Detections | Josh

GitHub Repos

Full detection repos for LimaCharlie and Fibratus. Clone them, use them, contribute.

CTI Dashboard

My curated threat intelligence start.me page. Feeds, tools, IOC lookups, threat actor tracking.

Formats

Fibratus (ETW/kernel) and LimaCharlie D&R rules for endpoint, cloud, and identity.

0

Fibratus Rules

0

LimaCharlie Rules

0

MITRE Tactics

0

Ransomware Detections

TA0001 / TA0007

Initial Access & Discovery

APT campaigns, exploit detection, and reconnaissance patterns.

Kimsuky DEEP#GOSU Multi-Stage Execution

VBScript/WSH spawning encoded PowerShell commands, North Korean APT chain

TA0005 Fibratus CRITICAL +

name: Kimsuky DEEP#GOSU multi-stage VBScript to PowerShell execution
id: c8f1a5d4-6b9e-2d8c-4f0a-9e7b3c5d6789
version: 1.0.0
description: |
  Detects the Kimsuky APT group's DEEP#GOSU malware execution chain,
  which employs a multi-stage evasion technique starting with VBScript
  or Windows Script Host execution that spawns encoded PowerShell commands.

condition: >
  spawn_process
    and
  ps.parent.name iin ('wscript.exe', 'cscript.exe')
    and
  ps.name iin ('powershell.exe', 'pwsh.exe')
    and
  (ps.cmdline imatches ('*-enc*', '*-encodedcommand*', '*-e *')
   or regex(ps.cmdline, '[A-Za-z0-9+/]{40,}={0,2}'))

severity: critical
min-engine-version: 2.4.0

Potential ClickFix Chain

Explorer.exe → LOLBins via Run dialog with malicious command-line patterns and callstack analysis

T1204 T1566 HIGH +

- action: report
  metadata:
    author: Josh Strickland
    description: >-
      Detects potential ClickFix attack where explorer.exe spawns PowerShell
      variants, scripting engines, or LOLBins with suspicious command arguments
      via Run dialog (Win+R). Covers multiple PowerShell versions, common
      Living off the Land binaries abused in ClickFix campaigns.
    falsepositives:
      - Legitimate administrative PowerShell scripts launched via Run dialog
      - IT management tools using encoded commands
      - Software deployment using msiexec or bitsadmin
      - Web developers testing scripts with mshta or rundll32
      - System administrators using certutil for certificate management
    level: high
    references:
      - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
      - https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b
      - https://lolbas-project.github.io/
    tags:
      - attack.initial_access
      - attack.t1204.002
      - attack.execution
      - attack.t1059.001
      - attack.t1059.003
      - attack.t1059.005
      - attack.t1059.007
      - attack.defense_evasion
      - attack.t1218
  name: Potential ClickFix Chain

