Start
Tag = proc-start-grabbing-sensitive-hives-via-reg-utility
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%save%" or Process.CommandLine like r"%export%" or Process.CommandLine like r"%ˢave%" or Process.CommandLine like r"%eˣport%") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hk˪m%" or Process.CommandLine like r"%hkey\_local\_machine%" or Process.CommandLine like r"%hkey\_˪ocal\_machine%" or Process.CommandLine like r"%hkey\_loca˪\_machine%" or Process.CommandLine like r"%hkey\_˪oca˪\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security" or Process.CommandLine like r"%\\ˢystem" or Process.CommandLine like r"%\\syˢtem" or Process.CommandLine like r"%\\ˢyˢtem" or Process.CommandLine like r"%\\ˢam" or Process.CommandLine like r"%\\ˢecurity"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
RuleName = Monitoring Winget For LOLbin Execution
EventType = Process.Start
Tag = proc-start-monitoring-winget-for-lolbin-execution
RiskScore = 50
Query = (Process.CommandLine like r"%.%(_i)winget install (--m|-m).%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command used by conti to access volume shadow backups
RuleName = Conti Volume Shadow Listing
EventType = Process.Start
Tag = proc-start-conti-volume-shadow-listing
RiskScore = 50
Query = (Process.CommandLine like r"%\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%" and (Process.CommandLine like r"%\\NTDS.dit%" or Process.CommandLine like r"%\\SYSTEM%" or Process.CommandLine like r"%\\SECURITY%" or Process.CommandLine like r"%C:\\tmp\\log%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
RuleName = Suspicious Usage of the Manage-bde.wsf Script
EventType = Process.Start
Tag = proc-start-suspicious-usage-of-the-manage-bde.wsf-script
RiskScore = 50
Query = (Process.CommandLine like r"%cscript%" and Process.CommandLine like r"%manage-bde.wsf%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detection well-known mimikatz command line arguments
RuleName = Mimikatz Command Line
EventType = Process.Start
Tag = proc-start-mimikatz-command-line
RiskScore = 50
Query = ((Process.CommandLine like r"%DumpCreds%" or Process.CommandLine like r"%invoke-mimikatz%") or ((Process.CommandLine like r"%rpc%" or Process.CommandLine like r"%token%" or Process.CommandLine like r"%crypto%" or Process.CommandLine like r"%dpapi%" or Process.CommandLine like r"%sekurlsa%" or Process.CommandLine like r"%kerberos%" or Process.CommandLine like r"%lsadump%" or Process.CommandLine like r"%privilege%" or Process.CommandLine like r"%process%") and (Process.CommandLine like r"%::%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Allow Incoming Connections by Port or Application on Windows Firewall
RuleName = Netsh Port or Application Allowed
EventType = Process.Start
Tag = proc-start-netsh-port-or-application-allowed
RiskScore = 50
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects capture a network trace via netsh.exe trace functionality
RuleName = Capture a Network Trace with netsh.exe
EventType = Process.Start
Tag = proc-start-capture-a-network-trace-with-netsh.exe
RiskScore = 50
Query = (Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%start%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding (PortProxy)
RuleName = Netsh Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-port-forwarding
RiskScore = 50
Query = (Process.Path like r"%\\netsh.exe" and ((Process.CommandLine like r"%interface%" and Process.CommandLine like r"%portproxy%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%v4tov4%") or (Process.CommandLine like r"%connectp%" and Process.CommandLine like r"%listena%" and Process.CommandLine like r"%c=%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect the harvesting of wifi credentials using netsh.exe
RuleName = Harvesting of Wifi Credentials Using netsh.exe
EventType = Process.Start
Tag = proc-start-harvesting-of-wifi-credentials-using-netsh.exe
RiskScore = 50
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%wlan%" and Process.CommandLine like r"% s%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"% k%" and Process.CommandLine like r"%=clear%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies creation of local users via the net.exe command.
RuleName = Net.exe User Account Creation
EventType = Process.Start
Tag = proc-start-net.exe-user-account-creation
RiskScore = 50
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%" and Process.CommandLine like r"%add%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects nltest commands that can be used for information discovery
RuleName = Recon Activity with NLTEST
EventType = Process.Start
Tag = proc-start-recon-activity-with-nltest
RiskScore = 50
Query = (Process.Path like r"%\\nltest.exe" and ((Process.CommandLine like r"%/server%" and Process.CommandLine like r"%/query%") or (Process.CommandLine like r"%/dclist:%" or Process.CommandLine like r"%/parentdomain%" or Process.CommandLine like r"%/domain\_trusts%" or Process.CommandLine like r"%/trusted\_domains%" or Process.CommandLine like r"%/user%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects audio capture via PowerShell Cmdlet.
