Windows

This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.

A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.

Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.

Adversaries use WMIC.exe to enumerate running services on remote devices, potentially identifying valuable targets or misconfigured systems.

The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.

Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.

Adversaries modify Windows Registry Classes keys to establish persistence by executing malicious code when specific file types are opened or actions are performed, potentially leading to privilege escalation and persistent access.

This brief details the use of obfuscated IP addresses within download commands, often employed to evade detection by hiding the true destination of malicious downloads.

Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.

Attackers bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in to execute code with elevated permissions, potentially leading to system compromise.

Detection of svchost.exe executing with uncommon command-line parameters, excluding known legitimate patterns, which may indicate file masquerading, process injection, or process hollowing.

The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.

Adversaries may attempt to disable Windows EventLog autologger sessions via registry modification to evade detection and prevent security monitoring of early boot activities and system events.

An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.

This rule identifies potential timestomping behavior on Windows systems where the creation time of executable files in sensitive system directories is modified, potentially to blend malicious executables with legitimate system files and evade detection.

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.

Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.

This analytic identifies the use of Distributed Component Object Model (DCOM) to execute commands on a remote host, specifically when launched via ShellBrowserWindow or ShellWindows Application COM objects, indicating potential lateral movement by an attacker.

This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\Users\ and C:\ProgramData\.

Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.

This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.

Adversaries disable crucial scheduled tasks, such as those related to BitLocker, Windows Defender, System Restore and Windows Update, using schtasks.exe to disrupt services and potentially facilitate data destruction or ransomware deployment.

Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.

Attackers may disable AutoLogger sessions by modifying specific registry values to evade detection and prevent security monitoring of early boot activities and system events, a technique observed in intrusions involving IcedID and XingLocker ransomware.

Detection of network connections initiated by unusual Windows system binaries, often leveraged by adversaries to proxy execution of malicious code and evade detection, indicating potential defense evasion and command and control activity.

Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.

Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.

The use of `clip.exe` in conjunction with PowerShell and command-line obfuscation is used to evade detection.

The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.

Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.

Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for command and control or data exfiltration, evading defenses.

This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.

Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.

Attackers disable Windows System Restore by modifying specific registry keys to hinder recovery efforts after malicious activity.

Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.

This rule detects modifications to scheduled tasks by user accounts, excluding system activity and machine accounts, which adversaries can exploit for persistence by modifying them to execute malicious code.

This rule detects changes to uncommon registry persistence keys on Windows systems that are not commonly used or modified by legitimate programs, which could indicate an adversary's attempt to persist in a stealthy manner by modifying registry keys for persistence, ensuring malicious code executes on startup or during specific events.

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

Adversaries may execute script interpreters such as cscript, wscript, mshta, or powershell from suspicious directories accessible via environment variables to evade detection and execute malicious scripts.

The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.

This threat involves the suspicious copying of files from or to Windows system directories (System32, SysWOW64, WinSxS) using command-line tools, often employed by attackers to relocate LOLBINs for defense evasion.

Adversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair defenses or disrupt system operations.

The rule identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege, which can be used by adversaries to debug and modify other processes to escalate privileges and bypass access controls.

The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.

This rule identifies the creation of a process impersonating the token of another user logon session on Windows, potentially indicating privilege escalation.

Attackers are abusing the legitimate Windows Print.exe utility to copy sensitive files like NTDS.DIT and SAM in order to extract credentials, enabling local or remote credential access.

Adversaries employ token obfuscation techniques within PowerShell commands to evade detection by security tools, leveraging methods such as character insertion, string concatenation, and environment variable manipulation to mask their malicious intent.

Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.

An unusual process is enumerating built-in Windows privileged local groups membership, such as Administrators or Remote Desktop users, potentially revealing targets for credential compromise and post-exploitation activities.

The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.

Adversaries delete or disable critical scheduled tasks, such as those related to system restore, Windows Defender, BitLocker, Windows Backup, or Windows Update, to disrupt operations and potentially conduct data destructive activities.

Adversaries delete critical scheduled tasks, such as those related to BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update, to disrupt security measures and enable data destruction.

Detects the execution of .NET utilities by script processes from unusual locations, indicative of signed binary proxy execution for defense evasion and code execution.

This rule detects PowerShell loading the Task Scheduler COM DLL followed by an outbound RPC network connection, potentially indicating lateral movement or remote discovery via scheduled tasks.

Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider by modifying registry keys associated with the W32Time service.

Attackers abuse the Application Shim functionality in Windows by using `sdbinst.exe` with malicious arguments to achieve persistence and execute arbitrary code within legitimate Windows processes.

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.

This analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems, where adversaries often use these paths to evade detection and maintain persistence, potentially leading to unauthorized code execution, privilege escalation, or persistence within the environment.

This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.

The rule detects attempts to reset potentially privileged account passwords remotely, a tactic used by adversaries to maintain access, evade password policies, and preserve compromised credentials.

The Csc.exe (C# compiler) process is being launched by unusual parent processes or from suspicious locations, indicating potential malware execution or defense evasion.

This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.

Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.

The WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.

Detection of rapid creation and deletion of scheduled tasks on Windows, indicating potential malicious activity abusing the task scheduler for execution and cleanup.

Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.

Detection of remote registry access by an account with SeBackupPrivilege, potentially indicating credential exfiltration attempts via SAM registry hive dumping.

Mshta.exe spawning a suspicious child process, such as cmd.exe or powershell.exe, indicates potential adversarial activity leveraging Mshta to execute malicious scripts and evade detection on Windows systems.

Attackers may attempt to masquerade as the Service Host process `svchost.exe` by executing from non-standard paths to evade detection and blend in with normal system activity.

Detection of renamed COMSVCS.DLL being loaded by rundll32.exe, potentially used to dump LSASS memory for credential access while evading command-line detection.

The detection rule identifies a potential credential access attempt via the trusted developer utility MSBuild by detecting instances where it loads DLLs associated with Windows credential management, specifically vaultcli.dll or SAMLib.DLL, which is often used for credential dumping.

Adversaries may abuse the msiexec.exe utility to proxy the execution of malicious DLL payloads, bypassing application control and other defenses.

The rule detects attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory, which could lead to credential dumping.

This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.

The rule identifies process creation with alternate credentials, which can be used for privilege escalation, by detecting successful logins via the Secondary Logon service (seclogon) from a local source IP address (::1), followed by process creation using the same TargetLogonId.

PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.