event: NEW_PROCESS
op: and
rules:
  - op: is windows
  - case sensitive: false
    op: ends with
    path: event/PARENT/FILE_PATH
    value: explorer.exe
  - op: or
    rules:
      - { op: ends with, path: event/FILE_PATH, value: powershell.exe }
      - { op: ends with, path: event/FILE_PATH, value: pwsh.exe }
      - { op: ends with, path: event/FILE_PATH, value: cmd.exe }
      - { op: ends with, path: event/FILE_PATH, value: wscript.exe }
      - { op: ends with, path: event/FILE_PATH, value: cscript.exe }
      - { op: ends with, path: event/FILE_PATH, value: mshta.exe }
      - { op: ends with, path: event/FILE_PATH, value: certutil.exe }
      - { op: ends with, path: event/FILE_PATH, value: bitsadmin.exe }
      - { op: ends with, path: event/FILE_PATH, value: rundll32.exe }
      - { op: ends with, path: event/FILE_PATH, value: regsvr32.exe }
      - { op: ends with, path: event/FILE_PATH, value: msiexec.exe }
      - { op: ends with, path: event/FILE_PATH, value: regasm.exe }
      - { op: ends with, path: event/FILE_PATH, value: msbuild.exe }
      - { op: ends with, path: event/FILE_PATH, value: wmic.exe }
  - not: true
    op: or
    rules:
      - { op: starts with, path: event/COMMAND_LINE, value: '"C:\Program Files\' }
      - { op: starts with, path: event/COMMAND_LINE, value: '"C:\Program Files (x86)\' }
      - { op: starts with, path: event/COMMAND_LINE, value: 'C:\Program Files\' }
      - { op: starts with, path: event/COMMAND_LINE, value: 'C:\Program Files (x86)\' }
  - op: or
    rules:
      - op: matches
        path: event/COMMAND_LINE
        re: >-
          .*\s-e(nc|nco|ncod|ncode|ncoded|ncodedC|ncodedCo|ncodedCom|
          ncodedComm|ncodedComma|ncodedComman|ncodedCommand)
          \s+[A-Za-z0-9+/=]{50,}.*
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*(downloadstring|downloadfile).*\|.*(iex|invoke-expression).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*(invoke-webrequest|iwr|wget|curl).*\|.*(iex|invoke-expression).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*net\.webclient.*\.(downloadstring|downloadfile).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*(-w hidden|-windowstyle hidden).*(http|downloadstring).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*bypass.*(http|downloadstring|downloadfile|iex).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*certutil.*-urlcache.*(http|ftp).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*certutil.*-decode.*\.(exe|dll|bat|ps1|vbs).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*bitsadmin.*/transfer.*(http|ftp).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*mshta.*(http|javascript:|vbscript:).*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*rundll32.*javascript:.*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*rundll32.*,.*http.*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*regsvr32.*/s\s+/u\s+/i:http.*scrobj\.dll.*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*wmic.*process call create.*http.*' }
      - { op: matches, path: event/COMMAND_LINE,
          re: '.*(\\temp\\|\\downloads\\|\\appdata\\local\\temp\\).*\.(exe|bat|cmd|ps1|vbs).*' }

Fibratus detection by Nedim Šabić — inspired the LimaCharlie version above

name: Potential ClickFix infection chain
id: ffe1fc54-2893-4760-ab50-51a83bd71d13
version: 2.0.1
description: |
  Identifies the execution of the process via the Run command dialog box,
  Windows Console shortcut, or Explorer address bar followed by spawning
  of the potential infostealer process. This could be indicative of the
  ClickFix deceptive tactic used by attackers to lure victims into
  executing malicious commands under the guise of meeting pages or CAPTCHAs.
labels:
  tactic.id: TA0001
  tactic.name: Initial Access
  technique.id: T1566
  technique.name: Phishing
references:
  - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
  - https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
  - https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b

condition: >
  sequence
  maxspan 2m
    |spawn_process and
     ps.parent.name ~= 'explorer.exe' and length(ps.args) >= 2 and
     ps.name iin ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wget.exe',
                   'curl.exe', 'msiexec.exe', 'mshta.exe', 'wscript.exe',
                   'cscript.exe', 'msbuild.exe') and
     (thread.callstack.summary imatches
       ('ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
        'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
        'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|SHCore.dll|*')
      or
      (thread.callstack.summary imatches '*shell32.dll|explorer.exe|*'
       and thread.callstack.symbols imatches '*shell32.dll!GetFileNameFromBrowse*'))
    | by ps.uuid
    |spawn_process and ps.exe not imatches
       ('?:\Program Files\*.exe',
        '?:\Program Files (x86)\*.exe')
    | by ps.parent.uuid

action:
  - name: kill
output: >
  Potential infostealer process %2.ps.exe delivered via ClickFix infection chain
severity: high
min-engine-version: 3.0.0