RuleName = Audio Capture via PowerShell
EventType = Process.Start
Tag = proc-start-audio-capture-via-powershell
RiskScore = 50
Query = Process.CommandLine like r"%WindowsAudioDevice-Powershell-Cmdlet%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect download by BITS jobs via PowerShell
RuleName = Suspicious Bitsadmin Job via PowerShell
EventType = Process.Start
Tag = proc-start-suspicious-bitsadmin-job-via-powershell
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Start-BitsTransfer%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific combinations of encoding methods in the PowerShell command lines
RuleName = Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-encoded-powershell-command-line
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and (((((Process.CommandLine like r"%ToInt%" or Process.CommandLine like r"%ToDecimal%" or Process.CommandLine like r"%ToByte%" or Process.CommandLine like r"%ToUint%" or Process.CommandLine like r"%ToSingle%" or Process.CommandLine like r"%ToSByte%") and (Process.CommandLine like r"%ToChar%" or Process.CommandLine like r"%ToString%" or Process.CommandLine like r"%String%")) or (Process.CommandLine like r"%char%" and Process.CommandLine like r"%join%")) or (Process.CommandLine like r"%split%" and Process.CommandLine like r"%join%")) or (Process.CommandLine like r"%ForEach%" and Process.CommandLine like r"%Xor%") or (Process.CommandLine like r"%cOnvErTTO-SECUreStRIng%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
RuleName = PowerShell Downgrade Attack
EventType = Process.Start
Tag = proc-start-powershell-downgrade-attack
RiskScore = 50
Query = ((Process.CommandLine like r"% -version 2 %" or Process.CommandLine like r"% -versio 2 %" or Process.CommandLine like r"% -versi 2 %" or Process.CommandLine like r"% -vers 2 %" or Process.CommandLine like r"% -ver 2 %" or Process.CommandLine like r"% -ve 2 %") and Process.Path like r"%\\powershell.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Powershell process that contains download commands in its command line string
RuleName = PowerShell Download from URL
EventType = Process.Start
Tag = proc-start-powershell-download-from-url
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%new-object%" and Process.CommandLine like r"%net.webclient).%" and Process.CommandLine like r"%download%" and (Process.CommandLine like r"%string(%" or Process.CommandLine like r"%file(%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects uses of the SysInternals Procdump utility
RuleName = Procdump Usage
EventType = Process.Start
Tag = proc-start-procdump-usage
RiskScore = 50
Query = ((Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe") or (Process.CommandLine like r"% -ma %" and Process.CommandLine like r"%.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file
RuleName = Bitsadmin Download
EventType = Process.Start
Tag = proc-start-bitsadmin-download
RiskScore = 50
Query = (((Process.Path like r"%\\bitsadmin.exe") and (((Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%http%")) or (Process.CommandLine like r"% /transfer %"))) or (Process.CommandLine like r"%copy bitsadmin.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
RuleName = DLL Execution via Rasautou.exe
EventType = Process.Start
Tag = proc-start-dll-execution-via-rasautou.exe
RiskScore = 50
Query = ((Process.Path like r"%\\rasautou.exe" or Process.Name == "rasdlui.exe") and (Process.CommandLine like r"%-d%" and Process.CommandLine like r"%-p%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious command line reg.exe tool adding key to RUN key in Registry
RuleName = Reg Add RUN Key
EventType = Process.Start
Tag = proc-start-reg-add-run-key
RiskScore = 50
Query = (Process.CommandLine like r"%reg%" and Process.CommandLine like r"% ADD %" and Process.CommandLine like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
RuleName = Remote PowerShell Session Host Process (WinRM)
EventType = Process.Start
Tag = proc-start-remote-powershell-session-host-process-(winrm)
RiskScore = 50
Query = (Process.Path like r"%\\wsmprovhost.exe" or Parent.Path like r"%\\wsmprovhost.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
RuleName = Renamed Binary
EventType = Process.Start
Tag = proc-start-renamed-binary
RiskScore = 50
Query = ((Process.Name like r"cmd.exe" or Process.Name like r"powershell.exe" or Process.Name like r"powershell\_ise.exe" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"mshta.exe" or Process.Name like r"regsvr32.exe" or Process.Name like r"wmic.exe" or Process.Name like r"certutil.exe" or Process.Name like r"rundll32.exe" or Process.Name like r"cmstp.exe" or Process.Name like r"msiexec.exe" or Process.Name like r"7z.exe" or Process.Name like r"winrar.exe" or Process.Name like r"wevtutil.exe" or Process.Name like r"net.exe" or Process.Name like r"net1.exe" or Process.Name like r"netsh.exe") and not ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\7z.exe" or Process.Path like r"%\\winrar.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netsh.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Shadow Copies storage symbolic link creation using operating systems utilities
RuleName = Shadow Copies Access via Symlink
EventType = Process.Start
Tag = proc-start-shadow-copies-access-via-symlink
RiskScore = 50
Query = (Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%HarddiskVolumeShadowCopy%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Shadow Copies creation using operating systems utilities, possible credential access
RuleName = Shadow Copies Creation Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-creation-using-operating-systems-utilities
RiskScore = 50
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe") and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%create%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect attacker collecting audio via SoundRecorder application.
RuleName = Audio Capture via SoundRecorder
EventType = Process.Start
Tag = proc-start-audio-capture-via-soundrecorder
RiskScore = 50
Query = (Process.Path like r"%\\SoundRecorder.exe" and Process.CommandLine like r"%/FILE%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
RuleName = Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access
EventType = Process.Start
Tag = proc-start-using-sticky-keys-to-obtain-unauthenticated,-privileged-console-access
RiskScore = 50
Query = (Process.CommandLine like r"copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a AdFind for Active Directory enumeration
RuleName = Suspicious AdFind Execution
EventType = Process.Start
Tag = proc-start-suspicious-adfind-execution
RiskScore = 50
Query = ((Process.CommandLine like r"%objectcategory%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%dclist%" or Process.CommandLine like r"%computers\_pwdnotreqd%") and Process.Path like r"%\\adfind.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects, possibly, malicious unauthorized usage of bcdedit.exe
RuleName = Possible Ransomware or Unauthorized MBR Modifications
EventType = Process.Start
Tag = proc-start-possible-ransomware-or-unauthorized-mbr-modifications
RiskScore = 50
Query = (Process.Path like r"%\\bcdedit.exe" and (Process.CommandLine like r"%delete%" or Process.CommandLine like r"%deletevalue%" or Process.CommandLine like r"%import%" or Process.CommandLine like r"%safeboot%" or Process.CommandLine like r"%network%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Execute VBscript code that is referenced within the *.bgi file.
RuleName = Application Whitelisting Bypass via Bginfo
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-bginfo
RiskScore = 50
Query = (Process.Path like r"%\\bginfo.exe" and Process.CommandLine like r"%/popup%" and Process.CommandLine like r"%/nolicprompt%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects transferring files from system on a server bitstransfer Powershell cmdlets
RuleName = Suspicious Bitstransfer via PowerShell
EventType = Process.Start
Tag = proc-start-suspicious-bitstransfer-via-powershell
RiskScore = 50
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Get-BitsTransfer%" or Process.CommandLine like r"%Add-BitsFile%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Launch 64-bit shellcode from a debugger script file using cdb.exe.
