
uberAgent-ESA-am-sigma-proc-creation-high.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-high.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA. Despite the file name it is not limited to process-creation rules: it also contains DNS query (EventType = Dns.Query) and image load (EventType = Image.Load) rules. All rules in this file correspond to Sigma level "high" and carry RiskScore = 75.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# (the project has since moved to https://github.com/SigmaHQ/sigma; the old URL redirects there).
# Follow these steps to regenerate the rules from the repository with Python:
#    1. Clone the repository locally
#    2. Using a command line, change the working directory to the just-cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
# Note that -I (--ignore-backend-errors) makes sigmac skip rules the uberAgent backend cannot convert
# instead of aborting, so a regenerated file may silently lack rules that were present before;
# compare rule counts against the previous file before deploying it.
# sigmac is the legacy converter; newer Sigma releases ship sigma-cli/pySigma instead, which requires a
# matching uberAgent backend. Regeneration overwrites any hand-made edits in this file.
#
# The rules in this file are marked with sigma-level: high (mapped to RiskScore = 75)
#

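[ActivityMonitoringRule]
# Detects wannacry killswitch domain dns queries
# Membership test on the queried name, so only lookups of these literal FQDNs fire.
# A lookup alone does not prove an infection: security scanners, sandboxes and researchers also resolve
# these names, so correlate with the querying process before escalating.
# Hand-tuned: the sigmac output carried a trailing empty string ("") in the list, which is not a
# killswitch domain and was removed. Re-apply this change after regenerating the file with sigmac.
RuleName = Wannacry Killswitch Domain
EventType = Dns.Query
Tag = wannacry-killswitch-domain
RiskScore = 75
Query = Dns.QueryRequest in ["ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing", "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test", "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com", "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com", "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse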

[ActivityMonitoringRule]
# Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
# Scope: only a process whose path ends in \powershell.exe and whose command line contains the
# Add-PSSnapin string. The same snap-in loaded through pwsh.exe, or from inside a script file rather
# than on the command line, is not seen by this rule.
# Expect benign hits from Exchange administrators' scripts on Exchange servers; baseline by user and
# parent process rather than disabling the rule.
RuleName = Exchange PowerShell Snap-Ins Used by HAFNIUM
EventType = Process.Start
Tag = proc-start-exchange-powershell-snap-ins-used-by-hafnium
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%add-pssnapin microsoft.exchange.powershell.snapin%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
# All three checks are suffix/substring matches; the svchost.exe parent is matched by file name only,
# not by its directory.
# NOTE(review): local COM activation of MMC20.Application can produce the same svchost.exe -> mmc.exe
# -Embedding chain; use the logon type / source host of the DCOM call to separate lateral movement
# from local use.
RuleName = MMC20 Lateral Movement
EventType = Process.Start
Tag = proc-start-mmc20-lateral-movement
RiskScore = 75
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mmc.exe" and Process.CommandLine like r"%-Embedding%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
# Matches any mshta.exe command line containing "vbscript" or one of the listed file extensions.
# The extensions are matched anywhere in the command line (inside URLs and directory names as well),
# so review the full command line of each hit before escalating.
RuleName = MSHTA Suspicious Execution 01
EventType = Process.Start
Tag = proc-start-mshta-suspicious-execution-01
RiskScore = 75
Query = (Process.Path like r"%\\mshta.exe" and (Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.lnk%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.zip%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
# There is no Process.Path check: any process whose command line contains both " /vss " and " /y "
# matches, not only esentutl.exe (which also catches a renamed copy).
# Both patterns require a space on each side of the flag, so a command line that ends in "/y" with
# no trailing space appears not to match - confirm against live data before relying on it.
RuleName = Suspicious Esentutl Use
EventType = Process.Start
Tag = proc-start-suspicious-esentutl-use
RiskScore = 75
Query = (Process.CommandLine like r"% /vss %" and Process.CommandLine like r"% /y %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

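[ActivityMonitoringRule]
# Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
# Hand-tuned: the sigmac output matched most of these strings without wildcards, i.e. only when the
# whole command line equalled the string. Real command lines carry the executable path, quoting and a
# destination argument (e.g. "C:\Windows\system32\vssadmin.exe" create shadow /for=C:, or a copy/esentutl
# target after SAM/SYSTEM/ntds.dit), so those entries never fired. Every pattern is now wrapped in %
# so it matches as a substring. Re-apply this change after regenerating the file with sigmac.
# "_" is the single-character wildcard (it stands for the "?" in \\?\GLOBALROOT); "\_" elsewhere in
# this file is a literal underscore. "/for=C:" only covers shadows of the C: volume.
# NOTE(review): whether "like" is case-insensitive is not visible here; if it is case-sensitive the
# "Delete Shadows" entry only matches that exact casing - confirm.
# Expect benign hits from backup software that creates or deletes shadow copies; the copy/reg/esentutl
# entries against SAM, SYSTEM and ntds.dit are the high-confidence ones.
RuleName = Activity Related to NTDS.dit Domain Hash Retrieval
EventType = Process.Start
Tag = proc-start-activity-related-to-ntds.dit-domain-hash-retrieval
RiskScore = 75
Query = (Process.CommandLine like r"%vssadmin.exe Delete Shadows%" or Process.CommandLine like r"%vssadmin create shadow /for=C:%" or Process.CommandLine like r"%copy \\_\\GLOBALROOT\\Device\\%\\windows\\ntds\\ntds.dit%" or Process.CommandLine like r"%copy \\_\\GLOBALROOT\\Device\\%\\config\\SAM%" or Process.CommandLine like r"%vssadmin delete shadows /for=C:%" or Process.CommandLine like r"%reg SAVE HKLM\\SYSTEM %" or Process.CommandLine like r"%esentutl.exe /y /vss %\\ntds.dit%" or Process.CommandLine like r"%esentutl.exe /y /vss %\\SAM%" or Process.CommandLine like r"%esentutl.exe /y /vss %\\SYSTEM%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP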

[ActivityMonitoringRule]
# Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
# Fires when any process other than the four allow-listed ones loads MicrosoftAccountTokenProvider.dll.
# The exclusions are file-name suffix matches with no path separator, so any binary whose name ends in
# e.g. "devenv.exe" is excluded regardless of location; a tool renamed to one of these names bypasses the rule.
# NOTE(review): the allow-list names the legacy MicrosoftEdge.exe only; Chromium-based Edge (msedge.exe)
# and other browsers with Windows-account integration may load this DLL legitimately - verify and tune.
RuleName = Abusing Azure Browser SSO
EventType = Image.Load
Tag = abusing-azure-browser-sso
RiskScore = 75
Query = (Image.Path like r"%MicrosoftAccountTokenProvider.dll" and not ((Process.Path like r"%BackgroundTaskHost.exe" or Process.Path like r"%devenv.exe" or Process.Path like r"%iexplore.exe" or Process.Path like r"%MicrosoftEdge.exe")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
# "\_" is an escaped literal underscore (powershell_ise.exe); a bare "_" would be a single-character wildcard.
# The allow-list is matched by file-name suffix, so a loader renamed to e.g. mscorsvw.exe is excluded as well.
# NOTE(review): pwsh.exe (PowerShell 7) is not on the allow-list; where it is deployed, its loads of
# System.Management.Automation.dll will fire. Other legitimate hosts (IDEs, management agents, Exchange
# and SQL tooling) also load this assembly, so expect tuning work before alerting on this rule.
RuleName = In-memory PowerShell
EventType = Image.Load
Tag = in-memory-powershell
RiskScore = 75
Query = ((Image.Path like r"%\\System.Management.Automation.Dll" or Image.Path like r"%\\System.Management.Automation.ni.Dll") and not ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\WINDOWS\\System32\\sdiagnhost.exe" or Process.Path like r"%\\mscorsvw.exe" or Process.Path like r"%\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe" or Process.Path like r"%\\sqlps.exe" or Process.Path like r"%\\wsmprovhost.exe" or Process.Path like r"%\\winrshost.exe" or Process.Path like r"%\\syncappvpublishingserver.exe" or Process.Path like r"%\\runscripthelper.exe" or Process.Path like r"%\\ServerManager.exe")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects processes loading modules related to PCRE.NET package
# Matches any image loaded from the fixed folder name below under any user's %LocalAppData%\Temp.
# The folder name is the extraction directory the upstream Sigma rule associates with the PCRE.NET
# package; if a newer package version uses a different name this rule goes blind.
RuleName = PCRE.NET Package Image Load
EventType = Image.Load
Tag = pcre.net-package-image-load
RiskScore = 75
Query = Image.Path like r"%\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\%"
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
# scrcons.exe is the host for WMI ActiveScriptEventConsumer instances; it loading vbscript.dll,
# wbemdisp.dll, wshom.ocx or scrrun.dll means a WMI event consumer is executing script, which is a
# common persistence technique. Some management products use script consumers legitimately - baseline first.
RuleName = WMI Script Host Process Image Loaded
EventType = Image.Load
Tag = wmi-script-host-process-image-loaded
RiskScore = 75
Query = (Process.Path like r"%\\scrcons.exe" and (Image.Path like r"%\\vbscript.dll" or Image.Path like r"%\\wbemdisp.dll" or Image.Path like r"%\\wshom.ocx" or Image.Path like r"%\\scrrun.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
# Any ualapi.dll loaded by fxssvc.exe fires, except loads from C:\Windows\WinSxS.
# Both name checks are suffix matches without a path separator, and the exclusion hard-codes drive C:
# (on a system with Windows on another drive, legitimate WinSxS loads would not be excluded).
RuleName = Fax Service DLL Search Order Hijack
EventType = Image.Load
Tag = fax-service-dll-search-order-hijack
RiskScore = 75
Query = (((Process.Path like r"%fxssvc.exe") and (Image.Path like r"%ualapi.dll")) and not ((Image.Path like r"C:\\Windows\\WinSxS\\%")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
# Only notepad.exe is checked as the hollowed host; the same DLLs loaded into any other unexpected
# process are not covered by this rule, so treat it as a narrow, high-confidence indicator.
RuleName = Possible Process Hollowing Image Loading
EventType = Image.Load
Tag = possible-process-hollowing-image-loading
RiskScore = 75
Query = ((Process.Path like r"%\\notepad.exe") and (Image.Path like r"%\\samlib.dll" or Image.Path like r"%\\WinSCard.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects any assembly DLL being loaded by an Office Product
# C:\Windows\assembly\ is the legacy (.NET 2.0/3.5) GAC location; the drive letter is hard-coded.
# NOTE(review): .NET-based Office add-ins (VSTO etc.) load assemblies from the GAC legitimately, so
# expect noise on workstations with such add-ins; use this as context for other Office rules rather than
# as a stand-alone alert.
RuleName = dotNET DLL Loaded Via Office Applications
EventType = Image.Load
Tag = dotnet-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"C:\\Windows\\assembly\\%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects CLR DLL being loaded by an Office Product
# The trailing % makes this a contains-match on "\clr.dll", so e.g. \clr.dll.mui matches as well.
# Any managed add-in makes Office load the CLR, so treat hits as context for the other Office
# image-load rules rather than as an alert on their own.
RuleName = CLR DLL Loaded Via Office Applications
EventType = Image.Load
Tag = clr-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\clr.dll%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects any GAC DLL being loaded by an Office Product
# "\_" is an escaped literal underscore (GAC_MSIL); the drive letter C: is hard-coded.
# Like the other Office/.NET rules, this fires for legitimate managed add-ins too; correlate with
# the document/attachment that was opened before escalating.
RuleName = GAC DLL Loaded Via Office Applications
EventType = Image.Load
Tag = gac-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"C:\\Windows\\Microsoft.NET\\assembly\\GAC\_MSIL%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects DSParse DLL being loaded by an Office Product
# dsparse.dll is the AD data-parsing library; an Office application has no normal reason to load it,
# which makes this a low-noise indicator of macro-driven AD reconnaissance.
# The trailing % makes this a contains-match on "\dsparse.dll".
RuleName = Active Directory Parsing DLL Loaded Via Office Applications
EventType = Image.Load
Tag = active-directory-parsing-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\dsparse.dll%"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects Kerberos DLL being loaded by an Office Product
# Suffix match on "\kerberos.dll" for Word, PowerPoint, Excel and Outlook.
# NOTE(review): Outlook authenticating to Exchange on a domain-joined machine may load the Kerberos
# SSP legitimately - baseline Outlook separately before alerting on it.
RuleName = Active Directory Kerberos DLL Loaded Via Office Applications
EventType = Image.Load
Tag = active-directory-kerberos-dll-loaded-via-office-applications
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\kerberos.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects CLR DLL being loaded by an scripting applications
# wscript.exe, cscript.exe or mshta.exe loading clr.dll, mscoree.dll or mscorlib.dll indicates script
# that bootstraps .NET in-process (e.g. via COM-exposed .NET objects), a common stager technique.
# Matches are file-name suffixes only, so the host's directory is not verified.
RuleName = CLR DLL Loaded Via Scripting Applications
EventType = Image.Load
Tag = clr-dll-loaded-via-scripting-applications
RiskScore = 75
Query = ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe") and (Image.Path like r"%\\clr.dll" or Image.Path like r"%\\mscoree.dll" or Image.Path like r"%\\mscorlib.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects the VBA runtime DLLs (VBE7.DLL, VBEUI.DLL, VBE7INTL.DLL) being loaded by Word, PowerPoint,
# Excel or Outlook - despite the rule name, all four applications are covered.
# NOTE(review): the VBA runtime loads whenever VBA is initialised, including for trusted macro-enabled
# documents and add-ins, so on its own this is a hunting signal; correlate with the document source.
RuleName = VBA DLL Loaded Via Microsoft Word
EventType = Image.Load
Tag = vba-dll-loaded-via-microsoft-word
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\VBE7.DLL" or Image.Path like r"%\\VBEUI.DLL" or Image.Path like r"%\\VBE7INTL.DLL"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI client DLLs being loaded by Word, PowerPoint, Excel or Outlook, as happens when a VBA
# macro issues WMI commands - despite the rule name, all four applications are covered.
# Suffix matches on the DLL names; the process directory is not verified.
RuleName = Windows Management Instrumentation DLL Loaded Via Microsoft Word
EventType = Image.Load
Tag = windows-management-instrumentation-dll-loaded-via-microsoft-word
RiskScore = 75
Query = ((Process.Path like r"%\\winword.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\outlook.exe") and (Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\wbemdisp.dll" or Image.Path like r"%\\wbemsvc.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
# Any svchost.exe loading tsmsisrv.dll, tsvipsrv.dll or wlbsctrl.dll fires, except loads from
# C:\Windows\WinSxS. The exclusion hard-codes drive C:, and the svchost.exe check is a file-name suffix only.
# A hit is high-confidence: the loaded file is the planted DLL, so pivot on its hash (GenericProperty3-6).
RuleName = Svchost DLL Search Order Hijack
EventType = Image.Load
Tag = svchost-dll-search-order-hijack
RiskScore = 75
Query = (((Process.Path like r"%\\svchost.exe") and (Image.Path like r"%\\tsmsisrv.dll" or Image.Path like r"%\\tsvipsrv.dll" or Image.Path like r"%\\wlbsctrl.dll")) and not ((Image.Path like r"C:\\Windows\\WinSxS\\%")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
# Image-load half of the TTD detection: fires for any process that loads one of the TTD DLLs, with no
# process constraint. The process-start half (parent tttracer.exe) is a separate rule with its own tag.
# NOTE(review): developers using the TTD feature of WinDbg will trigger this legitimately - baseline
# developer machines.
RuleName = Time Travel Debugging Utility Usage
EventType = Image.Load
Tag = time-travel-debugging-utility-usage
RiskScore = 75
Query = (Image.Path like r"%\\ttdrecord.dll" or Image.Path like r"%\\ttdwriter.dll" or Image.Path like r"%\\ttdloader.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
# Process-start half of the TTD detection: any process whose parent path ends in \tttracer.exe.
# The parent is matched by file name only; a renamed tttracer.exe is not seen here but is still caught
# by the image-load rule on the TTD DLLs.
RuleName = Time Travel Debugging Utility Usage
EventType = Process.Start
Tag = proc-start-time-travel-debugging-utility-usage
RiskScore = 75
Query = (Parent.Path like r"%\\tttracer.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

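[ActivityMonitoringRule]
# Attempts to load dismcore.dll after dropping it
# Hand-tuned: the generated rule had no exclusion, so every legitimate dism.exe run - which loads the
# genuine dismcore.dll from C:\Windows\System32\Dism (or SysWOW64\Dism) - fired. Those two full paths are
# now excluded; a dismcore.dll loaded from any other location, which is where a dropped fake DLL would
# sit, still fires. Full paths with the drive letter are used on purpose so a planted
# ...\Windows\System32\Dism\dismcore.dll on another volume is not excluded.
# Re-apply this change after regenerating the file with sigmac.
# The dism.exe and dismcore.dll checks are file-name suffix matches; pivot on the image hash of a hit.
RuleName = UAC Bypass With Fake DLL
EventType = Image.Load
Tag = uac-bypass-with-fake-dll
RiskScore = 75
Query = (((Process.Path like r"%\\dism.exe") and (Image.Path like r"%\\dismcore.dll")) and not ((Image.Path like r"C:\\Windows\\System32\\Dism\\dismcore.dll" or Image.Path like r"C:\\Windows\\SysWOW64\\Dism\\dismcore.dll")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP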

[ActivityMonitoringRule]
# Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
# wmic.exe has no need for jscript.dll or vbscript.dll in normal use; the load only happens when an XSL
# stylesheet with embedded script is processed, so a hit is high-confidence.
# wmic.exe is matched by file-name suffix; a renamed copy is not seen.
RuleName = WMIC Loading Scripting Libraries
EventType = Image.Load
Tag = wmic-loading-scripting-libraries
RiskScore = 75
Query = (Process.Path like r"%\\wmic.exe" and (Image.Path like r"%\\jscript.dll" or Image.Path like r"%\\vbscript.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects non wmiprvse loading WMI modules
# Fires for any process outside the allow-list that loads one of the WMI client/provider DLLs.
# "\_" is an escaped literal underscore (WMINet_Utils.dll). Most allow-list entries are file-name
# suffixes, so a renamed tool matching one of those names is excluded too.
# NOTE(review): legitimate WMI clients such as powershell.exe (Get-WmiObject/Get-CimInstance),
# monitoring agents and installers are not allow-listed, so expect this to be noisy; it is a hunting
# rule rather than an alerting one until tuned for the environment.
RuleName = WMI Modules Loaded
EventType = Image.Load
Tag = wmi-modules-loaded
RiskScore = 75
Query = ((Image.Path like r"%\\wmiclnt.dll" or Image.Path like r"%\\WmiApRpl.dll" or Image.Path like r"%\\wmiprov.dll" or Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\WMINet\_Utils.dll" or Image.Path like r"%\\wbemsvc.dll" or Image.Path like r"%\\fastprox.dll") and not ((Process.Path like r"%\\WmiPrvSe.exe" or Process.Path like r"%\\WmiAPsrv.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\DeviceCensus.exe" or Process.Path like r"%\\CompatTelRunner.exe" or Process.Path like r"%\\sdiagnhost.exe" or Process.Path like r"%\\SIHClient.exe" or Process.Path like r"%\\ngentask.exe" or Process.Path like r"%\\windows\\system32\\taskhostw.exe" or Process.Path like r"%\\windows\\system32\\MoUsoCoreWorker.exe")))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI command line event consumers
# WmiPrvSE.exe loads wbemcons.dll when a CommandLineEventConsumer fires, i.e. when a WMI subscription
# runs a command - a classic persistence mechanism.
# The process path is an exact path with drive C: hard-coded; WmiPrvSE.exe from SysWOW64 or from a
# Windows installation on another drive is not covered.
RuleName = WMI Persistence - Command Line Event Consumer
EventType = Image.Load
Tag = wmi-persistence-command-line-event-consumer
RiskScore = 75
Query = (Process.Path like r"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Image.Path like r"%\\wbemcons.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Attempts to detect system changes made by Blue Mockingbird
# Part 1 of 2: cmd.exe running "sc config" with wercplsupporte.dll on the command line (service
# reconfiguration pointing at the actor's DLL).
# NOTE(review): the next rule carries the same RuleName and Tag; confirm uberAgent tolerates duplicate
# tags (hits of both rules will be indistinguishable by tag), or merge the two queries with "or".
RuleName = Blue Mockingbird
EventType = Process.Start
Tag = proc-start-blue-mockingbird
RiskScore = 75
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%sc config%" and Process.CommandLine like r"%wercplsupporte.dll%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Attempts to detect system changes made by Blue Mockingbird
# Part 2 of 2: wmic.exe with a command line ending in COR_PROFILER ("\_" is an escaped literal
# underscore), i.e. setting the CLR profiler environment variable used for persistence.
# NOTE(review): the previous rule carries the same RuleName and Tag; confirm uberAgent tolerates
# duplicate tags, or merge the two queries with "or".
RuleName = Blue Mockingbird
EventType = Process.Start
Tag = proc-start-blue-mockingbird
RiskScore = 75
Query = (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%COR\_PROFILER")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the PowerShell command lines with reversed strings
# Each pattern is a common PowerShell keyword written backwards (e.g. "dnammoc" = command,
# "daolnwod" = download, "46esab" = base64), as used by obfuscators that reverse the payload string.
# Substring matches on short tokens such as "rahc", "ptth" or "tneilc" can occur by chance inside
# long encoded or random arguments, so verify the hit contains an actual reversed script fragment.
RuleName = Suspicious PowerShell Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-powershell-cmdline
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%hctac%" or Process.CommandLine like r"%kearb%" or Process.CommandLine like r"%dnammoc%" or Process.CommandLine like r"%ekovn%" or Process.CommandLine like r"%eliFd%" or Process.CommandLine like r"%rahc%" or Process.CommandLine like r"%etirw%" or Process.CommandLine like r"%golon%" or Process.CommandLine like r"%tninon%" or Process.CommandLine like r"%eddih%" or Process.CommandLine like r"%tpircS%" or Process.CommandLine like r"%ssecorp%" or Process.CommandLine like r"%llehsrewop%" or Process.CommandLine like r"%esnopser%" or Process.CommandLine like r"%daolnwod%" or Process.CommandLine like r"%tneilCbeW%" or Process.CommandLine like r"%tneilc%" or Process.CommandLine like r"%ptth%" or Process.CommandLine like r"%elifotevas%" or Process.CommandLine like r"%46esab%" or Process.CommandLine like r"%htaPpmeTteG%" or Process.CommandLine like r"%tcejbO%" or Process.CommandLine like r"%maerts%" or Process.CommandLine like r"%hcaerof%" or Process.CommandLine like r"%ekovni%" or Process.CommandLine like r"%retupmoc%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detection of unusual child processes by different system processes
# powershell.exe or cmd.exe started as NT AUTHORITY\SYSTEM by one of the listed core system processes.
# NOTE(review): the user check is a literal English account name; on localized Windows the SYSTEM
# account is rendered differently (e.g. "NT-AUTORITÄT\SYSTEM"), so the rule may never fire there - confirm
# how uberAgent reports Process.User.
# The exclusion is substring-based: any such command line containing both " route " and " ADD " is
# dropped, so an attacker can evade it by padding their command line with those tokens.
RuleName = Abused Debug Privilege by Arbitrary Parent Processes
EventType = Process.Start
Tag = proc-start-abused-debug-privilege-by-arbitrary-parent-processes
RiskScore = 75
Query = (((Parent.Path like r"%\\winlogon.exe" or Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\lsass.exe" or Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\smss.exe" or Parent.Path like r"%\\wininit.exe" or Parent.Path like r"%\\spoolsv.exe" or Parent.Path like r"%\\searchindexer.exe") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\cmd.exe") and Process.User like r"NT AUTHORITY\\SYSTEM") and not (Process.CommandLine like r"% route %" and Process.CommandLine like r"% ADD %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects various indicators of Microsoft Connection Manager Profile Installer execution
# Any process whose parent path ends in \cmstp.exe. cmstp.exe normally spawns nothing, so a child
# process indicates an INF file with RunPreSetupCommands or similar was installed (LOLBAS / UAC bypass).
# The parent is matched by file name only; a renamed cmstp.exe is not seen.
RuleName = CMSTP Execution Process Creation
EventType = Process.Start
Tag = proc-start-cmstp-execution-process-creation
RiskScore = 75
Query = Parent.Path like r"%\\cmstp.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects creation or execution of UserInitMprLogonScript persistence method
# Two branches: (1) any child of userinit.exe other than explorer.exe, unless its command line mentions
# netlogon.bat or UsrLogon.cmd; (2) any command line containing "UserInitMprLogonScript" (e.g. a reg
# command setting the value).
# NOTE(review): branch (1) also fires for legitimate GPO/user logon scripts with other names; tune the
# exclusion list to the environment's script names instead of disabling the rule.
RuleName = Logon Scripts (UserInitMprLogonScript)
EventType = Process.Start
Tag = proc-start-logon-scripts-(userinitmprlogonscript)
RiskScore = 75
Query = (((Parent.Path like r"%\\userinit.exe" and not (Process.Path like r"%\\explorer.exe")) and not ((Process.CommandLine like r"%netlogon.bat%" or Process.CommandLine like r"%UsrLogon.cmd%"))) or Process.CommandLine like r"%UserInitMprLogonScript%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
# Matches on AdFind's characteristic switches in any process' command line; no Process.Path check, so a
# renamed AdFind binary is still caught.
# "\_" is an escaped literal underscore; "\"" is an escaped double quote.
# "%objectcategory=%" and "%adinfo%" are generic LDAP/AD strings also produced by dsquery, ldifde and
# PowerShell AD queries, so expect benign hits from administrators on those two patterns.
RuleName = AdFind Usage Detection
EventType = Process.Start
Tag = proc-start-adfind-usage-detection
RiskScore = 75
Query = (Process.CommandLine like r"%domainlist%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%adinfo%" or Process.CommandLine like r"% dclist %" or Process.CommandLine like r"%computer\_pwdnotreqd%" or Process.CommandLine like r"%objectcategory=%" or Process.CommandLine like r"%-subnets -f%" or Process.CommandLine like r"%name=\"Domain Admins\"%" or Process.CommandLine like r"%-sc u:%" or Process.CommandLine like r"%domainncs%" or Process.CommandLine like r"%dompol%" or Process.CommandLine like r"% oudmp %" or Process.CommandLine like r"%subnetdmp%" or Process.CommandLine like r"%gpodmp%" or Process.CommandLine like r"%fspdmp%" or Process.CommandLine like r"%users\_noexpire%" or Process.CommandLine like r"%computers\_active%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects activity that could be related to Baby Shark malware
# The first and third patterns contain no wildcards, so they only match when the whole command line
# equals the string (no executable path, no extra arguments); only the mshta pattern is a prefix match.
# This keeps the rule precise but means small variations of the campaign's commands are missed.
RuleName = Baby Shark Activity
EventType = Process.Start
Tag = proc-start-baby-shark-activity
RiskScore = 75
Query = (Process.CommandLine like r"reg query \"HKEY\_CURRENT\_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" or Process.CommandLine like r"powershell.exe mshta.exe http%" or Process.CommandLine like r"cmd.exe /c taskkill /im cmd.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
# Pure hash IOC rule: fires when the started process' SHA1 is one of the listed values, regardless of
# file name or location. Hash IOCs age quickly - a recompiled sample is not detected - so treat this as
# a retro-hunting rule and keep the list in sync with the upstream Sigma rule.
RuleName = GALLIUM Artefacts
EventType = Process.Start
Tag = proc-start-gallium-artefacts
RiskScore = 75
Query = Process.Hash.SHA1 in ["53a44c2396d15c3a03723fa5e5db54cafd527635", "9c5e496921e3bc882dc40694f1dcc3746a75db19", "aeb573accfd95758550cf30bf04f389a92922844", "79ef78a797403a4ed1a616c68e07fff868a8650a", "4f6f38b4cec35e895d91c052b1f5a83d665c2196", "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d", "e841a63e47361a572db9a7334af459ddca11347a", "c28f606df28a9bc8df75a4d5e5837fc5522dd34d", "2e94b305d6812a9f96e6781c888e48c7fb157b6b", "dd44133716b8a241957b912fa6a02efde3ce3025", "8793bf166cb89eb55f0593404e4e933ab605e803", "a39b57032dbb2335499a51e13470a7cd5d86b138", "41cc2b15c662bc001c0eb92f6cc222934f0beeea", "d209430d6af54792371174e70e27dd11d3def7a7", "1c6452026c56efd2c94cea7e0f671eb55515edb0", "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a", "4923d460e22fbbf165bbbaba168e5a46b8157d9f", "f201504bd96e81d0d350c3a8332593ee1c9e09de", "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"]
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

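[ActivityMonitoringRule]
# Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
# Second GALLIUM rule (same Tag as the previous one): this SHA1 is allow-listed when the binary runs
# from a Program Files directory on any drive, because the same hash also belongs to a legitimately
# installed tool; a copy of it anywhere else fires.
# Hand-tuned: the generated exclusion read "Program Files(x86)" without the space, which is not a real
# directory name, so the intended allow-listing under "Program Files (x86)" never applied. Re-apply this
# change after regenerating the file with sigmac.
RuleName = GALLIUM Artefacts
EventType = Process.Start
Tag = proc-start-gallium-artefacts
RiskScore = 75
Query = ((Process.Hash.SHA1 like r"e570585edc69f9074cb5e8a790708336bd45ca0f") and not ((Process.Path like r"%:\\Program Files (x86)\\%" or Process.Path like r"%:\\Program Files\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP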

[ActivityMonitoringRule]
# Detects activity observed by different researchers to be HAFNIUM group acitivity (or related) on Exchange servers
# A disjunction of post-exploitation artefacts: hiding dropped .aspx web shells with attrib +h +s +r,
# VSPerfMon scheduled tasks/paths, Opera_browser.exe spawned by services.exe/svchost.exe, 7z archiving
# of C:\ProgramData\pst, makecab against Exchange/wwwroot paths, comsvcs.dll MiniDump from wwwroot, etc.
# "\%" is an escaped literal percent sign (%TEMP%); "\_" an escaped literal underscore.
# Intended for Exchange servers; on other hosts the broader branches (attrib +h +s +r on .aspx, dsquery
# from wwwroot) still make sense, the rest is campaign-specific.
RuleName = Exchange Exploitation Activity
EventType = Process.Start
Tag = proc-start-exchange-exploitation-activity
RiskScore = 75
Query = ((Process.CommandLine like r"%attrib%" and Process.CommandLine like r"% +h %" and Process.CommandLine like r"% +s %" and Process.CommandLine like r"% +r %" and Process.CommandLine like r"%.aspx%") or (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%VSPerfMon%") or (Process.CommandLine like r"%vssadmin list shadows%" and Process.CommandLine like r"%Temp\\\_\_output%") or Process.CommandLine like r"%\%TEMP\%\\execute.bat%" or Process.Path like r"%Users\\Public\\opera\\Opera\_browser.exe" or (Process.Path like r"%Opera\_browser.exe" and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe")) or Process.Path like r"%\\ProgramData\\VSPerfMon\\%" or (Process.CommandLine like r"% -t7z %" and Process.CommandLine like r"%C:\\Programdata\\pst%" and Process.CommandLine like r"%\\it.zip%") or (Process.Path like r"%\\makecab.exe" and (Process.CommandLine like r"%Microsoft\\Exchange Server\\%" or Process.CommandLine like r"%inetpub\\wwwroot%")) or (Process.CommandLine like r"%\\Temp\\xx.bat%" or Process.CommandLine like r"%Windows\\WwanSvcdcs%" or Process.CommandLine like r"%Windows\\Temp\\cw.exe%") or (Process.CommandLine like r"%\\comsvcs.dll%" and Process.CommandLine like r"%Minidump%" and Process.CommandLine like r"%\\inetpub\\wwwroot%") or (Process.CommandLine like r"%dsquery%" and Process.CommandLine like r"% -uco %" and Process.CommandLine like r"%\\inetpub\\wwwroot%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Hurricane Panda Activity
# Branch 1 matches any command line containing "localgroup", "admin" and "/add" - i.e. every
# "net localgroup administrators <user> /add", which is routine administration in many environments
# and will dominate the hits. Branch 2 (a process path or argument containing \Win64.exe) is the
# campaign-specific indicator. Consider splitting the two when triaging.
RuleName = Hurricane Panda Activity
EventType = Process.Start
Tag = proc-start-hurricane-panda-activity
RiskScore = 75
Query = ((Process.CommandLine like r"%localgroup%" and Process.CommandLine like r"%admin%" and Process.CommandLine like r"%/add%") or (Process.CommandLine like r"%\\Win64.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
# msdtc.exe or gpvc.exe started from anywhere other than C:\Windows\System32 or C:\Windows\SysWOW64.
# The exclusions hard-code drive C:; on a system with Windows on another drive the genuine binaries
# would fire on every start (false positives, not misses).
RuleName = Lazarus Session Highjacker
EventType = Process.Start
Tag = proc-start-lazarus-session-highjacker
RiskScore = 75
Query = ((Process.Path like r"%\\msdtc.exe" or Process.Path like r"%\\gpvc.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects specific process parameters as used by Mustang Panda droppers
# "\%" is an escaped literal percent sign: the %windir:~-3,1% / %PUBLIC:~-9,1% patterns are batch
# substring expansions the dropper uses to assemble strings from environment variables (obfuscation).
# "\"" is an escaped double quote; "\_" is not used here, so "_" would be a wildcard.
# The vbscript branch requires all four substrings (/E:vbscript, C:\Users\, .txt, /F) on one command line.
RuleName = Mustang Panda Dropper
EventType = Process.Start
Tag = proc-start-mustang-panda-dropper
RiskScore = 75
Query = ((Process.CommandLine like r"%Temp\\wtask.exe /create%" or Process.CommandLine like r"%\%windir:~-3,1\%\%PUBLIC:~-9,1\%%" or Process.CommandLine like r"%/tn \"Security Script %" or Process.CommandLine like r"%\%windir:~-1,1\%%") or (Process.CommandLine like r"%/E:vbscript%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%.txt%" and Process.CommandLine like r"%/F%") or Process.Path like r"%Temp\\winwsh.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
# Exact equality on the whole command line: only "ps.exe -accepteula" with nothing else matches.
# "ps.exe -accepteula \\target cmd" or a full-path invocation is not seen; the intent is to catch the
# EULA-acceptance run that precedes first use. For broader coverage use a hash or IMP-hash match on
# the PsExec binary (GenericProperty1-4 are recorded for that purpose).
RuleName = Ps.exe Renamed SysInternals Tool
EventType = Process.Start
Tag = proc-start-ps.exe-renamed-sysinternals-tool
RiskScore = 75
Query = Process.CommandLine == "ps.exe -accepteula"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
# Substring match on the actor's characteristic padding string ("ab" + a run of "C" + "c") anywhere in
# any process' command line; no Process.Path check. Campaign-specific, low false-positive rate.
RuleName = TropicTrooper Campaign November 2018
EventType = Process.Start
Tag = proc-start-tropictrooper-campaign-november-2018
RiskScore = 75
Query = Process.CommandLine like r"%abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A sigma rule detecting an unidentified attacker who used phishing emails to target high profile orgs in November 2018. The actor shares some TTPs with the YYTRIUM/APT29 campaign in 2016.
# Both substrings must be present: the "cyzfc.dat," DLL/argument name and the exported entry point
# "PointFunctionCall" at the very end of the command line (no trailing wildcard on the second pattern).
# Presumably a rundll32-style invocation of the dropped DLL; the rule does not check the image name.
RuleName = Unidentified Attacker November 2018
EventType = Process.Start
Tag = proc-start-unidentified-attacker-november-2018
RiskScore = 75
Query = (Process.CommandLine like r"%cyzfc.dat,%" and Process.CommandLine like r"%PointFunctionCall")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects activity mentioned in Operation Wocao report
# A flat OR list of command-line fragments from the report: custom tooling (checkadmin.exe, iie.exe),
# a firewall rule named "powershell", a PowerShell script at c:\s.ps1 run with -ep bypass, a fake
# "win32times" task/service, devmgr.dll copied over an admin share, an encoded command starting with
# "JgAg", reading the KeePass config, and enumerating PuTTY saved sessions via reg query.
# Pattern notes: "\_" is an escaped literal underscore (a bare "_" is a single-character wildcard in
# like patterns) and the "%" between Software\ and \PuTTY is a wildcard for the vendor key segment.
RuleName = Operation Wocao Activity
EventType = Process.Start
Tag = proc-start-operation-wocao-activity
RiskScore = 75
Query = (Process.CommandLine like r"%checkadmin.exe 127.0.0.1 -all%" or Process.CommandLine like r"%netsh advfirewall firewall add rule name=powershell dir=in%" or Process.CommandLine like r"%cmd /c powershell.exe -ep bypass -file c:\\s.ps1%" or Process.CommandLine like r"%/tn win32times /f%" or Process.CommandLine like r"%create win32times binPath=%" or Process.CommandLine like r"%\\c$\\windows\\system32\\devmgr.dll%" or Process.CommandLine like r"% -exec bypass -enc JgAg%" or Process.CommandLine like r"%type %keepass\\KeePass.config.xml%" or Process.CommandLine like r"%iie.exe iie.txt%" or Process.CommandLine like r"%reg query HKEY\_CURRENT\_USER\\Software\\%\\PuTTY\\Sessions\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
# The patterns have no trailing wildcard, so they only match a command line that ENDS with the image
# name - i.e. rundll32.exe / WerFault.exe started with no arguments at all. A single trailing space or
# argument in the command line (as some launchers add) is enough to miss; conversely a legitimate
# argument-less start of either binary will fire, so tune on Parent.Path if this is noisy.
RuleName = Bad Opsec Defaults Sacrificial Processes With Improper Arguments
EventType = Process.Start
Tag = proc-start-bad-opsec-defaults-sacrificial-processes-with-improper-arguments
RiskScore = 75
Query = (Process.CommandLine like r"%\\WerFault.exe" or Process.CommandLine like r"%\\rundll32.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used by malware or an attacker as a destructive technique (commonly seen before ransomware encryption to suppress Windows recovery).
# Requires the bcdedit.exe image plus a "set" subcommand, and then either
#   bootstatuspolicy ... ignoreallfailures   or   recoveryenabled ... no
# NOTE(review): "%no%" is a bare two-letter substring, so "recoveryenabled" combined with any other
# argument containing "no" also matches; acceptable here because bcdedit /set recoveryenabled is itself rare.
RuleName = Modification of Boot Configuration
EventType = Process.Start
Tag = proc-start-modification-of-boot-configuration
RiskScore = 75
Query = ((Process.Path like r"%\\bcdedit.exe" and Process.CommandLine like r"%set%") and ((Process.CommandLine like r"%bootstatuspolicy%" and Process.CommandLine like r"%ignoreallfailures%") or (Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Execution via SyncInvoke in CL_Invocation.ps1 module
# CL_Invocation.ps1 is a Microsoft-signed script shipped with Windows whose SyncInvoke function can be
# abused to launch an arbitrary binary from a signed context. Both the script name and the function
# name must appear in the command line. "\_" is an escaped literal underscore in the like pattern.
RuleName = Execution via CL_Invocation.ps1
EventType = Process.Start
Tag = proc-start-execution-via-cl_invocation.ps1
RiskScore = 75
Query = (Process.CommandLine like r"%CL\_Invocation.ps1%" and Process.CommandLine like r"%SyncInvoke%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
# Companion to the CL_Invocation.ps1 rule: CL_Mutexverifiers.ps1 is another signed Windows
# troubleshooting script whose runAfterCancelProcess function starts a caller-supplied executable.
# Both substrings are required; "\_" is an escaped literal underscore.
RuleName = Execution via CL_Mutexverifiers.ps1
EventType = Process.Start
Tag = proc-start-execution-via-cl_mutexverifiers.ps1
RiskScore = 75
Query = (Process.CommandLine like r"%CL\_Mutexverifiers.ps1%" and Process.CommandLine like r"%runAfterCancelProcess%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
# Keys entirely on the PARENT: a DllHost.exe surrogate whose command line ends with one of the two
# CMSTP-related CLSIDs ({3E5FC7F9-...} / {3E000D72-...}). Any child process of such a dllhost fires,
# which is the point - a payload launched through the auto-elevated COM object runs as its child.
# The child's own image/command line is not constrained, so do not add a child filter without
# understanding what legitimately runs under these surrogates (expected to be very little).
RuleName = CMSTP UAC Bypass via COM Object Access
EventType = Process.Start
Tag = proc-start-cmstp-uac-bypass-via-com-object-access
RiskScore = 75
Query = (Parent.CommandLine like r"%\\DllHost.exe %" and (Parent.CommandLine like r"%{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or Parent.CommandLine like r"%{3E000D72-A845-4CD9-BD83-80C07C3B881F}"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking
# Fires when the parent was a "cmd ... /c ..." invocation and the child's command line contains a
# "/../../" traversal sequence (forward slashes, as accepted by the Win32 path parser).
# "%cmd%" and "%/c%" are loose substrings of the parent command line, not an image check; the
# specificity comes from the traversal sequence, which normal tooling rarely emits.
RuleName = Cmd.exe CommandLine Path Traversal
EventType = Process.Start
Tag = proc-start-cmd.exe-commandline-path-traversal
RiskScore = 75
Query = (Parent.CommandLine like r"%cmd%" and Parent.CommandLine like r"%/c%" and Process.CommandLine like r"%/../../%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Files with well-known filenames (sensitive files with credential data) copying
# Two alternatives:
#   - esentutl.exe with "vss", " /m " or " /y " (shadow-copy / copy modes usable to grab locked hives and ntds.dit)
#   - ANY process whose command line references ntds.dit or the SAM/SECURITY/SYSTEM hives under
#     \config\, \repair\ or \config\RegBack\ (the image is not constrained, so reg.exe save, copy, robocopy etc. all count)
# The trailing space in "\config\system " presumably avoids matching the systemprofile directory;
# note it also means a quoted or end-of-line "...\config\system" will not match.
RuleName = Copying Sensitive Files with Credential Data
EventType = Process.Start
Tag = proc-start-copying-sensitive-files-with-credential-data
RiskScore = 75
Query = ((Process.Path like r"%\\esentutl.exe" and (Process.CommandLine like r"%vss%" or Process.CommandLine like r"% /m %" or Process.CommandLine like r"% /y %")) or (Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" or Process.CommandLine like r"%\\config\\sam%" or Process.CommandLine like r"%\\config\\security%" or Process.CommandLine like r"%\\config\\system %" or Process.CommandLine like r"%\\repair\\sam%" or Process.CommandLine like r"%\\repair\\system%" or Process.CommandLine like r"%\\repair\\security%" or Process.CommandLine like r"%\\config\\RegBack\\sam%" or Process.CommandLine like r"%\\config\\RegBack\\system%" or Process.CommandLine like r"%\\config\\RegBack\\security%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Archer malware invocation via rundll32
# Matches rundll32.exe anywhere in the command line together with the "InstallArcherSvc" export name.
# The image path is not checked, so a renamed rundll32 copy invoked with the same arguments evades
# the first clause only if "rundll32.exe" is absent from the command line as well.
RuleName = Fireball Archer Install
EventType = Process.Start
Tag = proc-start-fireball-archer-install
RiskScore = 75
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%InstallArcherSvc%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Well-known DNS Exfiltration tools execution
# Image-name match only: a process named iodine.exe, or any image whose path contains "\dnscat2"
# (covers dnscat2.exe and variants with suffixes). Renaming the binary evades this rule entirely;
# the reported hashes (GenericProperty1-4) are what you would pivot on for a renamed copy.
RuleName = DNS Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-dns-exfiltration-and-tunneling-tools-execution
RiskScore = 75
Query = (Process.Path like r"%\\iodine.exe" or Process.Path like r"%\\dnscat2%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
# Alternatives covered:
#   - wevtutil-style "cl"/"clear-log" with a "/Trace" log name, or "sl"/"set-log" with "/e:false"
#     (presumably wevtutil abbreviations; the image is not checked, only the command line)
#   - Remove-EtwTraceProvider / Set-EtwTraceProvider against the WMI-Activity trace session GUID
#     {1418ef04-...}, the latter only with level 0x11
#   - "logman update trace ... --p ... -ets" (removing a provider from a live session)
# NOTE(review): "%cl%" and "%sl%" are two-letter substrings and will be satisfied by almost any
# command line; the real selector in those branches is "/Trace" resp. "/e:false". Expect some noise
# from administrative scripts that legitimately pass those switches.
RuleName = Disable of ETW Trace
EventType = Process.Start
Tag = proc-start-disable-of-etw-trace
RiskScore = 75
Query = ((Process.CommandLine like r"%cl%" and Process.CommandLine like r"%/Trace%") or (Process.CommandLine like r"%clear-log%" and Process.CommandLine like r"%/Trace%") or (Process.CommandLine like r"%sl%" and Process.CommandLine like r"%/e:false%") or (Process.CommandLine like r"%set-log%" and Process.CommandLine like r"%/e:false%") or (Process.CommandLine like r"%Remove-EtwTraceProvider%" and Process.CommandLine like r"%EventLog-Microsoft-Windows-WMI-Activity-Trace%" and Process.CommandLine like r"%{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}%") or (Process.CommandLine like r"%Set-EtwTraceProvider%" and Process.CommandLine like r"%{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}%" and Process.CommandLine like r"%EventLog-Microsoft-Windows-WMI-Activity-Trace%" and Process.CommandLine like r"%0x11%") or (Process.CommandLine like r"%logman%" and Process.CommandLine like r"%update%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%--p%" and Process.CommandLine like r"%-ets%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
# Parent must be cmd.exe /c running C:\Windows\Setup\Scripts\SetupComplete.cmd or PartnerSetupComplete.cmd
# (these scripts run as SYSTEM after setup); the child is anything NOT located under System32,
# SysWOW64, WinSxS or C:\Windows\Setup - i.e. a planted binary picked up by the script.
# Legitimate OEM post-setup scripts that launch vendor tools from elsewhere will also fire once.
RuleName = Exploiting SetupComplete.cmd CVE-2019-1378
EventType = Process.Start
Tag = proc-start-exploiting-setupcomplete.cmd-cve-2019-1378
RiskScore = 75
Query = ((Parent.CommandLine like r"%\\cmd.exe%" and Parent.CommandLine like r"%/c%" and Parent.CommandLine like r"%C:\\Windows\\Setup\\Scripts\\%" and (Parent.CommandLine like r"%SetupComplete.cmd" or Parent.CommandLine like r"%PartnerSetupComplete.cmd")) and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Windows\\Setup\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects commands that add a new printer port which points to a suspicious file (PrintDemon, CVE-2020-1048)
# Two alternatives:
#   - Add-PrinterPort -Name ... where the port name contains .exe/.dll/.bat (a port that "prints" into a file)
#   - the literal "Generic / Text Only" driver name anywhere in a command line
# NOTE(review): the second clause stands alone and is not tied to Add-Printer*/port creation, so any
# legitimate script installing the Generic/Text Only driver will fire. Consider AND-ing it with an
# Add-Printer/printui/rundll32 printui indicator if this is noisy in your estate.
RuleName = Suspicious PrinterPorts Creation (CVE-2020-1048)
EventType = Process.Start
Tag = proc-start-suspicious-printerports-creation-(cve-2020-1048)
RiskScore = 75
Query = (((Process.CommandLine like r"%Add-PrinterPort -Name%") and (Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.bat%")) or (Process.CommandLine like r"%Generic / Text Only%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters used by Bloodhound and Sharphound hack tools
# Four alternatives: the default image names (Bloodhound.exe / SharpHound.exe, renaming evades this
# part); well-known collector switches (-CollectionMethod All, ".exe -c All -d", Invoke-Bloodhound,
# Get-BloodHoundData); the -JsonFolder + -ZipFileName pair; or DCOnly together with --NoSaveCache.
# The switch-based branches do not check the image, so a renamed or reflectively loaded collector
# still fires as long as the arguments are visible in the command line.
RuleName = Bloodhound and Sharphound Hack Tool
EventType = Process.Start
Tag = proc-start-bloodhound-and-sharphound-hack-tool
RiskScore = 75
Query = ((Process.Path like r"%\\Bloodhound.exe%" or Process.Path like r"%\\SharpHound.exe%") or (Process.CommandLine like r"% -CollectionMethod All %" or Process.CommandLine like r"%.exe -c All -d %" or Process.CommandLine like r"%Invoke-Bloodhound%" or Process.CommandLine like r"%Get-BloodHoundData%") or (Process.CommandLine like r"% -JsonFolder %" and Process.CommandLine like r"% -ZipFileName %") or (Process.CommandLine like r"% DCOnly %" and Process.CommandLine like r"% --NoSaveCache %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command line parameters used by Koadic hack tool
# cmd.exe started with /q (quiet), /c and a "chcp" code-page switch in one command line - the
# combination Koadic's stagers emit. Each token is a bare substring ("%/q%" also matches e.g. "/query"),
# so the specificity comes from all three appearing together under cmd.exe.
RuleName = Koadic Execution
EventType = Process.Start
Tag = proc-start-koadic-execution
RiskScore = 75
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%/q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%chcp%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies usage of hh.exe (HTML Help) executing .chm files.
# NOTE(review): the upstream description mentions "recently modified" .chm files, but this query has
# no file-age condition - it fires on every hh.exe start whose command line contains ".chm".
# Expect noise from legitimate help lookups; pair with the "HTML Help Shell Spawn" rule for the
# actually dangerous case (hh.exe spawning a shell).
RuleName = HH.exe Execution
EventType = Process.Start
Tag = proc-start-hh.exe-execution
RiskScore = 75
Query = (Process.Path like r"%\\hh.exe" and Process.CommandLine like r"%.chm%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
# Matches on the default image name OR on the import hash (Process.Hash.IMP) of the known build, so a
# renamed copy of the same binary is still caught; a recompiled build with a different import table is not.
# The imphash is an exact string comparison - keep it lowercase as stored here.
RuleName = CreateMiniDump Hacktool
EventType = Process.Start
Tag = proc-start-createminidump-hacktool
RiskScore = 75
Query = (Process.Path like r"%\\CreateMiniDump.exe%" or Process.Hash.IMP == "4a07f944a83e8a7c2525efa35dd30e2f")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
# Parent is matched against the absolute path C:\Windows\hh.exe (no leading wildcard, so hh.exe under
# SysWOW64 or a non-default system drive letter will NOT match - extend the pattern if that applies).
# Child is one of the usual script/LOLBin interpreters (cmd, powershell, wscript, cscript, regsvr32, wmic, rundll32).
RuleName = HTML Help Shell Spawn
EventType = Process.Start
Tag = proc-start-html-help-shell-spawn
RiskScore = 75
Query = (Parent.Path like r"C:\\Windows\\hh.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\rundll32.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
# Parent/child pair only: Hwp.exe spawning gbb.exe. Presumably gbb.exe is the helper binary dropped by
# the documented exploit chain; any other child of Hwp.exe is not covered by this rule.
RuleName = Suspicious HWP Sub Processes
EventType = Process.Start
Tag = proc-start-suspicious-hwp-sub-processes
RiskScore = 75
Query = (Parent.Path like r"%\\Hwp.exe" and Process.Path like r"%\\gbb.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
# Fires on any command line that references the Image File Execution Options key together with one
# of the accessibility binaries reachable from the logon screen (sethc, utilman, osk, magnify,
# narrator, displayswitch, atbroker). Typical form: reg add ...\Image File Execution Options\sethc.exe /v Debugger ...
# Only command-line based registration is seen; a direct registry API write from a custom tool is not.
RuleName = Suspicious Debugger Registration Cmdline
EventType = Process.Start
Tag = proc-start-suspicious-debugger-registration-cmdline
RiskScore = 75
Query = (Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\%" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%magnify.exe%" or Process.CommandLine like r"%narrator.exe%" or Process.CommandLine like r"%displayswitch.exe%" or Process.CommandLine like r"%atbroker.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect an interactive AT job, which may be used as a form of privilege escalation
# at.exe with "interactive" anywhere in the arguments (the /interactive switch lets the SYSTEM-run
# job interact with the desktop on legacy Windows). at.exe is deprecated, so any use is worth a look.
RuleName = Interactive AT Job
EventType = Process.Start
Tag = proc-start-interactive-at-job
RiskScore = 75
Query = (Process.Path like r"%\\at.exe" and Process.CommandLine like r"%interactive%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA (DCOM lateral movement) and described in the report
# Pure parent/child pair: svchost.exe -> mshta.exe. No service or command-line filter is applied,
# so scheduled tasks or services that legitimately launch mshta will also fire; tune on
# Process.CommandLine if you have such cases.
RuleName = MSHTA Spwaned by SVCHOST
EventType = Process.Start
Tag = proc-start-mshta-spwaned-by-svchost
RiskScore = 75
Query = (Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mshta.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
# Two alternatives:
#   - any command line containing both "lsass" and ".dmp", except when the image is werfault.exe
#     (Windows Error Reporting writing a crash dump of lsass is the expected benign case)
#   - an image whose path contains "\procdump" and ends in ".exe" with "lsass" in the arguments
#     (covers procdump.exe and procdump64.exe)
# Dumpers that take the PID instead of the name (e.g. "procdump -ma 652 out.dmp") are not caught.
RuleName = LSASS Memory Dumping
EventType = Process.Start
Tag = proc-start-lsass-memory-dumping
RiskScore = 75
Query = (((Process.CommandLine like r"%lsass%" and Process.CommandLine like r"%.dmp%") and not (Process.Path like r"%\\werfault.exe")) or (Process.Path like r"%\\procdump%" and Process.Path like r"%.exe" and Process.CommandLine like r"%lsass%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects wscript/cscript executions of scripts located in user directories
# wscript.exe or cscript.exe, a script path under C:\Users\ or C:\ProgramData\, and a script-like
# extension in the arguments; a WinZip parent is excluded (self-extracting archives run scripts this way).
# NOTE(review): ".js%" is a substring, so it also matches ".json" and ".jse"; ".vb%" is not listed, so
# ".vb" alone does not fire. Paths on drives other than C: are not covered.
RuleName = WScript or CScript Dropper
EventType = Process.Start
Tag = proc-start-wscript-or-cscript-dropper
RiskScore = 75
Query = (((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%C:\\Users\\%" or Process.CommandLine like r"%C:\\ProgramData\\%") and (Process.CommandLine like r"%.jse%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.vba%" or Process.CommandLine like r"%.vbs%")) and not (Parent.Path like r"%\\winzip%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects javaw.exe in AppData folder as used by Adwind / JRAT
# Two alternatives, both command-line based (the image path is not checked):
#   - a Java launcher referenced under \AppData\Roaming\Oracle (the JRE copy Adwind drops) - "\java" plus ".exe "
#   - cscript.exe running a .vbs whose name contains "Retrive" (sic - the misspelling is the malware's, keep it)
RuleName = Adwind RAT / JRAT
EventType = Process.Start
Tag = proc-start-adwind-rat-/-jrat
RiskScore = 75
Query = ((Process.CommandLine like r"%\\AppData\\Roaming\\Oracle%" and Process.CommandLine like r"%\\java%" and Process.CommandLine like r"%.exe %") or (Process.CommandLine like r"%cscript.exe%" and Process.CommandLine like r"%Retrive%" and Process.CommandLine like r"%.vbs %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
# Parent must be services.exe (i.e. the process is a freshly created service). The service binary is one of:
#   - "cmd /c echo ... > \\.\pipe\..." (named-pipe impersonation technique)
#   - the same via %COMSPEC% (\% is a literal percent in the pattern)
#   - "rundll32 ... .dll,a /p:..." (the DLL-based getsystem variant)
# Microsoft Defender's MpCmdRun is excluded because it legitimately runs as a service with a pipe argument.
RuleName = Meterpreter or Cobalt Strike Getsystem Service Start
EventType = Process.Start
Tag = proc-start-meterpreter-or-cobalt-strike-getsystem-service-start
RiskScore = 75
Query = ((Parent.Path like r"%\\services.exe" and ((Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%\%COMSPEC\%%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%") or (Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%.dll,a%" and Process.CommandLine like r"%/p:%"))) and not (Process.CommandLine like r"%MpCmdRun%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MMC
# Parent mmc.exe; child is a shell/script host (cmd, powershell, wscript, cscript, sh, bash), reg.exe,
# regsvr32.exe, or any image containing "\BITSADMIN". Same child list as the MSHTA rule below, so
# keep the two in sync when tuning. MMC snap-ins that legitimately open a shell (rare) will fire.
RuleName = MMC Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mmc-spawning-windows-shell
RiskScore = 75
Query = (Parent.Path like r"%\\mmc.exe" and ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\BITSADMIN%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies suspicious mshta.exe commands
# mshta.exe whose command line contains "javascript" - the inline "javascript:..." protocol handler
# form used by droppers, as opposed to running an .hta file. Assumes the like operator is
# case-insensitive (Sigma semantics) so "JavaScript:" is also caught - confirm for this engine.
RuleName = Mshta JavaScript Execution
EventType = Process.Start
Tag = proc-start-mshta-javascript-execution
RiskScore = 75
Query = (Process.Path like r"%\\mshta.exe" and Process.CommandLine like r"%javascript%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows command line executable started from MSHTA
# Parent mshta.exe; child list is identical to the "MMC Spawning Windows Shell" rule (shells, script
# hosts, reg.exe, regsvr32.exe, anything containing "\BITSADMIN"). Legitimate HTA applications
# that shell out are the main false-positive source - allow-list by Parent.CommandLine, not by child.
RuleName = MSHTA Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-mshta-spawning-windows-shell
RiskScore = 75
Query = (Parent.Path like r"%\\mshta.exe" and ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\BITSADMIN%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects netsh commands that open port 3389 used for RDP, as used by Sarwent malware
# "netsh" must appear in the command line (the image is not checked), plus either the legacy
# "firewall add portopening ... tcp 3389" syntax or the modern
# "advfirewall firewall add rule ... action=allow protocol=TCP localport=3389" syntax.
# Rules that allow 3389 via a port range or via a profile/group name are not covered.
RuleName = Netsh RDP Port Opening
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-opening
RiskScore = 75
Query = (Process.CommandLine like r"%netsh%" and ((Process.CommandLine like r"%firewall add portopening%" and Process.CommandLine like r"%tcp 3389%") or (Process.CommandLine like r"%advfirewall firewall add rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%protocol=TCP%" and Process.CommandLine like r"%localport=3389%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

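[ActivityMonitoringRule]
# Detects netsh commands that allow a program from a suspicious location through the Windows Firewall
# First half: netsh.exe adding a firewall allow entry for a program, either the legacy
# "firewall add allowedprogram" syntax or "advfirewall firewall add rule ... action=allow program=...".
# Second half: the program path is in a location attackers stage from (temp/recycler/public dirs,
# Downloads, Outlook attachment cache, or the writable-by-default directories under C:\Windows).
# FIX: the second group of locations (C:\Windows\Tasks\ ... %Public%\) previously had no leading
# wildcard, i.e. it was a prefix match on the whole command line. A netsh.exe command line starts
# with the netsh image name/path, never with the program's directory, so those nine patterns could
# not match in practice and that group was effectively dead. They are now substring matches like the
# first group, so "program=C:\Windows\Tasks\x.exe" is detected as intended.
RuleName = Netsh Program Allowed with Suspcious Location
EventType = Process.Start
Tag = proc-start-netsh-program-allowed-with-suspcious-location
RiskScore = 75
Query = ((Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%allowedprogram%" or (Process.CommandLine like r"%advfirewall%" and Process.CommandLine like r"%rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%program=%"))) and ((Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%:\\RECYCLER\\%" or Process.CommandLine like r"%C:\\$Recycle.bin\\%" or Process.CommandLine like r"%:\\SystemVolumeInformation\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%" or Process.CommandLine like r"%C:\\Temp\\%" or Process.CommandLine like r"%C:\\Users\\Public\\%" or Process.CommandLine like r"%C:\\Users\\Default\\%" or Process.CommandLine like r"%C:\\Users\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.CommandLine like r"%\\Local Settings\\Temporary Internet Files\\%") or (Process.CommandLine like r"%C:\\Windows\\Tasks\\%" or Process.CommandLine like r"%C:\\Windows\\debug\\%" or Process.CommandLine like r"%C:\\Windows\\fonts\\%" or Process.CommandLine like r"%C:\\Windows\\help\\%" or Process.CommandLine like r"%C:\\Windows\\drivers\\%" or Process.CommandLine like r"%C:\\Windows\\addins\\%" or Process.CommandLine like r"%C:\\Windows\\cursors\\%" or Process.CommandLine like r"%C:\\Windows\\system32\\tasks\\%" or Process.CommandLine like r"%\%Public\%\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP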

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding of port 3389 used for RDP
# Intended target is "netsh interface portproxy add v4tov4 ... connectport=3389" (or listenport=3389);
# the tokens are abbreviated so netsh's short forms ("netsh i p a v4tov4 ...") are also caught.
# NOTE(review): "%i%", "% p%" and "% c%" are extremely loose substrings - effectively the only real
# selector is netsh.exe together with "=3389". Any netsh invocation mentioning port 3389 with "=" will
# fire; that is tolerable given how rare legitimate portproxy use is, but do not raise RiskScore further.
RuleName = Netsh RDP Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-rdp-port-forwarding
RiskScore = 75
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%i%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"%=3389%" and Process.CommandLine like r"% c%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
# Parent list also includes Outlook, Access and the Equation Editor (EQNEDT32.EXE, CVE-2017-11882 chain).
# Child list covers shells and script hosts plus the common LOLBins used by macro droppers (schtasks,
# regsvr32, hh, wmic, mshta, rundll32, msiexec, forfiles, scriptrunner, mftrace, AppVLP, svchost, msbuild).
# Mixed-case image names (POWERPNT.exe vs WINWORD.EXE) are as generated from Sigma and rely on the
# like operator being case-insensitive - confirm for this engine or normalise the casing.
# Add-ins that legitimately launch a shell (e.g. some document-management integrations) will fire.
RuleName = Microsoft Office Product Spawning Windows Shell
EventType = Process.Start
Tag = proc-start-microsoft-office-product-spawning-windows-shell
RiskScore = 75
Query = ((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\OUTLOOK.EXE" or Parent.Path like r"%\\MSACCESS.EXE" or Parent.Path like r"%\\EQNEDT32.EXE") and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\msbuild.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
# Child image must live under C:\users\ and end in .exe; Teams.exe is excluded because Office
# launches it from the per-user AppData install. Only the C: drive is covered, and Outlook/Access
# are deliberately not in the parent list here (unlike the "Spawning Windows Shell" rule) because
# Outlook launching user-profile executables (click-to-run updaters etc.) is common.
RuleName = MS Office Product Spawning Exe in User Dir
EventType = Process.Start
Tag = proc-start-ms-office-product-spawning-exe-in-user-dir
RiskScore = 75
Query = (((Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe") and Process.Path like r"C:\\users\\%" and Process.Path like r"%.exe") and not (Process.Path like r"%\\Teams.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

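[ActivityMonitoringRule]
# Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
# Each clause pairs a legitimate, signed host executable that PlugX is known to side-load into
# (CamMute, chrome_frame_helper, dvcemumanager, Gadget, hcc, hkcmd, Mc, MsMpEng, msseces, OInfoP11,
# OleView, rc) with the directories it is expected to be installed in; running the binary from
# anywhere else fires. "\_" in chrome_frame_helper is an escaped literal underscore.
# FIX: the hkcmd.exe allow-list excluded "\SysWowo64\" (typo carried over from the upstream Sigma
# rule), so a legitimate hkcmd.exe under C:\Windows\SysWOW64\ was never excluded and produced a
# false positive. Corrected to "\SysWOW64\", matching the spelling used by the other rules in this file.
RuleName = Executable Used by PlugX in Uncommon Location
EventType = Process.Start
Tag = proc-start-executable-used-by-plugx-in-uncommon-location
RiskScore = 75
Query = ((((((((((((Process.Path like r"%\\CamMute.exe" and not ((Process.Path like r"%\\Lenovo\\Communication Utility\\%" or Process.Path like r"%\\Lenovo\\Communications Utility\\%"))) or (Process.Path like r"%\\chrome\_frame\_helper.exe" and not (Process.Path like r"%\\Google\\Chrome\\application\\%"))) or (Process.Path like r"%\\dvcemumanager.exe" and not (Process.Path like r"%\\Microsoft Device Emulator\\%"))) or (Process.Path like r"%\\Gadget.exe" and not (Process.Path like r"%\\Windows Media Player\\%"))) or (Process.Path like r"%\\hcc.exe" and not (Process.Path like r"%\\HTML Help Workshop\\%"))) or (Process.Path like r"%\\hkcmd.exe" and not ((Process.Path like r"%\\System32\\%" or Process.Path like r"%\\SysNative\\%" or Process.Path like r"%\\SysWOW64\\%")))) or (Process.Path like r"%\\Mc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%")))) or (Process.Path like r"%\\MsMpEng.exe" and not ((Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Windows Defender\\%" or Process.Path like r"%\\AntiMalware\\%")))) or (Process.Path like r"%\\msseces.exe" and not ((Process.Path like r"%\\Microsoft Security Center\\%" or Process.Path like r"%\\Microsoft Security Client\\%" or Process.Path like r"%\\Microsoft Security Essentials\\%")))) or (Process.Path like r"%\\OInfoP11.exe" and not (Process.Path like r"%\\Common Files\\Microsoft Shared\\%"))) or (Process.Path like r"%\\OleView.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%")))) or (Process.Path like r"%\\rc.exe" and not ((Process.Path like r"%\\Microsoft Visual Studio%" or Process.Path like r"%\\Microsoft SDK%" or Process.Path like r"%\\Windows Kit%" or Process.Path like r"%\\Windows Resource Kit\\%" or Process.Path like r"%\\Microsoft.NET\\%"))))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP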

[ActivityMonitoringRule]
# Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
# Both the AmsiUtils class name and the amsiInitFailed field must be present in the command line -
# the classic one-liner that flips the static field via reflection. Only catches the unobfuscated
# form passed on the command line; string-concatenated or encoded variants (see the
# FromBase64String rule) are not matched here, and script-block logging is the better source for those.
RuleName = Powershell AMSI Bypass via .NET Reflection
EventType = Process.Start
Tag = proc-start-powershell-amsi-bypass-via-.net-reflection
RiskScore = 75
Query = ((Process.CommandLine like r"%System.Management.Automation.AmsiUtils%") and (Process.CommandLine like r"%amsiInitFailed%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

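[ActivityMonitoringRule]
# Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
# Two alternatives:
#   - a command line containing Add-MpPreference together with -ExclusionPath / -ExclusionExtension / -ExclusionProcess
#   - one of three base64 fragments that encode "Add-MpPreference" at the three possible byte
#     alignments, for -EncodedCommand invocations
# FIX: the first clause previously used exact equality (Process.CommandLine == "Add-MpPreference")
# AND-ed with a substring test for " -Exclusion... ". A string that equals "Add-MpPreference" cannot
# also contain " -ExclusionPath ", so that clause was unsatisfiable and only the base64 branch ever
# fired. Changed to a substring match so the plaintext form is detected as the description promises.
RuleName = Powershell Defender Exclusion
EventType = Process.Start
Tag = proc-start-powershell-defender-exclusion
RiskScore = 75
Query = ((Process.CommandLine like r"%Add-MpPreference%" and (Process.CommandLine like r"% -ExclusionPath %" or Process.CommandLine like r"% -ExclusionExtension %" or Process.CommandLine like r"% -ExclusionProcess %")) or (Process.CommandLine like r"%QWRkLU1wUHJlZmVyZW5jZ%" or Process.CommandLine like r"%FkZC1NcFByZWZlcmVuY2%" or Process.CommandLine like r"%BZGQtTXBQcmVmZXJlbmNl%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP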

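[ActivityMonitoringRule]
# Detects attackers attempting to disable Windows Defender using Powershell
# powershell.exe with a Set-MpPreference switch that turns a protection component off.
# FIX: the real-time protection switch of Set-MpPreference is -DisableRealtimeMonitoring; the
# "-DisableRuntimeMonitoring" pattern inherited from the upstream rule looks like a misspelling
# and would not match the documented cmdlet parameter. The correct spelling is added as a third
# alternative; the original two patterns are kept unchanged so nothing that matched before stops matching.
# Note that pwsh.exe (PowerShell 7) is not covered by the image check.
RuleName = Powershell Used To Disable Windows Defender AV Security Monitoring
EventType = Process.Start
Tag = proc-start-powershell-used-to-disable-windows-defender-av-security-monitoring
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%-DisableBehaviorMonitoring $true%" or Process.CommandLine like r"%-DisableRuntimeMonitoring $true%" or Process.CommandLine like r"%-DisableRealtimeMonitoring $true%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP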

[ActivityMonitoringRule]
# Detects suspicious FromBase64String expressions in command line arguments
# Any process (image not checked) whose command line contains "::FromBase64String(" - the static
# [Convert] call used to unpack a stage inline. Legitimate admin scripts and some installers use the
# same call, so expect a steady baseline; combine with Parent.Path or -EncodedCommand for triage.
RuleName = FromBase64String Command Line
EventType = Process.Start
Tag = proc-start-frombase64string-command-line
RiskScore = 75
Query = Process.CommandLine like r"%::FromBase64String(%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
# powershell.exe whose command line contains "new-object system.net.sockets.tcpclient" - the raw
# TCP client construction the one-liner uses. The pattern is all lowercase while PowerShell is
# case-insensitive; this only works if the like operator is case-insensitive too - confirm for this
# engine. Encoded (-enc) variants are not visible here; rely on script-block logging for those.
RuleName = Powershell Reverse Shell Connection
EventType = Process.Start
Tag = proc-start-powershell-reverse-shell-connection
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%new-object system.net.sockets.tcpclient%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious PowerShell invocation with a parameter substring
# PowerShell accepts any unambiguous prefix of a parameter name, so attackers shorten
# -WindowStyle Hidden, -NoProfile, -NonInteractive and -EncodedCommand to evade
# exact-string detections. The list enumerates those abbreviated forms, each
# surrounded by spaces so that they only match as whole tokens.
# The path pattern is "Powershell.exe" (capital P); this only works if like is
# case-insensitive, which the rest of the file appears to assume - confirm.
RuleName = Suspicious PowerShell Parameter Substring
EventType = Process.Start
Tag = proc-start-suspicious-powershell-parameter-substring
RiskScore = 75
Query = ((Process.Path like r"%\\Powershell.exe") and (Process.CommandLine like r"% -windowstyle h %" or Process.CommandLine like r"% -windowstyl h%" or Process.CommandLine like r"% -windowsty h%" or Process.CommandLine like r"% -windowst h%" or Process.CommandLine like r"% -windows h%" or Process.CommandLine like r"% -windo h%" or Process.CommandLine like r"% -wind h%" or Process.CommandLine like r"% -win h%" or Process.CommandLine like r"% -wi h%" or Process.CommandLine like r"% -win h %" or Process.CommandLine like r"% -win hi %" or Process.CommandLine like r"% -win hid %" or Process.CommandLine like r"% -win hidd %" or Process.CommandLine like r"% -win hidde %" or Process.CommandLine like r"% -NoPr %" or Process.CommandLine like r"% -NoPro %" or Process.CommandLine like r"% -NoProf %" or Process.CommandLine like r"% -NoProfi %" or Process.CommandLine like r"% -NoProfil %" or Process.CommandLine like r"% -nonin %" or Process.CommandLine like r"% -nonint %" or Process.CommandLine like r"% -noninte %" or Process.CommandLine like r"% -noninter %" or Process.CommandLine like r"% -nonintera %" or Process.CommandLine like r"% -noninterac %" or Process.CommandLine like r"% -noninteract %" or Process.CommandLine like r"% -noninteracti %" or Process.CommandLine like r"% -noninteractiv %" or Process.CommandLine like r"% -ec %" or Process.CommandLine like r"% -encodedComman %" or Process.CommandLine like r"% -encodedComma %" or Process.CommandLine like r"% -encodedComm %" or Process.CommandLine like r"% -encodedCom %" or Process.CommandLine like r"% -encodedCo %" or Process.CommandLine like r"% -encodedC %" or Process.CommandLine like r"% -encoded %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% -encod %" or Process.CommandLine like r"% -enco %" or Process.CommandLine like r"% -en %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
# schtasks.exe spawned by powershell.exe with /Create, /SC, /TN, /TR, the default task
# name fragment "Updater" and a powershell action. Note that "Updater" is also one of
# the alternatives in the OR group (ONLOGON/DAILY/ONIDLE/Updater); because "Updater"
# is already required by the AND part, that OR group is always satisfied and imposes
# no additional constraint on the schedule type. This mirrors the upstream Sigma rule.
RuleName = Default PowerSploit and Empire Schtasks Persistence
EventType = Process.Start
Tag = proc-start-default-powersploit-and-empire-schtasks-persistence
RiskScore = 75
Query = (Parent.Path like r"%\\powershell.exe" and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%/SC%" and (Process.CommandLine like r"%ONLOGON%" or Process.CommandLine like r"%DAILY%" or Process.CommandLine like r"%ONIDLE%" or Process.CommandLine like r"%Updater%") and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%Updater%" and Process.CommandLine like r"%/TR%" and Process.CommandLine like r"%powershell%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
# The exported function MiniDump (ordinal #24) writes a full memory dump of the given
# PID, which is commonly abused to dump LSASS. Matches the ordinal form, the named
# form with a comma separator and the named form with a space separator. No image
# constraint is applied, so the rundll32 host is not required to be in the path.
RuleName = Process Dump via Rundll32 and Comsvcs.dll
EventType = Process.Start
Tag = proc-start-process-dump-via-rundll32-and-comsvcs.dll
RiskScore = 75
Query = (Process.CommandLine like r"%comsvcs.dll,#24%" or Process.CommandLine like r"%comsvcs.dll,MiniDump%" or Process.CommandLine like r"%comsvcs.dll MiniDump%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects RDP session hijacking by using MSTSC shadowing
# Matches any command line that carries both "noconsentprompt" (connect without the
# target user's approval) and "shadow:" (the session id to attach to). No image
# constraint is applied, so the match is purely on the arguments.
RuleName = MSTSC Shadowing
EventType = Process.Start
Tag = proc-start-mstsc-shadowing
RiskScore = 75
Query = (Process.CommandLine like r"%noconsentprompt%" and Process.CommandLine like r"%shadow:%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects actions caused by the RedMimicry Winnti playbook
# rundll32.exe or cmd.exe whose command line references one of the playbook's
# artifacts (gthread-3.6.dll, sigcmm-2.4.dll or \Windows\Temp\tmp.bat).
# The path patterns use "%rundll32.exe%" / "%cmd.exe%" with a trailing wildcard,
# so they also match images whose directory name merely contains those strings.
RuleName = RedMimicry Winnti Playbook Execute
EventType = Process.Start
Tag = proc-start-redmimicry-winnti-playbook-execute
RiskScore = 75
Query = ((Process.Path like r"%rundll32.exe%" or Process.Path like r"%cmd.exe%") and (Process.CommandLine like r"%gthread-3.6.dll%" or Process.CommandLine like r"%\\Windows\\Temp\\tmp.bat%" or Process.CommandLine like r"%sigcmm-2.4.dll%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the export of a critical Registry key to a file.
# regedit.exe with " /E " (export) and an HKLM target whose path ends in \system,
# \sam or \security - the hives needed to recover local credentials offline.
# The underscores in hkey_local_machine are escaped as "\_" because "_" is a
# single-character wildcard for the like operator.
# Note: the hive path must be the final token (patterns end with the hive name);
# equivalent exports via reg.exe save are not covered by this rule.
RuleName = Exports Critical Registry Keys To a File
EventType = Process.Start
Tag = proc-start-exports-critical-registry-keys-to-a-file
RiskScore = 75
Query = (Process.Path like r"%\\regedit.exe" and Process.CommandLine like r"% /E %" and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
# Logic: Process.Name is one of the well-known LOLBin names, but Process.Path does NOT
# end in that file name, i.e. the binary was renamed on disk.
# NOTE(review): this only works if Process.Name carries the PE version-resource
# OriginalFileName (as the description implies). If Process.Name is simply the on-disk
# file name, every hit of the first clause is removed by the "not" clause and the rule
# can never fire - confirm against the uberAgent field reference.
# The two lists are not symmetric (Name has "psexec.c", Path has "psexec64.exe"); this
# is inherited from the upstream Sigma rule.
RuleName = Highly Relevant Renamed Binary
EventType = Process.Start
Tag = proc-start-highly-relevant-renamed-binary
RiskScore = 75
Query = ((Process.Name like r"powershell.exe" or Process.Name like r"powershell\_ise.exe" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"mshta.exe" or Process.Name like r"regsvr32.exe" or Process.Name like r"wmic.exe" or Process.Name like r"certutil.exe" or Process.Name like r"rundll32.exe" or Process.Name like r"cmstp.exe" or Process.Name like r"msiexec.exe") and not ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
# This is an exact (==) comparison of the whole command line, so only a bare
# "rundll32.exe" matches; a quoted image, a full path ("C:\Windows\System32\rundll32.exe")
# or the form without ".exe" does not.
RuleName = Rundll32 Without Parameters
EventType = Process.Start
Tag = proc-start-rundll32-without-parameters
RiskScore = 75
Query = Process.CommandLine == "rundll32.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects PowerShell script execution from Alternate Data Stream (ADS)
# powershell.exe started by powershell.exe with a command line containing both
# "Get-Content" and "-Stream", i.e. the script body is read out of an NTFS
# alternate data stream and executed.
RuleName = Run PowerShell Script from ADS
EventType = Process.Start
Tag = proc-start-run-powershell-script-from-ads
RiskScore = 75
Query = (Parent.Path like r"%\\powershell.exe" and Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Get-Content%" and Process.CommandLine like r"%-Stream%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
# sdbinst.exe with an .sdb file on the command line; the IIS Express shim
# (iisexpressshim.sdb) is excluded as a known legitimate installation.
RuleName = Possible Shim Database Persistence via sdbinst.exe
EventType = Process.Start
Tag = proc-start-possible-shim-database-persistence-via-sdbinst.exe
RiskScore = 75
Query = (((Process.Path like r"%\\sdbinst.exe") and (Process.CommandLine like r"%.sdb%")) and not ((Process.CommandLine like r"%iisexpressshim.sdb%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Atbroker executing non-default Assistive Technology applications
# AtBroker.exe with "start" in the command line, excluding the names of the built-in
# accessibility features. Any other AT name (an attacker-registered one) is reported.
# The exclusions are plain substring matches (e.g. "%osk%"), so a malicious AT whose
# name happens to contain one of these words would be suppressed.
RuleName = Suspicious Atbroker Execution
EventType = Process.Start
Tag = proc-start-suspicious-atbroker-execution
RiskScore = 75
Query = ((Process.Path like r"%AtBroker.exe" and Process.CommandLine like r"%start%") and not ((Process.CommandLine like r"%animations%" or Process.CommandLine like r"%audiodescription%" or Process.CommandLine like r"%caretbrowsing%" or Process.CommandLine like r"%caretwidth%" or Process.CommandLine like r"%colorfiltering%" or Process.CommandLine like r"%cursorscheme%" or Process.CommandLine like r"%filterkeys%" or Process.CommandLine like r"%focusborderheight%" or Process.CommandLine like r"%focusborderwidth%" or Process.CommandLine like r"%highcontrast%" or Process.CommandLine like r"%keyboardcues%" or Process.CommandLine like r"%keyboardpref%" or Process.CommandLine like r"%magnifierpane%" or Process.CommandLine like r"%messageduration%" or Process.CommandLine like r"%minimumhitradius%" or Process.CommandLine like r"%mousekeys%" or Process.CommandLine like r"%Narrator%" or Process.CommandLine like r"%osk%" or Process.CommandLine like r"%overlappedcontent%" or Process.CommandLine like r"%showsounds%" or Process.CommandLine like r"%soundsentry%" or Process.CommandLine like r"%stickykeys%" or Process.CommandLine like r"%togglekeys%" or Process.CommandLine like r"%windowarranging%" or Process.CommandLine like r"%windowtracking%" or Process.CommandLine like r"%windowtrackingtimeout%" or Process.CommandLine like r"%windowtrackingzorder%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
# Two cases: (1) "\calc.exe " followed by a space, i.e. calc started with arguments;
# (2) an image named calc.exe outside \Windows\Sys* (System32 / SysWOW64).
RuleName = Suspicious Calculator Usage
EventType = Process.Start
Tag = proc-start-suspicious-calculator-usage
RiskScore = 75
Query = (Process.CommandLine like r"%\\calc.exe %" or (Process.Path like r"%\\calc.exe" and not (Process.Path like r"%\\Windows\\Sys%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
# First group: the verbs -decode/-decodehex/-urlcache/-verifyctl/-encode (and their
# "/" forms) as whole tokens in ANY process command line - no image constraint.
# Second group: certutil.exe itself with "URL" or "ping" anywhere in its arguments.
RuleName = Suspicious Certutil Command
EventType = Process.Start
Tag = proc-start-suspicious-certutil-command
RiskScore = 75
Query = ((Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -decodehex %" or Process.CommandLine like r"% -urlcache %" or Process.CommandLine like r"% -verifyctl %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% /decode %" or Process.CommandLine like r"% /decodehex %" or Process.CommandLine like r"% /urlcache %" or Process.CommandLine like r"% /verifyctl %" or Process.CommandLine like r"% /encode %") or (Process.Path like r"%\\certutil.exe" and (Process.CommandLine like r"%URL%" or Process.CommandLine like r"%ping%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious command line arguments of common data compression tools
# 7z*.exe, *rar.exe or a "Command Line RAR" binary used with a password (-p, -hp),
# timestamp manipulation (-ta, -tb), delete-after-archiving (-sdel) or -dw.
# The exclusion drops anything whose parent starts with "C:\Program", which covers
# C:\Program Files and C:\Program Files (x86) but ALSO C:\ProgramData - a location
# parts of which are writable by standard users. NOTE(review): consider narrowing the
# exclusion to "C:\\Program Files%" if the extra alerts are acceptable.
RuleName = Suspicious Compression Tool Parameters
EventType = Process.Start
Tag = proc-start-suspicious-compression-tool-parameters
RiskScore = 75
Query = (((Process.Name like r"7z%.exe" or Process.Name like r"%rar.exe" or Process.Name like r"%Command%Line%RAR%") and (Process.CommandLine like r"% -p%" or Process.CommandLine like r"% -ta%" or Process.CommandLine like r"% -tb%" or Process.CommandLine like r"% -sdel%" or Process.CommandLine like r"% -dw%" or Process.CommandLine like r"% -hp%")) and not (Parent.Path like r"C:\\Program%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

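[ActivityMonitoringRule]
# Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
# rundll32.exe whose parent is \System32\control.exe, unless the loaded DLL is
# Shell32.dll (the normal Control Panel applet host).
# Fixed: the generated image pattern was "%\\rundll32.exe " with a trailing space inside
# the quotes. Process.Path ends with the file name, never with a space, so the rule
# could not fire at all. The trailing space has been removed.
RuleName = Suspicious Control Panel DLL Load
EventType = Process.Start
Tag = proc-start-suspicious-control-panel-dll-load
RiskScore = 75
Query = ((Parent.Path like r"%\\System32\\control.exe" and Process.Path like r"%\\rundll32.exe") and not (Process.CommandLine like r"%Shell32.dll%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP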

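[ActivityMonitoringRule]
# Detects a suspicious copy command to or from an Admin share
# robocopy/xcopy, cmd.exe with "copy", or PowerShell with copy-item/copy/cpi/cp, where
# the command line contains a UNC prefix ("\\") and a "$" (hidden/admin share, e.g.
# \\host\c$ or \\host\admin$).
# Fixed: the generated UNC clause was "%\\\\\*", i.e. it ended in "\*" with no trailing
# "%". Backslash is the escape character for this like operator (this file escapes
# "_" as "\_"), so "\*" is a literal asterisk and the clause could only match command
# lines that literally contain "\\*". It now uses "%" so any "\\" matches.
RuleName = Copy from Admin Share
EventType = Process.Start
Tag = proc-start-copy-from-admin-share
RiskScore = 75
Query = ((((Process.Path like r"%\\robocopy.exe" or Process.Path like r"%\\xcopy.exe") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%copy%")) or (Process.Path like r"%\\powershell%" and (Process.CommandLine like r"%copy-item%" or Process.CommandLine like r"%copy%" or Process.CommandLine like r"%cpi %" or Process.CommandLine like r"% cp %"))) and (Process.CommandLine like r"%\\\\%" and Process.CommandLine like r"%$%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP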

[ActivityMonitoringRule]
# Detects suspicious command lines used in Covenant launchers
# Either the default launcher switch combination (-Sta -Nop -Window Hidden plus
# -Command or -EncodedCommand) or one of the static strings emitted by the launcher
# stager (the "sv o (New-Object IO.MemorySteam);sv d " prefix, "mshta file.hta",
# "GruntHTTP", or the base64 prefix "cwB2ACAAbwAgA" of "sv o ").
# NOTE: "MemorySteam" is spelled that way on purpose - it reproduces the text the
# launcher itself emits, as inherited from the upstream Sigma rule. Do not "correct"
# it to MemoryStream without checking the upstream rule.
RuleName = Covenant Launcher Indicators
EventType = Process.Start
Tag = proc-start-covenant-launcher-indicators
RiskScore = 75
Query = ((Process.CommandLine like r"%-Sta%" and Process.CommandLine like r"%-Nop%" and Process.CommandLine like r"%-Window%" and Process.CommandLine like r"%Hidden%" and (Process.CommandLine like r"%-Command%" or Process.CommandLine like r"%-EncodedCommand%")) or (Process.CommandLine like r"%sv o (New-Object IO.MemorySteam);sv d %" or Process.CommandLine like r"%mshta file.hta%" or Process.CommandLine like r"%GruntHTTP%" or Process.CommandLine like r"%-EncodedCommand cwB2ACAAbwAgA%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect various execution methods of the CrackMapExec pentesting framework
# Matches the cmd.exe wrapper CrackMapExec uses to capture output (stdout redirected
# to a UNC path or %TEMP% with "2>&1") combined with its fixed PowerShell switch
# string ("-exec bypass -noni -nop -w 1 -C" or "-noni -nop -w 1 -enc").
# The first pattern contains \" inside the r"..." literal; this presumes the query
# parser accepts an escaped double quote in a raw string - confirm.
RuleName = CrackMapExec Command Execution
EventType = Process.Start
Tag = proc-start-crackmapexec-command-execution
RiskScore = 75
Query = ((Process.CommandLine like r"%cmd.exe /Q /c % 1> \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > \\%\\%\\% 2>&1" or Process.CommandLine like r"%cmd.exe /C % > %\\Temp\\% 2>&1") and (Process.CommandLine like r"%powershell.exe -exec bypass -noni -nop -w 1 -C \"%" or Process.CommandLine like r"%powershell.exe -noni -nop -w 1 -enc %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
# Command lines mentioning powershell.exe that also contain one of the fixed
# obfuscation fragments (character-index tricks on $ShellId, $PSHome, $env:Public,
# $env:ComSpec used to rebuild "iex"). "%join%split%" is a broad substring pair and is
# the most likely source of false positives in this list.
RuleName = CrackMapExec PowerShell Obfuscation
EventType = Process.Start
Tag = proc-start-crackmapexec-powershell-obfuscation
RiskScore = 75
Query = (Process.CommandLine like r"%powershell.exe%" and (Process.CommandLine like r"%join%split%" or Process.CommandLine like r"%( $ShellId[1]+$ShellId[13]+'x')%" or Process.CommandLine like r"%( $PSHome[%]+$PSHOME[%]+%" or Process.CommandLine like r"%( $env:Public[13]+$env:Public[5]+'x')%" or Process.CommandLine like r"%( $env:ComSpec[4,%,25]-Join'')%" or Process.CommandLine like r"%[1,3]+'x'-Join'')%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
# The C# compiler started by a script host (wscript.exe, cscript.exe) or mshta.exe,
# i.e. a script compiling code at runtime.
RuleName = Suspicious Parent of Csc.exe
EventType = Process.Start
Tag = proc-start-suspicious-parent-of-csc.exe
RiskScore = 75
Query = (Process.Path like r"%\\csc.exe" and (Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
# csc.exe with \AppData\ or \Windows\Temp\ in its arguments. Excluded: parents under
# C:\Program Files*, sdiagnhost.exe and w3wp.exe (legitimate runtime compilation),
# and parents whose own command line points at the Defender ATP ProgramData folder.
RuleName = Suspicious Csc.exe Source File Folder
EventType = Process.Start
Tag = proc-start-suspicious-csc.exe-source-file-folder
RiskScore = 75
Query = ((Process.Path like r"%\\csc.exe" and (Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%")) and not (Parent.Path like r"C:\\Program Files%" or (Parent.Path like r"%\\sdiagnhost.exe" or Parent.Path like r"%\\w3wp.exe") or (Parent.CommandLine like r"%\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process injection using ZOHO's dctask64.exe
# Any dctask64.exe start whose command line does not reference the Desktop Central
# agent directory (DesktopCentral_Agent\agent) - the only expected legitimate caller.
# The underscore is escaped as "\_" because "_" is a like wildcard.
RuleName = ZOHO Dctask64 Process Injection
EventType = Process.Start
Tag = proc-start-zoho-dctask64-process-injection
RiskScore = 75
Query = ((Process.Path like r"%\\dctask64.exe") and not ((Process.CommandLine like r"%DesktopCentral\_Agent\\agent%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
# Case 1: " /lockscreenurl:" whose target is not an image (.jpg/.jpeg/.png), i.e. the
# lock-screen downloader is being used to fetch an arbitrary file.
# Case 2: "reg delete" on the \PersonalizationCSP key, which removes the trace the
# download leaves behind. Neither case is tied to a specific image path.
RuleName = Suspicious Desktopimgdownldr Command
EventType = Process.Start
Tag = proc-start-suspicious-desktopimgdownldr-command
RiskScore = 75
Query = ((Process.CommandLine like r"% /lockscreenurl:%" and not ((Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.png%"))) or (Process.CommandLine like r"%reg delete%" and Process.CommandLine like r"%\\PersonalizationCSP%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command that is used to disable Windows eventlog
# Matches only the exact phrase "logman stop EventLog-System" in a command line;
# other logman verbs (e.g. update/delete) and other ETW sessions are not covered.
RuleName = Disable Windows Eventlog
EventType = Process.Start
Tag = proc-start-disable-windows-eventlog
RiskScore = 75
Query = Process.CommandLine like r"%logman stop EventLog-System%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
# Looks for the PowerShell-style "-name <value> ... -value <n>" argument pairs that
# turn off IEHarden (=0), enable DEPOff (=1) or set DisableFirstRunCustomize (=2).
# Both tokens are space-delimited, so they only match as whole arguments.
RuleName = Disabled IE Security Features
EventType = Process.Start
Tag = proc-start-disabled-ie-security-features
RiskScore = 75
Query = ((Process.CommandLine like r"% -name IEHarden %" and Process.CommandLine like r"% -value 0 %") or (Process.CommandLine like r"% -name DEPOff %" and Process.CommandLine like r"% -value 1 %") or (Process.CommandLine like r"% -name DisableFirstRunCustomize %" and Process.CommandLine like r"% -value 2 %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
# Three removal steps: killing RaccineSettings.exe via taskkill, deleting the
# "Raccine Tray" autostart value via reg.exe, and deleting the "Raccine Rules Updater"
# scheduled task via schtasks.
RuleName = Raccine Uninstall
EventType = Process.Start
Tag = proc-start-raccine-uninstall
RiskScore = 75
Query = ((Process.CommandLine like r"%taskkill %" and Process.CommandLine like r"%/IM RaccineSettings.exe%") or (Process.CommandLine like r"%reg.exe%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%Raccine Tray%") or (Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%/DELETE%" and Process.CommandLine like r"%Raccine Rules Updater%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using Diskshadow.exe to execute arbitrary code in text file
# diskshadow.exe with a "/s" or "-s" (script file) argument. The patterns are bare
# substrings, so "-s" also matches any longer "-s..." switch and any path containing
# "/s"; precision comes from the image constraint rather than the argument match.
RuleName = Execution via Diskshadow.exe
EventType = Process.Start
Tag = proc-start-execution-via-diskshadow.exe
RiskScore = 75
Query = (Process.Path like r"%\\diskshadow.exe" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%-s%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
# ditsnap.exe either as the started image or referenced anywhere in a command line
# (ntds.dit snapshot viewer, used to read Active Directory data offline).
RuleName = DIT Snapshot Viewer Use
EventType = Process.Start
Tag = proc-start-dit-snapshot-viewer-use
RiskScore = 75
Query = ((Process.Path like r"%\\ditsnap.exe") or (Process.CommandLine like r"%ditsnap.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects clearing or configuration of event logs using wevtutil, powershell and wmic. Might be used by ransomware during the attack (seen by NotPetya and others)
# powershell.exe: Clear-EventLog / Remove-EventLog / Limit-EventLog cmdlets.
# wmic.exe: the " ClearEventLog " method call.
# wevtutil.exe: clear-log / cl and set-log / sl (the short verbs are space-delimited
# so that they only match as whole tokens).
RuleName = Suspicious Eventlog Clear or Configuration Using Wevtutil
EventType = Process.Start
Tag = proc-start-suspicious-eventlog-clear-or-configuration-using-wevtutil
RiskScore = 75
Query = (((Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%Clear-EventLog%" or Process.CommandLine like r"%Remove-EventLog%" or Process.CommandLine like r"%Limit-EventLog%")) or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"% ClearEventLog %")) or (Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log%" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log%" or Process.CommandLine like r"% sl %")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious execution from an uncommon folder
# Image path contains one of a fixed set of directories that legitimately hold no
# executables but are writable or overlooked (Recycle Bin, service profiles, Users\Public,
# Windows\Tasks, Fonts, Help, ...), or starts with C:\Perflogs\.
# The Perflogs pattern is anchored to drive C:; a Windows installation on another
# drive letter is not covered by that last alternative.
RuleName = Execution from Suspicious Folder
EventType = Process.Start
Tag = proc-start-execution-from-suspicious-folder
RiskScore = 75
Query = ((Process.Path like r"%\\$Recycle.bin\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Intel\\Logs\\%" or Process.Path like r"%\\RSA\\MachineKeys\\%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\NetworkService\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\Windows\\addins\\%" or Process.Path like r"%\\Windows\\debug\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\Help\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\Media\\%" or Process.Path like r"%\\Windows\\repair\\%" or Process.Path like r"%\\Windows\\security\\%" or Process.Path like r"%\\Windows\\system32\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%" or Process.Path like r"%\\Windows\\Tasks\\%") or Process.Path like r"C:\\Perflogs\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
# Any start of an image named finger.exe, regardless of arguments; the legacy finger
# client has been abused as a downloader. Expect alerts if it is used legitimately.
RuleName = Finger.exe Suspicious Invocation
EventType = Process.Start
Tag = proc-start-finger.exe-suspicious-invocation
RiskScore = 75
Query = Process.Path like r"%\\finger.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
# fsutil.exe (matched on the image path or on an exact Process.Name) with the USN
# journal verbs deletejournal or createjournal in its arguments.
# The Process.Name comparison uses == and is therefore only as case-insensitive as
# the == operator itself - confirm if mixed-case names are expected.
RuleName = Fsutil Suspicious Invocation
EventType = Process.Start
Tag = proc-start-fsutil-suspicious-invocation
RiskScore = 75
Query = ((Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and (Process.CommandLine like r"%deletejournal%" or Process.CommandLine like r"%createjournal%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
# GUP.exe started from anywhere other than the four known Notepad++ updater
# locations (per-user Local/Roaming AppData and both Program Files trees).
RuleName = Suspicious GUP Usage
EventType = Process.Start
Tag = proc-start-suspicious-gup-usage
RiskScore = 75
Query = (Process.Path like r"%\\GUP.exe" and not ((Process.Path like r"%\\Users\\%\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Users\\%\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files (x86)\\Notepad++\\updater\\GUP.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts in an uncommon directory
# msiexec.exe started from anywhere other than C:\Windows\System32, C:\Windows\SysWOW64
# or C:\Windows\WinSxS. The exclusions are anchored to drive C:, so a Windows
# installation on another drive would be reported by this rule.
RuleName = Suspicious MsiExec Directory
EventType = Process.Start
Tag = proc-start-suspicious-msiexec-directory
RiskScore = 75
Query = (Process.Path like r"%\\msiexec.exe" and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Downloads payload from remote server
# PowerPoint, Word or Excel started with "http" somewhere in the command line, i.e.
# an Office binary passed a URL to open (used to fetch a payload).
RuleName = Malicious Payload Download via Office Binaries
EventType = Process.Start
Tag = proc-start-malicious-payload-download-via-office-binaries
RiskScore = 75
Query = ((Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe") and Process.CommandLine like r"%http%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects persistence via netsh helper
# netsh.exe with both "add" and "helper" in its arguments ("netsh add helper <dll>"
# registers a DLL that is loaded every time netsh runs).
RuleName = Suspicious Netsh DLL Persistence
EventType = Process.Start
Tag = proc-start-suspicious-netsh-dll-persistence
RiskScore = 75
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%helper%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available
# Either " tcp 3389" (exposing RDP) or the "start --all --config <file>.yml" form.
# The rule keys on arguments only; a renamed ngrok binary is still caught, but so is
# any other tool using the same argument shapes.
RuleName = Ngrok Usage
EventType = Process.Start
Tag = proc-start-ngrok-usage
RiskScore = 75
Query = ((Process.CommandLine like r"% tcp 3389%") or (Process.CommandLine like r"% start %" and Process.CommandLine like r"%--all%" and Process.CommandLine like r"%--config%" and Process.CommandLine like r"%.yml%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The OpenWith.exe executes other binary
# OpenWith.exe with "/c" in its arguments (the switch that makes it launch the given
# program). "/c" is an unanchored substring, so any path containing "/c" also matches.
RuleName = OpenWith.exe Executes Specified Binary
EventType = Process.Start
Tag = proc-start-openwith.exe-executes-specified-binary
RiskScore = 75
Query = (Process.Path like r"%\\OpenWith.exe" and Process.CommandLine like r"%/c%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

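[ActivityMonitoringRule]
# Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
# Case 1: "EnableUnsafeClientMailRules" anywhere in a command line (re-enabling the
# run-program/run-script rule actions).
# Case 2: a child of outlook.exe whose command line contains a UNC prefix ("\\") and
# ".exe", i.e. an executable launched from a network share.
# Fixed: the generated UNC clauses were "%\\\\\*" and "%\\\*", both ending in "\*"
# without a trailing "%". Backslash is the escape character for this like operator
# (this file escapes "_" as "\_"), so "\*" is a literal asterisk and those clauses
# could only match command lines literally containing "\\*". They are replaced by a
# single "%\\\\%" clause; a separate single-backslash clause is implied by it.
RuleName = Suspicious Execution from Outlook
EventType = Process.Start
Tag = proc-start-suspicious-execution-from-outlook
RiskScore = 75
Query = (Process.CommandLine like r"%EnableUnsafeClientMailRules%" or (Parent.Path like r"%\\outlook.exe" and Process.CommandLine like r"%\\\\%" and Process.CommandLine like r"%.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP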

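[ActivityMonitoringRule]
# Detects a suspicious program execution in Outlook temp folder
# Image path contains "\Temporary Internet Files\Content.Outlook\" (where Outlook
# extracts opened attachments), followed by anything.
# Fixed: the generated pattern ended in "Content.Outlook\\\*", i.e. a literal
# backslash followed by "\*". Backslash is the escape character for this like
# operator (this file escapes "_" as "\_"), so "\*" is a literal asterisk and the rule
# could only match a path ending in "Content.Outlook\*". The trailing "\*" is now "%".
RuleName = Execution in Outlook Temp Folder
EventType = Process.Start
Tag = proc-start-execution-in-outlook-temp-folder
RiskScore = 75
Query = Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP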

[ActivityMonitoringRule]
# Detects a ping command that uses a hex encoded IP address
# ping.exe with "0x" anywhere in its arguments (ping accepts hex-encoded addresses,
# which are used to evade IP-based string matching).
RuleName = Ping Hex IP
EventType = Process.Start
Tag = proc-start-ping-hex-ip
RiskScore = 75
Query = (Process.Path like r"%\\ping.exe" and Process.CommandLine like r"%0x%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious encoded character syntax often used for defense evasion
# Any command line containing "(WCHAR)0x" - the cast syntax used to assemble strings
# from hex character codes. Not restricted to a particular image.
RuleName = PowerShell Encoded Character Syntax
EventType = Process.Start
Tag = proc-start-powershell-encoded-character-syntax
RiskScore = 75
Query = Process.CommandLine like r"%(WCHAR)0x%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
# Three cases: (1) " -e..." plus a " JAB" base64 prefix ("$" in UTF-16LE) together with
# " -w..." and " hidden "; (2) " -e..." plus one of the base64 prefixes for common
# keywords such as IEX/iex, a leading space, "S"/"s"; (3) any ".exe -ENCOD " form.
# Excluded: command lines that set "-ExecutionPolicy ... remotesigned " (typical of
# legitimate signed-script launchers). Not restricted to a particular image.
RuleName = Suspicious Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-suspicious-encoded-powershell-command-line
RiskScore = 75
Query = (((Process.CommandLine like r"% -e%" and Process.CommandLine like r"% JAB%" and Process.CommandLine like r"% -w%" and Process.CommandLine like r"% hidden %") or (Process.CommandLine like r"% -e%" and (Process.CommandLine like r"% BA^J%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aQBlAHgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% IAA%" or Process.CommandLine like r"% IAB%" or Process.CommandLine like r"% UwB%" or Process.CommandLine like r"% cwB%")) or (Process.CommandLine like r"%.exe -ENCOD %")) and not (Process.CommandLine like r"% -ExecutionPolicy%" and Process.CommandLine like r"%remotesigned %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
# Substring match on the command line only ("Get-Process lsass"); there is no Process.Path
# constraint. Whether "like" compares case-insensitively is not stated in this file —
# TODO confirm against the uberAgent documentation.
RuleName = PowerShell Get-Process LSASS
EventType = Process.Start
Tag = proc-start-powershell-get-process-lsass
RiskScore = 75
Query = (Process.CommandLine like r"%Get-Process lsass%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects base64 encoded strings used in hidden malicious PowerShell command lines
# Requires powershell.exe, a " hidden " token and at least one fragment from the list.
# The fragments appear to be base64 spellings of the same few keywords at different
# encodings/alignment offsets, which is why each keyword shows up several times.
# NOTE(review): the Query value is shown split across two lines in this listing. If that
# newline exists in the shipped file rather than being a rendering artifact, the second
# half would not be part of the value — confirm the Query is a single line on disk.
RuleName = Malicious Base64 Encoded PowerShell Keywords in Command Lines
EventType = Process.Start
Tag = proc-start-malicious-base64-encoded-powershell-keywords-in-command-lines
RiskScore = 75
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"% hidden %" and (Process.CommandLine like r"%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%" or Process.CommandLine like r"%aXRzYWRtaW4gL3RyYW5zZmVy%" or Process.CommandLine like r"%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%" or Process.CommandLine like r"%JpdHNhZG1pbiAvdHJhbnNmZX%" or Process.CommandLine like r"%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%" or Process.CommandLine like r"%Yml0c2FkbWluIC90cmFuc2Zlc%" or Process.CommandLine like r"%AGMAaAB1AG4AawBfAHMAaQB6AGUA%" or Process.CommandLine like r"%JABjAGgAdQBuAGsAXwBzAGkAegBlA%" or Process.CommandLine like r"%JGNodW5rX3Npem%" or Process.CommandLine like r"%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%" or Process.CommandLine like r"%RjaHVua19zaXpl%" or Process.CommandLine like r"%Y2h1bmtfc2l6Z%" or Process.CommandLine like r"%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%" or Process.CommandLine like r"%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%" or Process.CommandLine like r"%lPLkNvbXByZXNzaW9u%" or Process.CommandLine like r"%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%" or Process.CommandLine like r"%SU8uQ29tcHJlc3Npb2%" or Process.CommandLine like r"%Ty5Db21wcmVzc2lvb%" or Process.CommandLine like r"%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%" or Process.CommandLine like r"%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%" or Process.CommandLine like r"%lPLk1lbW9yeVN0cmVhb%" or Process.CommandLine like r"%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%" or Process.CommandLine like r"%SU8uTWVtb3J5U3RyZWFt%" or Process.CommandLine like r"%Ty5NZW1vcnlTdHJlYW%" or Process.CommandLine like r"%4ARwBlAHQAQwBoAHUAbgBrA%" or Process.CommandLine like r"%5HZXRDaHVua%" or Process.CommandLine like r"%AEcAZQB0AEMAaAB1AG4Aaw%" or Process.CommandLine like r"%LgBHAGUAdABDAGgAdQBuAGsA%" or Process.CommandLine like r"%LkdldENodW5r%" or Process.CommandLine like r"%R2V0Q2h1bm%" or Process.CommandLine like r"%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%" or Process.CommandLine like 
r"%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%" or Process.CommandLine like r"%RIUkVBRF9JTkZPNj%" or Process.CommandLine like r"%SFJFQURfSU5GTzY0%" or Process.CommandLine like r"%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%" or Process.CommandLine like r"%VEhSRUFEX0lORk82N%" or Process.CommandLine like r"%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%" or Process.CommandLine like r"%cmVhdGVSZW1vdGVUaHJlYW%" or Process.CommandLine like r"%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%" or Process.CommandLine like r"%NyZWF0ZVJlbW90ZVRocmVhZ%" or Process.CommandLine like r"%Q3JlYXRlUmVtb3RlVGhyZWFk%" or Process.CommandLine like r"%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%" or Process.CommandLine like r"%0AZQBtAG0AbwB2AGUA%" or Process.CommandLine like r"%1lbW1vdm%" or Process.CommandLine like r"%AGUAbQBtAG8AdgBlA%" or Process.CommandLine like r"%bQBlAG0AbQBvAHYAZQ%" or Process.CommandLine like r"%bWVtbW92Z%" or Process.CommandLine like r"%ZW1tb3Zl%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
# All three substrings must occur in the same command line; "%powershell%" is a substring
# match on the command line, not a Process.Path check, so the host process can be anything.
RuleName = PowerShell DownloadFile
EventType = Process.Start
Tag = proc-start-powershell-downloadfile
RiskScore = 75
Query = (Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%.DownloadFile%" and Process.CommandLine like r"%System.Net.WebClient%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects various anomalies in relation to regsvr32.exe
# Six OR-ed cases: regsvr32 with a \Temp\ path in its command line; regsvr32 spawned by
# powershell.exe or cmd.exe; regsvr32 "/i:" with an http/ftp URL and scrobj.dll; wscript.exe
# spawned by regsvr32; and EXCEL.EXE invoking regsvr32 via a ..\..\..\Windows\System32 path.
# Path patterns begin with "%", so any path ending in the listed file name matches.
RuleName = Regsvr32 Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%\\Temp\\%") or (Process.Path like r"%\\regsvr32.exe" and Parent.Path like r"%\\powershell.exe") or (Process.Path like r"%\\regsvr32.exe" and Parent.Path like r"%\\cmd.exe") or (Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%/i:%" and (Process.CommandLine like r"%http%" or Process.CommandLine like r"%ftp%") and Process.CommandLine like r"%scrobj.dll") or (Process.Path like r"%\\wscript.exe" and Parent.Path like r"%\\regsvr32.exe") or (Process.Path like r"%\\EXCEL.EXE" and Process.CommandLine like r"%..\\..\\..\\Windows\\System32\\regsvr32.exe %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
# The exclusion pattern "% /n %" needs a space on both sides, so a "/n" that is the last
# argument (no trailing space) is not recognised and the rule still fires — a likely source
# of false positives on otherwise benign "/i: ... /n" invocations.
RuleName = Regsvr32 Flags Anomaly
EventType = Process.Start
Tag = proc-start-regsvr32-flags-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"% /i:%") and not (Process.CommandLine like r"% /n %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
# Matches on the import hash and then excludes the expected file name. Presumably this
# only works when Process.Hash.IMP is collected for the event. An import hash describes the
# imported-function set, so other builds from the same sources could share it — treat hits
# as triage candidates rather than certain matches.
RuleName = Renamed ZOHO Dctask64
EventType = Process.Start
Tag = proc-start-renamed-zoho-dctask64
RiskScore = 75
Query = (Process.Hash.IMP == "6834B1B94E49701D77CCB3C0895E1AFD" and not (Process.Path like r"%\\dctask64.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
# Both the "\rundll32.exe" and the ",#" (ordinal) substrings are taken from the command
# line, not from Process.Path. The exclusion drops only the EDGEHTML.dll,#141 invocation.
RuleName = Suspicious Call by Ordinal
EventType = Process.Start
Tag = proc-start-suspicious-call-by-ordinal
RiskScore = 75
Query = ((Process.CommandLine like r"%\\rundll32.exe%" and Process.CommandLine like r"%,#%") and not (Process.CommandLine like r"%EDGEHTML.dll%" and Process.CommandLine like r"%#141%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
# All four keywords (rundll32.exe, Execute, RegRead, window.close) must appear in one
# command line; there is no Process.Path constraint.
RuleName = Suspicious Rundll32 Invoking Inline VBScript
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-invoking-inline-vbscript
RiskScore = 75
Query = (Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
# Matches "rundll32.exe" plus a ".sys," or ".sys " argument anywhere in the command line.
RuleName = Suspicious Rundll32 Activity Invoking Sys File
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-activity-invoking-sys-file
RiskScore = 75
Query = (Process.CommandLine like r"%rundll32.exe%" and (Process.CommandLine like r"%.sys,%" or Process.CommandLine like r"%.sys %"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of scheduled tasks that involves a temporary folder and runs only once
# schtasks.exe with " /create ", " /sc once " and a \Temp\ path anywhere in the line; the
# space-delimited patterns require the switches to be separated exactly as written.
RuleName = Suspicious Scheduled Task Creation Involving Temp Folder
EventType = Process.Start
Tag = proc-start-suspicious-scheduled-task-creation-involving-temp-folder
RiskScore = 75
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and Process.CommandLine like r"% /sc once %" and Process.CommandLine like r"%\\Temp\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
# Command-line only: the URL-style parameters e=Access, y=Guest, p, c and k must all be
# present. No Process.Path constraint, so the client's file name does not matter.
RuleName = ScreenConnect Remote Access
EventType = Process.Start
Tag = proc-start-screenconnect-remote-access
RiskScore = 75
Query = (Process.CommandLine like r"%e=Access&%" and Process.CommandLine like r"%y=Guest&%" and Process.CommandLine like r"%&p=%" and Process.CommandLine like r"%&c=%" and Process.CommandLine like r"%&k=%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious DACL modifications that can be used to hide services or make them unstoppable
# sc.exe "sdset" whose SDDL argument contains a deny ACE prefix ("D;;") for one of the
# well-known SIDs IU, SU, BA, SY or WD.
RuleName = Suspicious Service DACL Modification
EventType = Process.Start
Tag = proc-start-suspicious-service-dacl-modification
RiskScore = 75
Query = ((Process.Path like r"%\\sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%D;;%" and (Process.CommandLine like r"%;;;IU%" or Process.CommandLine like r"%;;;SU%" or Process.CommandLine like r"%;;;BA%" or Process.CommandLine like r"%;;;SY%" or Process.CommandLine like r"%;;;WD%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a service binary running in a suspicious directory
# Fires when a process started by services.exe or svchost.exe runs from one of the listed
# unusual directories. "C:\\Perflogs\\" is anchored to drive C:, unlike the other patterns
# which match on any drive.
RuleName = Suspicious Service Binary Directory
EventType = Process.Start
Tag = proc-start-suspicious-service-binary-directory
RiskScore = 75
Query = ((Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\$Recycle.bin%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Contacts\\%" or Process.Path like r"%\\Users\\Searches\\%" or Process.Path like r"%C:\\Perflogs\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%") and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects service path modification to powershell/cmd
# sc.exe with "config" and "binpath" and either "powershell" or "cmd" anywhere in the
# command line; "%cmd%" also matches service names or paths that merely contain "cmd".
RuleName = Suspicious Service Path Modification
EventType = Process.Start
Tag = proc-start-suspicious-service-path-modification
RiskScore = 75
Query = (Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%binpath%" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Possible Squirrel Packages Manager as Lolbin
# update.exe with one of --processStart / --processStartAndWait / --createShortcut and an
# ".exe" argument. "%\\update.exe" matches any path ending in update.exe, not only Squirrel's.
RuleName = Squirrel Lolbin
EventType = Process.Start
Tag = proc-start-squirrel-lolbin
RiskScore = 75
Query = (Process.Path like r"%\\update.exe" and (Process.CommandLine like r"%--processStart%" or Process.CommandLine like r"%--processStartAndWait%" or Process.CommandLine like r"%--createShortcut%") and Process.CommandLine like r"%.exe%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious svchost process start
# svchost.exe whose parent is none of services.exe, MsMpEng.exe, Mrt.exe, rpcnet.exe or
# svchost.exe. Events with an empty Parent.Path (parent not resolved) are excluded as well,
# so those starts are not reported by this rule.
RuleName = Suspicious Svchost Process
EventType = Process.Start
Tag = proc-start-suspicious-svchost-process
RiskScore = 75
Query = ((Process.Path like r"%\\svchost.exe" and not ((Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\MsMpEng.exe" or Parent.Path like r"%\\Mrt.exe" or Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\svchost.exe"))) and not (Parent.Path == ''))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
# The Process.User pattern has no wildcard, so it behaves like an exact comparison with
# "NT AUTHORITY\SYSTEM". NOTE(review): on localized Windows editions the account name
# may be spelled differently — confirm what Process.User reports there.
RuleName = Taskmgr as LOCAL_SYSTEM
EventType = Process.Start
Tag = proc-start-taskmgr-as-local_system
RiskScore = 75
Query = (Process.User like r"NT AUTHORITY\\SYSTEM" and Process.Path like r"%\\taskmgr.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a tscon.exe start as LOCAL SYSTEM
# Exact Process.User comparison (no wildcard) with "NT AUTHORITY\SYSTEM" plus a tscon.exe
# path; same caveat about localized account names as for the other SYSTEM rules in this file.
RuleName = Suspicious TSCON Start
EventType = Process.Start
Tag = proc-start-suspicious-tscon-start
RiskScore = 75
Query = (Process.User like r"NT AUTHORITY\\SYSTEM" and Process.Path like r"%\\tscon.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious RDP session redirect using tscon.exe
# Command-line only (" /dest:rdp-tcp:"); there is no Process.Path constraint, so the
# invoking binary does not have to be tscon.exe.
RuleName = Suspicious RDP Redirect Using TSCON
EventType = Process.Start
Tag = proc-start-suspicious-rdp-redirect-using-tscon
RiskScore = 75
Query = Process.CommandLine like r"% /dest:rdp-tcp:%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of CSharp interactive console by PowerShell
# csi.exe started by powershell.exe. The "Process.Name == "csi.exe"" term is presumably
# redundant with the Process.Path pattern (both must hold), but it does not widen the match.
RuleName = Suspicious Use of CSharp Interactive Console
EventType = Process.Start
Tag = proc-start-suspicious-use-of-csharp-interactive-console
RiskScore = 75
Query = (Process.Path like r"%\\csi.exe" and Parent.Path like r"%\\powershell.exe" and Process.Name == "csi.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious inline VBScript keywords as used by UNC2452
# Requires all five keywords in one command line and excludes lines that reference the
# ...\Software\Microsoft\Windows\CurrentVersion\Run key.
# NOTE(review): RuleName and Tag say "UN2452" while the description says UNC2452. RuleName is
# a runtime value (the Tag appears to be derived from it), so correct it in the Sigma source
# and regenerate rather than editing here.
RuleName = Suspicious VBScript UN2452 Pattern
EventType = Process.Start
Tag = proc-start-suspicious-vbscript-un2452-pattern
RiskScore = 75
Query = ((Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%CreateObject%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%" and Process.CommandLine like r"%\\Microsoft\\Windows\\CurrentVersion%") and not ((Process.CommandLine like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects commands that temporarily turn off Volume Snapshots
# "reg", " add ", "\Services\VSS\Diag" and "/d Disabled" must all be present in the
# command line; no Process.Path constraint.
RuleName = Disabled Volume Snapshots
EventType = Process.Start
Tag = proc-start-disabled-volume-snapshots
RiskScore = 75
Query = (Process.CommandLine like r"%reg%" and Process.CommandLine like r"% add %" and Process.CommandLine like r"%\\Services\\VSS\\Diag%" and Process.CommandLine like r"%/d Disabled%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI executing rundll32
# Command-line only: "process call create" together with "rundll32" in the same line.
RuleName = Suspicious WMI Execution Using Rundll32
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution-using-rundll32
RiskScore = 75
Query = (Process.CommandLine like r"%process call create%" and Process.CommandLine like r"%rundll32%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects code execution via the Windows Update client (wuauclt)
# wuauclt.exe started with both the /UpdateDeploymentProvider and /RunHandlerComServer switches.
RuleName = Windows Update Client LOLBIN
EventType = Process.Start
Tag = proc-start-windows-update-client-lolbin
RiskScore = 75
Query = (Process.CommandLine like r"%/UpdateDeploymentProvider%" and Process.CommandLine like r"%/RunHandlerComServer%" and (Process.Path like r"%\\wuauclt.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
# auditpol.exe with "disable", "clear", "remove" or "restore" anywhere in the command line.
# "%restore%" and "%clear%" also match legitimate administration (e.g. restoring a policy
# from backup), so expect some benign hits.
RuleName = Suspicious Auditpol Usage
EventType = Process.Start
Tag = proc-start-suspicious-auditpol-usage
RiskScore = 75
Query = (Process.Path like r"%\\auditpol.exe" and (Process.CommandLine like r"%disable%" or Process.CommandLine like r"%clear%" or Process.CommandLine like r"%remove%" or Process.CommandLine like r"%restore%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect possible Sysmon driver unload
# fltmc.exe "unload" with "sys" anywhere in the line. The query does not check for the
# Sysmon driver name specifically, so any filter-driver name containing "sys" matches —
# the rule name is narrower than the query.
RuleName = Sysmon Driver Unload
EventType = Process.Start
Tag = proc-start-sysmon-driver-unload
RiskScore = 75
Query = (Process.Path like r"%\\fltmc.exe" and Process.CommandLine like r"%unload%" and Process.CommandLine like r"%sys%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Windows program executable started in a suspicious folder
# Listed system executables running outside C:\Windows\System32, SysWOW64, WinSxS, the
# avast sandbox or a \SystemRoot\System32\ path; C:\Windows\explorer.exe is the one
# explicitly allowed binary outside those directories. The uppercase/lowercase duplicates
# (System32/system32, SysWow64/SysWOW64) suggest the generator does not rely on a
# case-insensitive "like" — TODO confirm, and note the exclusions are anchored to drive C:.
RuleName = System File Execution Location Anomaly
EventType = Process.Start
Tag = proc-start-system-file-execution-location-anomaly
RiskScore = 75
Query = ((Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\spoolsv.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\winlogon.exe" or Process.Path like r"%\\explorer.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\Taskmgr.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\smartscreen.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\audiodg.exe" or Process.Path like r"%\\wlanext.exe") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\system32\\%" or Process.Path like r"C:\\Windows\\SysWow64\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\winsxs\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\avast! sandbox%") or Process.Path like r"%\\SystemRoot\\System32\\%" or Process.Path like r"C:\\Windows\\explorer.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
# The parent is identified by its command line (svchost.exe hosting the termsvcs group), not
# by Parent.Path; rdpclip.exe, the expected child, is excluded.
RuleName = Terminal Service Process Spawn
EventType = Process.Start
Tag = proc-start-terminal-service-process-spawn
RiskScore = 75
Query = ((Parent.CommandLine like r"%\\svchost.exe%" and Parent.CommandLine like r"%termsvcs%") and not (Process.Path like r"%\\rdpclip.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
# NOTE(review): the description speaks of child processes of cmstp.exe, but the query matches
# cmstp.exe itself (Process.Path) started with a "/s" or "/au" switch; Parent.Path is not
# checked. "%/s%" also matches any argument that merely contains "/s".
RuleName = Bypass UAC via CMSTP
EventType = Process.Start
Tag = proc-start-bypass-uac-via-cmstp
RiskScore = 75
Query = (Process.Path like r"%\\cmstp.exe" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%/au%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
# Any process whose parent is fodhelper.exe, regardless of the child's path or arguments.
# The Tag contains ".exe" (a dot), unlike most tags in this file — harmless unless a
# downstream consumer splits tags on dots; TODO confirm.
RuleName = Bypass UAC via Fodhelper.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-fodhelper.exe
RiskScore = 75
Query = Parent.Path like r"%\\fodhelper.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
# Any process whose parent is wsreset.exe, except conhost.exe. This overlaps with the
# "Wsreset UAC Bypass" rule further down in this file, which has no conhost exclusion; an
# event matching here will therefore fire both rules.
RuleName = Bypass UAC via WSReset.exe
EventType = Process.Start
Tag = proc-start-bypass-uac-via-wsreset.exe
RiskScore = 75
Query = (Parent.Path like r"%\\wsreset.exe" and not (Process.Path like r"%\\conhost.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using SettingSyncHost.exe to run hijacked binary
# A child of a "cmd.exe /c ... RoamDiag.cmd ... -outputpath" command line that does not itself
# run from C:\Windows\System32 or SysWOW64. The parent is identified by command line only;
# the exclusion paths are anchored to drive C:.
RuleName = Using SettingSyncHost.exe as LOLBin
EventType = Process.Start
Tag = proc-start-using-settingsynchost.exe-as-lolbin
RiskScore = 75
Query = (not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")) and (Parent.CommandLine like r"%cmd.exe /c%" and Parent.CommandLine like r"%RoamDiag.cmd%" and Parent.CommandLine like r"%-outputpath%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
# cvtres.exe started by vbc.exe. The query cannot tell whether compilation succeeded; it
# only sees that the resource converter was invoked by the VB compiler.
RuleName = Visual Basic Command Line Compiler Usage
EventType = Process.Start
Tag = proc-start-visual-basic-command-line-compiler-usage
RiskScore = 75
Query = (Parent.Path like r"%\\vbc.exe" and Process.Path like r"%\\cvtres.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects certain command line parameters often used during reconnaissance activity via web shells
# The parent must be a web-server worker (w3wp, php-cgi, nginx, httpd, or a path containing
# apache/tomcat). The child is net/net1 with " user ", " use " or " group "; ping with " -n ";
# a "&cd&echo" or "cd /d " chain; wmic with " /node:"; one of the listed enumeration
# utilities; or a " Test-NetConnection " / "dir \" command line. Legitimate web applications
# that shell out to these utilities will also match — tune per server role.
RuleName = Webshell Detection With Command Line Keywords
EventType = Process.Start
Tag = proc-start-webshell-detection-with-command-line-keywords
RiskScore = 75
Query = (((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe") or (Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%")) and ((((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and (Process.CommandLine like r"% user %" or Process.CommandLine like r"% use %" or Process.CommandLine like r"% group %")) or (Process.Path like r"%\\ping.exe" and Process.CommandLine like r"% -n %") or (Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%cd /d %")) or (Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"% /node:%") or (Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\quser.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\pathping.exe" or Process.Path like r"%\\tracert.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\tasklist.exe") or (Process.CommandLine like r"% Test-NetConnection %" or Process.CommandLine like r"%dir \\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
# Same web-server parent set as the preceding webshell rule; the child is cmd.exe with
# "perl --help", "python --help", "wget --help" or "perl -h" in its command line.
# NOTE(review): the Tag contains "&" (carried over from the RuleName) — confirm that
# downstream consumers of the Tag field accept that character.
RuleName = Webshell Recon Detection Via CommandLine & Processes
EventType = Process.Start
Tag = proc-start-webshell-recon-detection-via-commandline-&-processes
RiskScore = 75
Query = (((Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe")) and ((Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%perl --help%" or Process.CommandLine like r"%python --help%" or Process.CommandLine like r"%wget --help%" or Process.CommandLine like r"%perl -h%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
# Parent is one of w3wp, httpd, nginx, php-cgi, tomcat.exe or UMWorkerProcess.exe; child is
# cmd, sh, bash, powershell or bitsadmin. Unlike the other webshell rules, tomcat is matched
# as "tomcat.exe" here rather than as any path containing "tomcat".
RuleName = Shells Spawned by Web Servers
EventType = Process.Start
Tag = proc-start-shells-spawned-by-web-servers
RiskScore = 75
Query = ((Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\tomcat.exe" or Parent.Path like r"%\\UMWorkerProcess.exe") and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\bitsadmin.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
# Exact Process.User comparison (the pattern has no wildcard) with "NT AUTHORITY\SYSTEM"
# plus a whoami.exe path; same localized-account-name caveat as the other SYSTEM rules here.
RuleName = Run Whoami as SYSTEM
EventType = Process.Start
Tag = proc-start-run-whoami-as-system
RiskScore = 75
Query = (Process.User like r"NT AUTHORITY\\SYSTEM" and Process.Path like r"%\\whoami.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
# whoami.exe with "/priv" anywhere in the command line; no user or parent constraint.
RuleName = Run Whoami Showing Privileges
EventType = Process.Start
Tag = proc-start-run-whoami-showing-privileges
RiskScore = 75
Query = (Process.Path like r"%\\whoami.exe" and Process.CommandLine like r"%/priv%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Task Scheduler .job import arbitrary DACL write
# schtasks.exe "/change" with "/TN", "/RU" and "/RP" all present in the command line.
RuleName = Windows 10 Scheduled Task SandboxEscaper 0-day
EventType = Process.Start
Tag = proc-start-windows-10-scheduled-task-sandboxescaper-0-day
RiskScore = 75
Query = (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/change%" and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%/RU%" and Process.CommandLine like r"%/RP%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI script event consumers
# Both paths are absolute with no wildcard and use different casing (C:\WINDOWS\system32 vs
# C:\Windows\System32), so the rule only matches if "like" is case-insensitive — TODO
# confirm. It also cannot match on systems where Windows is not installed on C:.
RuleName = WMI Persistence - Script Event Consumer
EventType = Process.Start
Tag = proc-start-wmi-persistence-script-event-consumer
RiskScore = 75
Query = (Process.Path like r"C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and Parent.Path like r"C:\\Windows\\System32\\svchost.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI spawning PowerShell
# powershell.exe spawned by wmiprvse.exe with a non-empty command line.
# NOTE(review): "Process.CommandLine == "null"" compares against the literal string null;
# it looks like a Sigma null-value conversion artifact. The "== ''" term is the one that
# actually excludes empty command lines.
RuleName = WMI Spawning Windows PowerShell
EventType = Process.Start
Tag = proc-start-wmi-spawning-windows-powershell
RiskScore = 75
Query = ((((Parent.Path like r"%\\wmiprvse.exe") and (Process.Path like r"%\\powershell.exe")) and not (Process.CommandLine == "null")) and not (Process.CommandLine == ''))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
# Any start of Microsoft.Workflow.Compiler.exe, regardless of arguments or parent process.
RuleName = Microsoft Workflow Compiler
EventType = Process.Start
Tag = proc-start-microsoft-workflow-compiler
RiskScore = 75
Query = Process.Path like r"%\\Microsoft.Workflow.Compiler.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
# Any child of WSreset.exe. The earlier "Bypass UAC via WSReset.exe" rule in this file is a
# subset of this one (it additionally excludes conhost.exe), so matching events fire both.
RuleName = Wsreset UAC Bypass
EventType = Process.Start
Tag = proc-start-wsreset-uac-bypass
RiskScore = 75
Query = (Parent.Path like r"%\\WSreset.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
# dnscmd.exe with "/config" and "/serverlevelplugindll" anywhere in the command line.
RuleName = DNS ServerLevelPluginDll Install
EventType = Process.Start
Tag = proc-start-dns-serverlevelplugindll-install
RiskScore = 75
Query = (Process.Path like r"%\\dnscmd.exe" and Process.CommandLine like r"%/config%" and Process.CommandLine like r"%/serverlevelplugindll%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
# Image.Load rule: msdtc.exe loading C:\Windows\oci.dll (absolute path, drive C: only).
# Shares its RuleName with the Process.Start rule that follows; the Tags differ, so the
# events remain distinguishable. GenericProperty1-6 capture the loaded image's name, path
# and hashes instead of the process hashes used by the Process.Start rules.
RuleName = Pingback Backdoor
EventType = Image.Load
Tag = pingback-backdoor
RiskScore = 75
Query = (Process.Path like r"%msdtc.exe" and Image.Path like r"C:\\Windows\\oci.dll")
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
# Process.Start rule: a child of updata.exe whose command line contains "config", "msdtc",
# "start" and "auto" (all four). Same RuleName as the Image.Load rule above, different Tag.
RuleName = Pingback Backdoor
EventType = Process.Start
Tag = proc-start-pingback-backdoor
RiskScore = 75
Query = (Parent.Path like r"%updata.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%msdtc%" and Process.CommandLine like r"%start%" and Process.CommandLine like r"%auto%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