Palo Alto GlobalProtect CVE-2024-3400

Command injection, CVSS 10.0, PanGPS.exe spawning cmd/powershell/whoami

TA0001 Fibratus CRITICAL +

name: Palo Alto GlobalProtect command injection via CVE-2024-3400
id: c9f1e4d3-5a7b-6c9e-1d4f-8b2c3e5f6789
version: 1.0.0
description: |
  Detects active exploitation of CVE-2024-3400, a critical command injection
  vulnerability in Palo Alto Networks GlobalProtect Gateway (CVSS 10.0).
  Attackers can execute arbitrary commands with root privileges without
  authentication.

condition: >
  spawn_process
    and
  ps.name imatches '*PanGPS.exe'
    and
  ps.child.name iin ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'whoami.exe')
    and
  not (
    ps.child.cmdline icontains 'flushdns'
      or
    ps.child.cmdline imatches
      '*reg export*Settings\\*\\windows\\TEMP\\uninstall.reg*'
  )

severity: critical
min-engine-version: 2.4.0

SocGholish Fake Browser Update Campaign

.js download → scheduled task persistence within 5 minutes

TA0001 Fibratus CRITICAL +

name: SocGholish fake browser update with scheduled task persistence
id: b7e5f3a2-4d6f-5e8a-0b3c-7f9d8e1a2345
version: 1.0.0
description: |
  Identifies the SocGholish (FakeUpdates) malware campaign that uses
  compromised websites to serve fake browser update notifications.
  Victims download malicious JavaScript files which establish persistence
  through Windows scheduled tasks and deploy secondary payloads.

condition: >
  sequence
  maxspan 5m
    |create_file and file.extension = '.js'
     and file.path imatches '*\\Downloads\\*.js'| by ps.sid
    |spawn_process and ps.child.name ~= 'schtasks.exe'
     and ps.child.cmdline imatches '*/create*'| by ps.sid

severity: critical
min-engine-version: 2.4.0

M365 - Suspicious User Agent on Login

23 suspicious user agents: automation tools (axios, python-requests, curl), pentesting (Burp, Nikto, sqlmap), Entra ID attack tools (AADInternals, ROADtools), empty UA strings

T1078T1110 LimaCharlie MEDIUM +

- action: report
  metadata:
    author: Joshua Strickland
    description: >-
      Detected login attempt using a suspicious user agent commonly associated
      with automation tools, credential stuffing, or security scanning
    false_positives:
      - Legitimate automation scripts
      - Security scanning tools used by IT
      - DevOps automation
    mitre_attack:
      - T1078 - Valid Accounts
      - T1110 - Brute Force
    references:
      - https://attack.mitre.org/techniques/T1078/
    severity: medium
  name: M365 - Suspicious User Agent on Login
  suppression:
    is_global: true
    keys:
      - '{{ .event.UserId }}'
      - m365-suspicious-ua
    max_count: 5
    period: 1h

events:
  - UserLoggedIn
  - UserLoginFailed
op: or
rules:
  - { op: contains, path: event/ExtendedProperties/?/Value, value: axios }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: TruffleHog }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: python-requests }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: python-urllib }
  - { op: matches, path: event/ExtendedProperties/?/Value, re: "^curl/.*" }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: Go-http-client }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: PostmanRuntime }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: HTTPie }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: Scrapy }
  - { op: matches, path: event/ExtendedProperties/?/Value, re: "^Wget/.*" }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: WindowsPowerShell }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: node-fetch }
  - { op: matches, path: event/ExtendedProperties/?/Value, re: "^Java/\d+.*" }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: Apache-HttpClient }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: okhttp }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: Nuclei }
  - { op: is, path: event/ExtendedProperties/?/Value, value: "" }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: BOT }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: Burp }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: Nikto }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: sqlmap }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: AADInternals }
  - { op: contains, path: event/ExtendedProperties/?/Value, value: ROADtools }

TA0002

Execution

Hack tools, suspicious process patterns, and malicious code execution.