RuleName = Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
EventType = Process.Start
Tag = proc-start-possible-app-whitelisting-bypass-via-windbg/cdb-as-a-shellcode-runner
RiskScore = 50
Query = (Process.Path like r"%\\cdb.exe" and Process.CommandLine like r"%-cf%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
RuleName = Certutil Encode
EventType = Process.Start
Tag = proc-start-certutil-encode
RiskScore = 50
Query = (Process.Path like r"%\\certutil.exe" and Process.CommandLine like r"%-f%" and Process.CommandLine like r"%-encode%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
RuleName = Command Line Execution with Suspicious URL and AppData Strings
EventType = Process.Start
Tag = proc-start-command-line-execution-with-suspicious-url-and-appdata-strings
RiskScore = 50
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%http%" and Process.CommandLine like r"%://%" and Process.CommandLine like r"%\%AppData\%%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command used by conti to access volume shadow backups
RuleName = Conti Volume Shadow Listing
EventType = Process.Start
Tag = proc-start-conti-volume-shadow-listing
RiskScore = 50
Query = Process.CommandLine like r"%copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a code page switch in command line or batch scripts to a rare language
RuleName = Suspicious Code Page Switch
EventType = Process.Start
Tag = proc-start-suspicious-code-page-switch
RiskScore = 50
Query = (Process.Path like r"%\\chcp.com" and (Process.CommandLine like r"% 936" or Process.CommandLine like r"% 1258"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects process memory dump via comsvcs.dll and rundll32
RuleName = Process Dump via Comsvcs DLL
EventType = Process.Start
Tag = proc-start-process-dump-via-comsvcs-dll
RiskScore = 50
Query = ((Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and (Process.CommandLine like r"%comsvcs%" and Process.CommandLine like r"%MiniDump%" and Process.CommandLine like r"%full%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the conhost execution as parent process. Can be used to evaded defense mechanism.
RuleName = Conhost Parent Process Executions
EventType = Process.Start
Tag = proc-start-conhost-parent-process-executions
RiskScore = 50
Query = Parent.Path like r"%\\conhost.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
RuleName = Suspicious Copy From or To System32
EventType = Process.Start
Tag = proc-start-suspicious-copy-from-or-to-system32
RiskScore = 50
Query = ((Process.CommandLine like r"% /c copy%" or Process.CommandLine like r"%xcopy%") and Process.CommandLine like r"%\\System32\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
RuleName = Suspicious Csi.exe Usage
EventType = Process.Start
Tag = proc-start-suspicious-csi.exe-usage
RiskScore = 50
Query = ((Process.Path like r"%\\csi.exe" or Process.Path like r"%\\rcsi.exe" or Process.Name == "csi.exe" or Process.Name == "rcsi.exe") and Process.Company == "Microsoft Corporation")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious curl process start the adds a file to a web request
RuleName = Suspicious Curl File Upload
EventType = Process.Start
Tag = proc-start-suspicious-curl-file-upload
RiskScore = 50
Query = (Process.Path like r"%\\curl.exe" and Process.CommandLine like r"% -F %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
RuleName = Curl Start Combination
EventType = Process.Start
Tag = proc-start-curl-start-combination
RiskScore = 50
Query = (Process.CommandLine like r"%curl%" and Process.CommandLine like r"% start %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
RuleName = Direct Autorun Keys Modification
EventType = Process.Start
Tag = proc-start-direct-autorun-keys-modification
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders%" or Process.CommandLine like r"%\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Execute C# code located in the consoleapp folder
RuleName = Application Whitelisting Bypass via Dnx.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dnx.exe
RiskScore = 50
Query = Process.Path like r"%\\dnx.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of of Dxcap.exe
RuleName = Application Whitelisting Bypass via Dxcap.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dxcap.exe
RiskScore = 50
Query = (Process.Path like r"%\\dxcap.exe" and Process.CommandLine like r"%-c%" and Process.CommandLine like r"%.exe%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious program execution in a web service root folder (filter out false positives)
RuleName = Execution in Webserver Root Folder
EventType = Process.Start
Tag = proc-start-execution-in-webserver-root-folder
RiskScore = 50
Query = ((Process.Path like r"%\\wwwroot\\%" or Process.Path like r"%\\wmpub\\%" or Process.Path like r"%\\htdocs\\%") and not ((Process.Path like r"%bin\\%" or Process.Path like r"%\\Tools\\%" or Process.Path like r"%\\SMSComponent\\%") and (Parent.Path like r"%\\services.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
RuleName = Explorer Root Flag Process Tree Break
EventType = Process.Start
Tag = proc-start-explorer-root-flag-process-tree-break
RiskScore = 50
Query = (Process.CommandLine like r"%explorer.exe%" and Process.CommandLine like r"% /root,%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when GfxDownloadWrapper.exe downloads file from non standard URL
RuleName = GfxDownloadWrapper.exe Downloads File from Suspicious URL
EventType = Process.Start
Tag = proc-start-gfxdownloadwrapper.exe-downloads-file-from-suspicious-url
RiskScore = 50
Query = ((Process.Path like r"%\\GfxDownloadWrapper.exe" and not (Process.CommandLine like r"%gameplayapi.intel.com%")) and not (Parent.Path like r"%\\GfxDownloadWrapper.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
RuleName = Abusing Findstr for Defense Evasion
EventType = Process.Start
Tag = proc-start-abusing-findstr-for-defense-evasion
RiskScore = 50