CrackMapExec Execution Patterns

cmd.exe output redirection to SMB shares, PowerShell encoding patterns unique to CME

T1047 Fibratus HIGH +

name: CrackMapExec Execution Patterns
id: b162fa0f-8dbc-4b99-b483-77f9e659d44e
version: 1.0.0
description: |
  Detects command patterns specific to CrackMapExec (CME) post-exploitation
  framework. CME automates network reconnaissance, credential harvesting,
  and lateral movement.

condition: >
  spawn_process
    and
  (
    ps.child.cmdline icontains 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
    or ps.child.cmdline icontains 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
    or ps.child.cmdline icontains 'cmd.exe /C * > *\\Temp\\* 2>&1'
    or ps.child.cmdline icontains 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
    or ps.child.cmdline icontains 'powershell.exe -noni -nop -w 1 -enc '
  )

severity: high
min-engine-version: 2.0.0

Empire PowerShell Launch Parameters

Specific flag combinations: -NoP -sta -NonI -W Hidden -Enc used by Empire stagers

T1059.001 Fibratus HIGH +

name: HackTool - Empire PowerShell Launch Parameters
id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
version: 1.0.0
description: |
  Detects suspicious PowerShell command line parameters commonly used by
  Empire framework for launching encoded payloads. Empire typically uses
  specific combinations of flags to bypass security controls, hide windows,
  and execute base64-encoded commands.

condition: >
  spawn_process
    and
  (ps.child.name ~= 'powershell.exe' or ps.child.name ~= 'pwsh.exe')
    and
  ps.child.cmdline icontains
    (
      ' -NoP -sta -NonI -W Hidden -Enc ',
      ' -noP -sta -w 1 -enc ',
      ' -NoP -NonI -W Hidden -enc ',
      ' -enc  SQB',
      ' -nop -exec bypass -EncodedCommand '
    )

severity: high
min-engine-version: 2.0.0

PowerShell Script Execution from C:\Users\Public

PowerShell -f/-fi/-fil/-file flags pointing to the world-writable Public folder

T1059.001 Fibratus HIGH +

name: PowerShell Script Execution in Public Folder
id: 52c9da6b-49bf-4dca-bc82-60998f6aaf94
version: 1.0.0
description: |
  Detects execution of PowerShell scripts located in the
  "C:\Users\Public" folder.

condition: |
  spawn_process
    and
  ((ps.child.exe iendswith '\\powershell.exe'
    or ps.child.exe iendswith '\\pwsh.exe')
    and (ps.child.cmdline icontains '-f C:\\Users\\Public'
      or ps.child.cmdline icontains '-fi C:\\Users\\Public'
      or ps.child.cmdline icontains '-fil C:\\Users\\Public'
      or ps.child.cmdline icontains '-file C:\\Users\\Public'
      or ps.child.cmdline icontains '-f %Public%'))

severity: high
min-engine-version: 2.0.0

Critical Unsigned Executable Pattern

50ms sequence: unsigned LoadImage → directory enum with READ|WRITE → PAGEFILE mapping

T1486 Fibratus CRITICAL +

name: Critical Suspicious Executable Pattern (Unsigned)
id: 01a35edb-78c2-5a09-9d7c-2f18e145517c
version: 2.0.0
description: |
  Detects unsigned executables exhibiting suspicious behavioral patterns
  including rapid sequential file system operations and PAGEFILE memory
  mapping. This pattern indicates potential ransomware preparing for mass
  file encryption.

condition: >
  sequence
    maxspan 50ms
    by ps.uuid
    |( kevt.name = 'LoadImage' and image.is_exec = true
       and image.signature.type = 'NONE'
       and image.signature.level = 'UNCHECKED'
       and not ps.exe imatches ('?:\\Windows\\system32\\*',
                                 '?:\\Program Files*')
       and not ps.name in ('svchost.exe', 'services.exe',
                            'lsass.exe', 'csrss.exe') )|
    |( kevt.name = 'CreateFile' and kevt.arg[type] = 'Directory'
       and kevt.arg[share_mask] = 'READ|WRITE'
       and file.path imatches ('?:\\Users\\*\\Documents\\*',
                                '?:\\Users\\*\\Desktop\\*') )|
    |( kevt.name = 'MapViewFile' and file.view.type = 'PAGEFILE'
       and file.view.protection = 'READONLY' )|

severity: critical
min-engine-version: 2.0.0

React2Shell - Node.js execSync Suspicious Command

CVE-2025-55182 — cmd.exe spawned by node.exe with Next.js/React parent context + recon or post-exploitation commands via child_process.execSync()

T1059.003T1190 LimaCharlie CRITICAL +

- action: report
  metadata:
    author: Josh Strickland
    cve: CVE-2025-55182
    description: >-
      Detects cmd.exe spawned by Node.js with Next.js/React context using the
      /d /s /c flag pattern typical of child_process.execSync(), containing
      suspicious reconnaissance or post-exploitation commands. This is a strong
      indicator of CVE-2025-55182 (React2Shell) exploitation.
    false_positives:
      - Legitimate build scripts or development tools using cmd.exe
      - Custom deployment scripts that execute system commands
      - Note: The combination of Next.js parent + suspicious command is very rare
    mitre_attack:
      - T1059.003 - Windows Command Shell
      - T1190 - Exploit Public-Facing Application
    references:
      - https://react2shell.com/
      - https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
      - https://github.com/msanft/CVE-2025-55182
    severity: critical
  name: React2Shell - Node.js execSync Suspicious Command

event: NEW_PROCESS
op: and
rules:
  - op: ends with
    path: event/FILE_PATH
    value: \cmd.exe
  - op: contains
    path: event/COMMAND_LINE
    value: /d /s /c
  - op: ends with
    path: event/PARENT/FILE_PATH
    value: \node.exe
  - op: or
    rules:
      - { op: contains, path: event/PARENT/COMMAND_LINE, value: node_modules\next }
      - { op: contains, path: event/PARENT/COMMAND_LINE, value: next\dist\server }
      - { op: contains, path: event/PARENT/COMMAND_LINE, value: start-server.js }
      - { op: contains, path: event/PARENT/COMMAND_LINE, value: next dev }
      - { op: contains, path: event/PARENT/COMMAND_LINE, value: next start }
      - { op: contains, path: event/PARENT/COMMAND_LINE, value: react-scripts }
  - op: or
    rules:
      - { op: contains, path: event/COMMAND_LINE, value: whoami }
      - { op: contains, path: event/COMMAND_LINE, value: powershell }
      - { op: contains, path: event/COMMAND_LINE, value: curl }
      - { op: contains, path: event/COMMAND_LINE, value: certutil }
      - { op: contains, path: event/COMMAND_LINE, value: bitsadmin }
      - { op: contains, path: event/COMMAND_LINE, value: mshta }
      - { op: contains, path: event/COMMAND_LINE, value: wscript }
      - { op: contains, path: event/COMMAND_LINE, value: systeminfo }
      - { op: contains, path: event/COMMAND_LINE, value: net user }
      - { op: contains, path: event/COMMAND_LINE, value: net localgroup }
      - { op: contains, path: event/COMMAND_LINE, value: netsh }
      - { op: contains, path: event/COMMAND_LINE, value: sc.exe }
      - { op: contains, path: event/COMMAND_LINE, value: reg add }
      - { op: contains, path: event/COMMAND_LINE, value: wmic }
      - { op: contains, path: event/COMMAND_LINE, value: base64 }
      - { op: contains, path: event/COMMAND_LINE, value: "-enc" }
      - { op: contains, path: event/COMMAND_LINE, value: downloadstring }
      - { op: contains, path: event/COMMAND_LINE, value: invoke-expression }
      - { op: contains, path: event/COMMAND_LINE, value: "&&" }
      - { op: contains, path: event/COMMAND_LINE, value: " | " }
      - { op: matches, path: event/COMMAND_LINE,
          re: ".*\\.(ps1|bat|vbs|js|exe).*" }

TA0003

Persistence

Scheduled tasks, hidden accounts, and maintaining access.