Query = ((Process.CommandLine like r"%findstr%") and ((Process.CommandLine like r"%/V%" and Process.CommandLine like r"%/L%") or (Process.CommandLine like r"%/S%" and Process.CommandLine like r"%/I%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
RuleName = Findstr Launching .lnk File
EventType = Process.Start
Tag = proc-start-findstr-launching-.lnk-file
RiskScore = 50
Query = (Process.Path like r"%\\findstr.exe" and Process.CommandLine like r"%.lnk")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects netsh commands that turns off the Windows firewall
RuleName = Firewall Disabled via Netsh
EventType = Process.Start
Tag = proc-start-firewall-disabled-via-netsh
RiskScore = 50
Query = (Process.CommandLine like r"netsh firewall set opmode mode=disable" or Process.CommandLine like r"netsh advfirewall set % state off")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe
RuleName = Suspicious ftp.exe
EventType = Process.Start
Tag = proc-start-suspicious-ftp.exe
RiskScore = 50
Query = ((Process.CommandLine like r"%-s:%" and (Process.Path like r"%ftp.exe" or Process.Name like r"%ftp.exe%")) or (Process.Name like r"%ftp.exe%" and not (Process.Path like r"%ftp.exe")) or Parent.Path like r"%ftp.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious IIS native-code module installations via command line
RuleName = IIS Native-Code Module Command Line Installation
EventType = Process.Start
Tag = proc-start-iis-native-code-module-command-line-installation
RiskScore = 50
Query = (Process.Path like r"%\\appcmd.exe" and Process.CommandLine like r"%install%" and Process.CommandLine like r"%module%" and Process.CommandLine like r"%/name:%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts with web addresses as parameter
RuleName = MsiExec Web Install
EventType = Process.Start
Tag = proc-start-msiexec-web-install
RiskScore = 50
Query = (Process.CommandLine like r"% msiexec%" and Process.CommandLine like r"%://%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
RuleName = Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
EventType = Process.Start
Tag = proc-start-invocation-of-active-directory-diagnostic-tool-(ntdsutil.exe)
RiskScore = 50
Query = Process.Path like r"%\\ntdsutil.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects defence evasion attempt via odbcconf.exe execution to load DLL
RuleName = Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dll-loaded-by-odbcconf.exe
RiskScore = 50
Query = ((Process.Path like r"%\\odbcconf.exe" and (Process.CommandLine like r"%-f%" or Process.CommandLine like r"%regsvr%")) or (Parent.Path like r"%\\odbcconf.exe" and Process.Path like r"%\\rundll32.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
RuleName = Code Execution via Pcwutl.dll
EventType = Process.Start
Tag = proc-start-code-execution-via-pcwutl.dll
RiskScore = 50
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%pcwutl%" and Process.CommandLine like r"%LaunchApplication%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
RuleName = Execute Code with Pester.bat
EventType = Process.Start
Tag = proc-start-execute-code-with-pester.bat
RiskScore = 50
Query = ((Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Pester%" and Process.CommandLine like r"%Get-Help%") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%pester%" and Process.CommandLine like r"%;%" and (Process.CommandLine like r"%help%" or Process.CommandLine like r"%_%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Attackers can use print.exe for remote file copy
RuleName = Abusing Print Executable
EventType = Process.Start
Tag = proc-start-abusing-print-executable
RiskScore = 50
Query = (((Process.Path like r"%\\print.exe") and (Process.CommandLine like r"print%") and (Process.CommandLine like r"%/D%") and (Process.CommandLine like r"%.exe%")) and not ((Process.CommandLine like r"%print.exe%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect ed user accept agreement execution in psexec commandline
RuleName = Psexec Accepteula Condition
EventType = Process.Start
Tag = proc-start-psexec-accepteula-condition
RiskScore = 50
Query = (Process.Path like r"%\\psexec.exe" and Process.CommandLine like r"%accepteula%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The psr.exe captures desktop screenshots and saves them on the local machine
RuleName = Psr.exe Capture Screenshots
EventType = Process.Start
Tag = proc-start-psr.exe-capture-screenshots
RiskScore = 50
Query = (Process.Path like r"%\\Psr.exe" and Process.CommandLine like r"%/start%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
RuleName = PowerShell Script Run in AppData
EventType = Process.Start
Tag = proc-start-powershell-script-run-in-appdata
RiskScore = 50
Query = (Process.CommandLine like r"%/c%" and Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%\\AppData\\%" and (Process.CommandLine like r"%Local\\%" or Process.CommandLine like r"%Roaming\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
RuleName = Rar with Password or Compression Level
EventType = Process.Start
Tag = proc-start-rar-with-password-or-compression-level
RiskScore = 50
Query = ((Process.CommandLine like r"% -hp%") and (Process.CommandLine like r"% -m%" or Process.CommandLine like r"% a %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process related to rasdial.exe
RuleName = Suspicious RASdial Activity
EventType = Process.Start
Tag = proc-start-suspicious-rasdial-activity
RiskScore = 50
Query = (Process.Path like r"%rasdial.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious command line activity on Windows systems
RuleName = Suspicious Reconnaissance Activity
EventType = Process.Start
Tag = proc-start-suspicious-reconnaissance-activity
RiskScore = 50
Query = Process.CommandLine in ["net group \"domain admins\" /dom", "net localgroup administrators", "net group \"enterprise admins\" /dom", "net accounts /dom"]
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using register-cimprovider.exe to execute arbitrary dll file.