Hidden Local User Account via Registry

lsass.exe modifying SAM registry with $ suffix indicating hidden account creation

T1136.001 Fibratus HIGH +

name: Sysmon registry detection of a local hidden user account
id: dfa902c0-c21a-4ae6-b29c-77442034f16c
version: 1.0.0
description: |
  Detects the creation of hidden local user accounts through registry
  modification. Attackers create accounts ending with $ to hide them
  from standard user enumeration tools.

condition: >
  modify_registry
    and
  ps.exe iendswith '\\lsass.exe'
    and
  registry.path icontains
    '\\SAM\\SAM\\Domains\\Account\\Users\\Names\\'
    and
  registry.path iendswith '$'

severity: high
min-engine-version: 2.0.0

PowerSploit/Empire Scheduled Task Persistence

Default "Updater" task with PowerShell -NonI and ONLOGON/DAILY/IDLE/HOURLY triggers

T1053.005 Fibratus HIGH +

name: HackTool - Default PowerSploit/Empire Scheduled Task Creation
id: 56c217c3-2de2-479b-990f-5c109ba8458f
version: 1.0.0
description: |
  Detects creation of a scheduled task via PowerSploit or Empire default
  configuration. Task typically named "Updater" executes PowerShell with
  non-interactive flags.

condition: >
  spawn_process
    and
  (ps.name ~= 'powershell.exe' or ps.name ~= 'pwsh.exe')
    and
  (ps.child.name ~= 'schtasks.exe')
    and
  (ps.child.cmdline icontains '/Create')
    and
  (ps.child.cmdline icontains 'powershell.exe -NonI')
    and
  (ps.child.cmdline icontains '/TN Updater /TR')
    and
  ((ps.child.cmdline icontains '/SC ONLOGON')
    or (ps.child.cmdline icontains '/SC DAILY /ST')
    or (ps.child.cmdline icontains '/SC ONIDLE')
    or (ps.child.cmdline icontains '/SC HOURLY'))

severity: high
min-engine-version: 2.0.0

M365 - Dynamic Group Membership Rule Modified

Entra ID dynamic group rule change — stealthy privilege escalation by modifying attribute-based membership to auto-add attacker accounts to privileged groups

T1098T1484 LimaCharlie HIGH +

- action: report
  metadata:
    author: Joshua Strickland
    description: >-
      A dynamic group membership rule was modified. Dynamic groups in Entra ID
      automatically assign membership based on user or device attributes
      matching a defined rule. Attackers with sufficient privileges modify these
      rules to automatically grant themselves or compromised accounts membership
      in privileged groups. This is a stealthy privilege escalation technique
      because the membership appears legitimate (rule-based) rather than
      manually assigned.
    false_positives:
      - Legitimate organizational restructuring requiring rule updates
      - Corrections to misconfigured membership rules
      - Security team adjustments to group automation
      - HR-driven changes to department or role-based rules
    investigation_steps:
      - Identify which group had its membership rule modified
      - Check if the group has privileged roles or sensitive resource access
      - Review the old membership rule versus the new membership rule
      - Determine what user attributes the new rule matches on
      - Verify the user account that modified the rule
      - Check if the rule change resulted in new members being added
    mitre_attack:
      - T1098.003 - Account Manipulation: Additional Cloud Roles
      - T1484 - Domain Policy Modification
      - T1069.003 - Permission Groups Discovery: Cloud Groups
    references:
      - https://attack.mitre.org/techniques/T1098/003/
      - https://attack.mitre.org/techniques/T1484/
      - https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
    severity: high
  name: M365 - Dynamic Group Membership Rule Modified
  suppression:
    is_global: true
    keys:
      - '{{ .event.ObjectId }}'
      - m365-dynamic-rule
    max_count: 3
    period: 24h

event: Update group
op: or
rules:
  - op: is
    path: event/ModifiedProperties/?/Name
    value: MembershipRule
  - op: is
    path: event/ModifiedProperties/?/Name
    value: MembershipRuleProcessingStat

TA0005

Defense Evasion

Defender tampering, masquerading, and security tool bypass.