RuleName = DLL Execution Via Register-cimprovider.exe
EventType = Process.Start
Tag = proc-start-dll-execution-via-register-cimprovider.exe
RiskScore = 50
Query = (Process.Path like r"%\\register-cimprovider.exe" and Process.CommandLine like r"%-path%" and Process.CommandLine like r"%dll%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
RuleName = Capture Credentials with Rpcping.exe
EventType = Process.Start
Tag = proc-start-capture-credentials-with-rpcping.exe
RiskScore = 50
Query = ((Process.Path like r"%\\rpcping.exe" and (Process.CommandLine like r"%-s%" or Process.CommandLine like r"%/s%")) and ((Process.CommandLine like r"%-u%" and Process.CommandLine like r"%NTLM%") or (Process.CommandLine like r"%/u%" and Process.CommandLine like r"%NTLM%") or (Process.CommandLine like r"%-t%" and Process.CommandLine like r"%ncacn\_np%") or (Process.CommandLine like r"%/t%" and Process.CommandLine like r"%ncacn\_np%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on arguments
RuleName = Suspicious Rundll32 Activity
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-activity
RiskScore = 50
Query = ((Process.CommandLine like r"%javascript:%" or Process.CommandLine like r"%.RegisterXLL%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%OpenURLA%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%FileProtocolHandler%") or (Process.CommandLine like r"%zipfldr.dll%" and Process.CommandLine like r"%RouteTheCall%") or (Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%Control\_RunDLL%") or (Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%ShellExec\_RunDLL%") or (Process.CommandLine like r"%mshtml.dll%" and Process.CommandLine like r"%PrintHTML%") or (Process.CommandLine like r"%advpack.dll%" and Process.CommandLine like r"%LaunchINFSection%") or (Process.CommandLine like r"%advpack.dll%" and Process.CommandLine like r"%RegisterOCX%") or (Process.CommandLine like r"%ieadvpack.dll%" and Process.CommandLine like r"%LaunchINFSection%") or (Process.CommandLine like r"%ieadvpack.dll%" and Process.CommandLine like r"%RegisterOCX%") or (Process.CommandLine like r"%ieframe.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%shdocvw.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%syssetup.dll%" and Process.CommandLine like r"%SetupInfObjectInstallAction'%") or (Process.CommandLine like r"%setupapi.dll%" and Process.CommandLine like r"%InstallHinfSection%") or (Process.CommandLine like r"%pcwutl.dll%" and Process.CommandLine like r"%LaunchApplication%") or (Process.CommandLine like r"%dfshim.dll%" and Process.CommandLine like r"%ShOpenVerbApplication%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
RuleName = Suspicious Rundll32 Setupapi.dll Activity
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-setupapi.dll-activity
RiskScore = 50
Query = (Process.Path like r"%\\runonce.exe" and Parent.Path like r"%\\rundll32.exe" and Parent.CommandLine like r"%setupapi.dll%" and Parent.CommandLine like r"%InstallHinfSection%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of powershell scripts via Runscripthelper.exe
RuleName = Suspicious Runscripthelper.exe
EventType = Process.Start
Tag = proc-start-suspicious-runscripthelper.exe
RiskScore = 50
Query = (Process.Path like r"%\\Runscripthelper.exe" and Process.CommandLine like r"%surfacecheck%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process run from unusual locations
RuleName = Suspicious Process Start Locations
EventType = Process.Start
Tag = proc-start-suspicious-process-start-locations
RiskScore = 50
Query = ((Process.Path like r"%:\\RECYCLER\\%" or Process.Path like r"%:\\SystemVolumeInformation\\%") or (Process.Path like r"C:\\Windows\\Tasks\\%" or Process.Path like r"C:\\Windows\\debug\\%" or Process.Path like r"C:\\Windows\\fonts\\%" or Process.Path like r"C:\\Windows\\help\\%" or Process.Path like r"C:\\Windows\\drivers\\%" or Process.Path like r"C:\\Windows\\addins\\%" or Process.Path like r"C:\\Windows\\cursors\\%" or Process.Path like r"C:\\Windows\\system32\\tasks\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may establish persistence by executing malicious content triggered by user inactivity.
# Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
RuleName = Suspicious ScreenSave Change by Reg.exe
EventType = Process.Start
Tag = proc-start-suspicious-screensave-change-by-reg.exe
RiskScore = 50
Query = (Process.Path like r"%reg.exe" and (Process.CommandLine like r"%HKEY\_CURRENT\_USER\\Control Panel\\Desktop%" or Process.CommandLine like r"%HKCU\\Control Panel\\Desktop%") and Process.CommandLine like r"%/t REG\_SZ%" and Process.CommandLine like r"%/f%" and ((Process.CommandLine like r"%/v ScreenSaveActive%" and Process.CommandLine like r"%/d 1%") or (Process.CommandLine like r"%/v ScreenSaveTimeout%" and Process.CommandLine like r"%/d %") or (Process.CommandLine like r"%/v ScreenSaverIsSecure%" and Process.CommandLine like r"%/d 0%") or (Process.CommandLine like r"%/v SCRNSAVE.EXE%" and Process.CommandLine like r"%/d %" and Process.CommandLine like r"%.scr%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
RuleName = WSF/JSE/JS/VBA/VBE File Execution
EventType = Process.Start
Tag = proc-start-wsf/jse/js/vba/vbe-file-execution
RiskScore = 50
Query = ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%.jse%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.vba%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects process dump via legitimate sqldumper.exe binary
RuleName = Dumping Process via Sqldumper.exe
EventType = Process.Start
Tag = proc-start-dumping-process-via-sqldumper.exe
RiskScore = 50
Query = (Process.Path like r"%\\sqldumper.exe" and (Process.CommandLine like r"%0x0110%" or Process.CommandLine like r"%0x01100:40%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
RuleName = Sysprep on AppData Folder
EventType = Process.Start
Tag = proc-start-sysprep-on-appdata-folder
RiskScore = 50
Query = ((Process.Path like r"%\\sysprep.exe") and (Process.CommandLine like r"%\\AppData\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Access to Domain Group Policies stored in SYSVOL
RuleName = Suspicious SYSVOL Domain Group Policy Access
EventType = Process.Start
Tag = proc-start-suspicious-sysvol-domain-group-policy-access
RiskScore = 50
Query = (Process.CommandLine like r"%\\SYSVOL\\%" and Process.CommandLine like r"%\\policies\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious child process of userinit
RuleName = Suspicious Userinit Child Process
EventType = Process.Start
Tag = proc-start-suspicious-userinit-child-process
RiskScore = 50
Query = ((Parent.Path like r"%\\userinit.exe" and not (Process.CommandLine like r"%\\netlogon\\%")) and not (Process.Path like r"%\\explorer.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
RuleName = Detection of PowerShell Execution via Sqlps.exe
EventType = Process.Start
Tag = proc-start-detection-of-powershell-execution-via-sqlps.exe
RiskScore = 50
Query = ((Process.Path like r"%\\sqlps.exe" or Parent.Path like r"%\\sqlps.exe") or (Process.Name like r"\\sqlps.exe" and not (Parent.Path like r"%\\sqlagent.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
RuleName = SQL Client Tools PowerShell Session Detection
EventType = Process.Start
Tag = proc-start-sql-client-tools-powershell-session-detection
RiskScore = 50
Query = ((Process.Path like r"%\\sqltoolsps.exe" or Parent.Path like r"%\\sqltoolsps.exe") or (Process.Name like r"\\sqltoolsps.exe" and not (Parent.Path like r"%\\smss.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
RuleName = Malicious PE Execution by Microsoft Visual Studio Debugger
EventType = Process.Start
Tag = proc-start-malicious-pe-execution-by-microsoft-visual-studio-debugger
RiskScore = 50
Query = (Parent.Path like r"%\\vsjitdebugger.exe" and not ((Process.Path like r"%\\vsimmersiveactivatehelper%.exe" or Process.Path like r"%\\devenv.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
RuleName = Suspicious VBoxDrvInst.exe Parameters
EventType = Process.Start
Tag = proc-start-suspicious-vboxdrvinst.exe-parameters
RiskScore = 50
Query = (Process.Path like r"%\\VBoxDrvInst.exe" and Process.CommandLine like r"%driver%" and Process.CommandLine like r"%executeinf%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators
RuleName = Whoami Execution
EventType = Process.Start
Tag = proc-start-whoami-execution
RiskScore = 50
Query = Process.Path like r"%\\whoami.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
RuleName = AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
EventType = Process.Start
Tag = proc-start-awl-bypass-with-winrm.vbs-and-malicious-wsmpty.xsl/wsmtxt.xsl
RiskScore = 50
Query = (Process.CommandLine like r"%winrm%" and (Process.CommandLine like r"%format:pretty%" or Process.CommandLine like r"%format:\"pretty\"%" or Process.CommandLine like r"%format:\"text\"%" or Process.CommandLine like r"%format:text%") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects an attempt to execute code or create service on remote host via winrm.vbs.
RuleName = Remote Code Execute via Winrm.vbs
EventType = Process.Start
Tag = proc-start-remote-code-execute-via-winrm.vbs
RiskScore = 50
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%winrm%" and Process.CommandLine like r"%invoke Create wmicimv2/Win32\_%" and Process.CommandLine like r"%-r:http%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects deinstallation of security products using WMIC utility
RuleName = Wmic Uninstall Security Product
EventType = Process.Start
Tag = proc-start-wmic-uninstall-security-product
RiskScore = 50
Query = (Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%product where name=%" and Process.CommandLine like r"%call uninstall%" and Process.CommandLine like r"%/nointeractive%" and (Process.CommandLine like r"%Antivirus%" or Process.CommandLine like r"%AVG %" or Process.CommandLine like r"%Crowdstrike Sensor%" or Process.CommandLine like r"%DLP Endpoint%" or Process.CommandLine like r"%Endpoint Detection%" or Process.CommandLine like r"%Endpoint Protection%" or Process.CommandLine like r"%Endpoint Security%" or Process.CommandLine like r"%Endpoint Sensor%" or Process.CommandLine like r"%ESET File Security%" or Process.CommandLine like r"%Malwarebytes%" or Process.CommandLine like r"%McAfee Agent%" or Process.CommandLine like r"%Microsoft Security Client%" or Process.CommandLine like r"%Threat Protection%" or Process.CommandLine like r"%VirusScan%" or Process.CommandLine like r"%Webroot SecureAnywhere%" or Process.CommandLine like r"%Windows Defender%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI executing suspicious commands
RuleName = Suspicious WMI Execution
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution
RiskScore = 50
Query = (Process.Path like r"%\\wmic.exe" and ((Process.CommandLine like r"%process%" and Process.CommandLine like r"%call%" and Process.CommandLine like r"%create %") or (Process.CommandLine like r"% path %" and (Process.CommandLine like r"%AntiVirus%" or Process.CommandLine like r"%Firewall%") and Process.CommandLine like r"%Product%" and Process.CommandLine like r"% get %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
RuleName = WSL Execution
EventType = Process.Start
Tag = proc-start-wsl-execution
RiskScore = 50
Query = ((Process.Path like r"%\\wsl.exe") and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% --exec %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
RuleName = Tap Installer Execution
EventType = Process.Start
Tag = proc-start-tap-installer-execution
RiskScore = 50
Query = Process.Path like r"%\\tapinstall.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
RuleName = Domain Trust Discovery
EventType = Process.Start
Tag = proc-start-domain-trust-discovery
RiskScore = 50
Query = ((Process.Path like r"%\\nltest.exe" and (Process.CommandLine like r"%domain\_trusts%" or Process.CommandLine like r"%all\_trusts%" or Process.CommandLine like r"%/trusted\_domains%" or Process.CommandLine like r"%/dclist%")) or (Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%trustedDomain%") or (Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%-filter%" and Process.CommandLine like r"%trustedDomain%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when verclsid.exe is used to run COM object via GUID
RuleName = Verclsid.exe Runs COM Object
EventType = Process.Start
Tag = proc-start-verclsid.exe-runs-com-object
RiskScore = 50
Query = (Process.Path like r"%\\verclsid.exe" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/S%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a JAVA process running with remote debugging allowing more than just localhost to connect
RuleName = Java Running with Remote Debugging
EventType = Process.Start
Tag = proc-start-java-running-with-remote-debugging
RiskScore = 50
Query = (Process.CommandLine like r"%transport=dt\_socket,address=%" and not (Process.CommandLine like r"%address=127.0.0.1%" or Process.CommandLine like r"%address=localhost%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Winword.exe loading of custmom dll via /l cmd switch
RuleName = Winword.exe Loads Suspicious DLL
EventType = Process.Start
Tag = proc-start-winword.exe-loads-suspicious-dll
RiskScore = 50
Query = (Process.Path like r"%\\winword.exe" and Process.CommandLine like r"%/l%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
RuleName = XSL Script Processing
EventType = Process.Start
Tag = proc-start-xsl-script-processing
RiskScore = 50
Query = ((Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%/format%") or Process.Path like r"%\\msxsl.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects modification of autostart extensibility point (ASEP) in registry.
RuleName = Autorun Keys Modification
EventType = Reg.Any
Tag = autorun-keys-modification
RiskScore = 50
Query = (((((((((((((Reg.Key.Target like r"%\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart%" or Reg.Key.Target like r"%\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun%" or Reg.Key.Target like r"%\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components%" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect%" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect%" or Reg.Key.Target like r"%\\SYSTEM\\Setup\\CmdLine%" or Reg.Key.Target like r"%\\Software\\Microsoft\\Ctf\\LangBarAddin%" or Reg.Key.Target like r"%\\Software\\Microsoft\\Command Processor\\Autorun%" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components%" or Reg.Key.Target like r"%\\SOFTWARE\\Classes\\Protocols\\Handler%" or Reg.Key.Target like r"%\\SOFTWARE\\Classes\\Protocols\\Filter%" or Reg.Key.Target like r"%\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)%" or Reg.Key.Target like r"%\\Environment\\UserInitMprLogonScript%" or Reg.Key.Target like r"%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe%" or Reg.Key.Target like r"%\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks%" or Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components%" or Reg.Key.Target like r"%\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32%" or Reg.Key.Target like r"%\\Control Panel\\Desktop\\Scrnsave.exe%") or (Reg.Key.Target like r"%\\System\\CurrentControlSet\\Control\\Session Manager%" and (Reg.Key.Target like r"%\\SetupExecute%" or Reg.Key.Target like r"%\\S0InitialCommand%" or Reg.Key.Target like r"%\\KnownDlls%" or Reg.Key.Target like r"%\\Execute%" or Reg.Key.Target like r"%\\BootExecute%" or Reg.Key.Target like r"%\\AppCertDlls%"))) or (Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion%" and (Reg.Key.Target like r"%\\ShellServiceObjectDelayLoad%" or Reg.Key.Target like r"%\\Run%" or Reg.Key.Target like r"%\\Policies\\System\\Shell%" or Reg.Key.Target like r"%\\Policies\\Explorer\\Run%" or Reg.Key.Target like r"%\\Group Policy\\Scripts\\Startup%" or Reg.Key.Target like r"%\\Group Policy\\Scripts\\Shutdown%" or Reg.Key.Target like r"%\\Group Policy\\Scripts\\Logon%" or Reg.Key.Target like r"%\\Group Policy\\Scripts\\Logoff%" or Reg.Key.Target like r"%\\Explorer\\ShellServiceObjects%" or Reg.Key.Target like r"%\\Explorer\\ShellIconOverlayIdentifiers%" or Reg.Key.Target like r"%\\Explorer\\ShellExecuteHooks%" or Reg.Key.Target like r"%\\Explorer\\SharedTaskScheduler%" or Reg.Key.Target like r"%\\Explorer\\Browser Helper Objects%" or Reg.Key.Target like r"%\\Authentication\\PLAP Providers%" or Reg.Key.Target like r"%\\Authentication\\Credential Providers%" or Reg.Key.Target like r"%\\Authentication\\Credential Provider Filters%"))) or (Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion%" and (Reg.Key.Target like r"%\\Winlogon\\VmApplet%" or Reg.Key.Target like r"%\\Winlogon\\Userinit%" or Reg.Key.Target like r"%\\Winlogon\\Taskman%" or Reg.Key.Target like r"%\\Winlogon\\Shell%" or Reg.Key.Target like r"%\\Winlogon\\GpExtensions%" or Reg.Key.Target like r"%\\Winlogon\\AppSetup%" or Reg.Key.Target like r"%\\Winlogon\\AlternateShells\\AvailableShells%" or Reg.Key.Target like r"%\\Windows\\IconServiceLib%" or Reg.Key.Target like r"%\\Windows\\Appinit\_Dlls%" or Reg.Key.Target like r"%\\Image File Execution Options%" or Reg.Key.Target like r"%\\Font Drivers%" or Reg.Key.Target like r"%\\Drivers32%" or Reg.Key.Target like r"%\\Windows\\Run%" or Reg.Key.Target like r"%\\Windows\\Load%"))) or (Reg.Key.Target like r"%\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion%" and (Reg.Key.Target like r"%\\ShellServiceObjectDelayLoad%" or Reg.Key.Target like r"%\\Run%" or Reg.Key.Target like r"%\\Explorer\\ShellServiceObjects%" or Reg.Key.Target like r"%\\Explorer\\ShellIconOverlayIdentifiers%" or Reg.Key.Target like r"%\\Explorer\\ShellExecuteHooks%" or Reg.Key.Target like r"%\\Explorer\\SharedTaskScheduler%" or Reg.Key.Target like r"%\\Explorer\\Browser Helper Objects%"))) or (Reg.Key.Target like r"%\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion%" and (Reg.Key.Target like r"%\\Windows\\Appinit\_Dlls%" or Reg.Key.Target like r"%\\Image File Execution Options%" or Reg.Key.Target like r"%\\Drivers32%"))) or ((Reg.Key.Target like r"%\\Software\\Wow6432Node\\Microsoft\\Office%" or Reg.Key.Target like r"%\\Software\\Microsoft\\Office%") and (Reg.Key.Target like r"%\\Word\\Addins%" or Reg.Key.Target like r"%\\PowerPoint\\Addins%" or Reg.Key.Target like r"%\\Outlook\\Addins%" or Reg.Key.Target like r"%\\Onenote\\Addins%" or Reg.Key.Target like r"%\\Excel\\Addins%" or Reg.Key.Target like r"%\\Access\\Addins%" or Reg.Key.Target like r"%test\\Special\\Perf%"))) or ((Reg.Key.Target like r"%\\Software\\Wow6432Node\\Microsoft\\Internet Explorer%" or Reg.Key.Target like r"%\\Software\\Microsoft\\Internet Explorer%") and (Reg.Key.Target like r"%\\Toolbar%" or Reg.Key.Target like r"%\\Extensions%" or Reg.Key.Target like r"%\\Explorer Bars%"))) or (Reg.Key.Target like r"%\\Software\\Wow6432Node\\Classes%" and (Reg.Key.Target like r"%\\Folder\\ShellEx\\ExtShellFolderViews%" or Reg.Key.Target like r"%\\Folder\\ShellEx\\DragDropHandlers%" or Reg.Key.Target like r"%\\Folder\\ShellEx\\ColumnHandlers%" or Reg.Key.Target like r"%\\Directory\\Shellex\\DragDropHandlers%" or Reg.Key.Target like r"%\\Directory\\Shellex\\CopyHookHandlers%" or Reg.Key.Target like r"%\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance%" or Reg.Key.Target like r"%\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance%" or Reg.Key.Target like r"%\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance%" or Reg.Key.Target like r"%\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance%" or Reg.Key.Target like r"%\\AllFileSystemObjects\\ShellEx\\DragDropHandlers%" or Reg.Key.Target like r"%\\ShellEx\\PropertySheetHandlers%" or Reg.Key.Target like r"%\\ShellEx\\ContextMenuHandlers%"))) or (Reg.Key.Target like r"%\\Software\\Classes%" and (Reg.Key.Target like r"%\\Folder\\ShellEx\\ExtShellFolderViews%" or Reg.Key.Target like r"%\\Folder\\ShellEx\\DragDropHandlers%" or Reg.Key.Target like r"%\\Folder\\Shellex\\ColumnHandlers%" or Reg.Key.Target like r"%\\Filter%" or Reg.Key.Target like r"%\\Exefile\\Shell\\Open\\Command\\(Default)%" or Reg.Key.Target like r"%\\Directory\\Shellex\\DragDropHandlers%" or Reg.Key.Target like r"%\\Directory\\Shellex\\CopyHookHandlers%" or Reg.Key.Target like r"%\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance%" or Reg.Key.Target like r"%\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance%" or Reg.Key.Target like r"%\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance%" or Reg.Key.Target like r"%\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance%" or Reg.Key.Target like r"%\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers%" or Reg.Key.Target like r"%\\.exe%" or Reg.Key.Target like r"%\\.cmd%" or Reg.Key.Target like r"%\\ShellEx\\PropertySheetHandlers%" or Reg.Key.Target like r"%\\ShellEx\\ContextMenuHandlers%"))) or (Reg.Key.Target like r"%\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts%" and (Reg.Key.Target like r"%\\Startup%" or Reg.Key.Target like r"%\\Shutdown%" or Reg.Key.Target like r"%\\Logon%" or Reg.Key.Target like r"%\\Logoff%"))) or (Reg.Key.Target like r"%\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters%" and (Reg.Key.Target like r"%\\Protocol\_Catalog9\\Catalog\_Entries%" or Reg.Key.Target like r"%\\NameSpace\_Catalog5\\Catalog\_Entries%"))) or (Reg.Key.Target like r"%\\SYSTEM\\CurrentControlSet\\Control%" and (Reg.Key.Target like r"%\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram%" or Reg.Key.Target like r"%\\Terminal Server\\Wds\\rdpwd\\StartupPrograms%" or Reg.Key.Target like r"%\\SecurityProviders\\SecurityProviders%" or Reg.Key.Target like r"%\\SafeBoot\\AlternateShell%" or Reg.Key.Target like r"%\\Print\\Providers%" or Reg.Key.Target like r"%\\Print\\Monitors%" or Reg.Key.Target like r"%\\NetworkProvider\\Order%" or Reg.Key.Target like r"%\\Lsa\\Notification Packages%" or Reg.Key.Target like r"%\\Lsa\\Authentication Packages%" or Reg.Key.Target like r"%\\BootVerificationProgram\\ImagePath%")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects value modification of registry key containing path to binary used as screensaver.
RuleName = Path To Screensaver Binary Modified
EventType = Reg.Any
Tag = path-to-screensaver-binary-modified
RiskScore = 50
Query = (Reg.Key.Target like r"%\\Control Panel\\Desktop\\SCRNSAVE.EXE" and not ((Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\explorer.exe")))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
RuleName = New DLL Added to AppCertDlls Registry Key
EventType = Reg.Any
Tag = new-dll-added-to-appcertdlls-registry-key
RiskScore = 50
Query = (Reg.Key.Target like r"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" or Reg.Key.Path.New like r"HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
RuleName = New DLL Added to AppInit_DLLs Registry Key
EventType = Reg.Any
Tag = new-dll-added-to-appinit_dlls-registry-key
RiskScore = 50
Query = ((Reg.Key.Target like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit\_Dlls" or Reg.Key.Target like r"%\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit\_Dlls") or (Reg.Key.Path.New like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit\_Dlls" or Reg.Key.Path.New like r"%\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit\_Dlls"))
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
RuleName = Office Application Startup - Office Test
EventType = Reg.Any
Tag = office-application-startup-office-test
RiskScore = 50
Query = (Reg.Key.Target like r"HKCU\\Software\\Microsoft\\Office test\\Special\\Perf" or Reg.Key.Target like r"HKLM\\Software\\Microsoft\\Office test\\Special\\Perf")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Alerts on trust record modification within the registry, indicating usage of macros
RuleName = Windows Registry Trust Record Modification
EventType = Reg.Any
Tag = windows-registry-trust-record-modification
RiskScore = 50
Query = Reg.Key.Target like r"%TrustRecords%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
RuleName = Run Once Task Configuration in Registry
EventType = Reg.Any
Tag = run-once-task-configuration-in-registry
RiskScore = 50
Query = (Reg.Key.Target like r"HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components%" and Reg.Key.Target like r"%\\StubPath")
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
RuleName = Sysinternals SDelete Registry Keys
EventType = Reg.Any
Tag = sysinternals-sdelete-registry-keys
RiskScore = 50
Query = Reg.Key.Target like r"%\\Software\\Sysinternals\\SDelete%"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

[ActivityMonitoringRule]
# Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
RuleName = PortProxy Registry Key
EventType = Reg.Any
Tag = portproxy-registry-key
RiskScore = 50
Query = Reg.Key.Target like r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp"
Hive = HKLM,HKU
GenericProperty1 = Reg.Key.Path
GenericProperty2 = Reg.Key.Path.New
GenericProperty3 = Reg.Key.Path.Old
GenericProperty4 = Reg.Key.Name
GenericProperty5 = Reg.Parent.Key.Path
GenericProperty6 = Reg.Value.Name
GenericProperty7 = Reg.File.Name
GenericProperty8 = Reg.Key.Sddl
GenericProperty9 = Reg.Key.Hive
GenericProperty10 = Reg.Key.Target

Comments

Your email address will not be published. Required fields are marked *