Renamed NetSupport RAT Execution

NetSupport product metadata on non-client32.exe binary, masquerading detection

T1036 Fibratus HIGH +

name: Renamed NetSupport RAT Execution
id: 3e6a1c5d-e7d6-4840-a835-942b71ff76a6
version: 1.0.0
description: |
  Detects execution of renamed NetSupport Manager client. Attackers
  frequently deploy renamed versions to establish remote control while
  evading filename-based detections.

condition: >
  load_module
    and
  pe.product icontains 'NetSupport'
    and
  not image.name = 'client32.exe'

severity: high
min-engine-version: 2.0.0

Suspicious Hosts File Access

Editors or scripting engines opening Windows hosts file for DNS hijacking

T1562.001 Fibratus HIGH +

name: Suspicious Hosts File Access
id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2
version: 1.0.0
description: |
  Detects attempts to modify the Windows hosts file for DNS hijacking
  or security tool blocking. Malware commonly edits hosts files to
  redirect security update servers to localhost or redirect banking
  sites to phishing servers.

condition: >
  open_file
    and
  file.path imatches
    '?:\\Windows\\System32\\drivers\\etc\\hosts'
    and
  ( ps.name iin ('notepad.exe', 'wordpad.exe', 'powershell.exe',
                  'pwsh.exe', 'sublime_text.exe', 'code.exe', 'vim.exe')
    or ps.parent.name iin ('powershell.exe', 'pwsh.exe', 'cmd.exe') )
    and
  not ps.exe imatches (
    '?:\\Windows\\servicing\\TrustedInstaller.exe',
    '?:\\Windows\\System32\\svchost.exe',
    '?:\\Program Files\\Windows Defender\\*')

severity: high
min-engine-version: 2.0.0

Windows Defender Disabling Attempt

DisableRealtimeMonitoring set to 1 via registry modification

T1562.001 Fibratus CRITICAL +

name: Windows Defender Disabling Attempt
id: 8c2f5b7a-d93e-47f5-9b1a-3f6e8e2c91fc
version: 1.3.0
description: |
  Detects direct registry modifications to disable Windows Defender
  real-time protection. Setting DisableRealtimeMonitoring to 1
  immediately disables antivirus scanning.

condition: >
  kevt.name = 'RegSetValue'
    and
  ps.name = 'MsMpEng.exe'
    and
  registry.path = 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring'
    and
  registry.value = 1

severity: critical
min-engine-version: 2.0.0

Windows Defender Exclusion Modification

Exclusion paths, extensions, or processes added via registry or MpCmdRun

T1562.001 Fibratus HIGH +

name: Windows Defender Exclusion Modification
id: a1234567-89ab-cdef-0123-456789abcdef
version: 1.0.0
description: |
  Detects modifications to Windows Defender exclusion lists via registry
  or PowerShell. Attackers add malware paths, extensions, or process
  names to exclusions to operate undetected.

condition: >
  ( kevt.name in ('RegSetValue', 'RegDeleteValue')
    and ( registry.path icontains
            'Windows Defender\\Exclusions\\Paths\\'
          or registry.path icontains
            'Windows Defender\\Exclusions\\Extensions\\'
          or registry.path icontains
            'Windows Defender\\Exclusions\\Processes\\' )
    and ps.name = 'MsMpEng.exe' )
  or
  ( kevt.name = 'CreateProcess'
    and ps.name in ('MpCmdRun.exe')
    and kevt.arg[cmdline] contains 'MpPreference'
    and kevt.arg[cmdline] contains '-Exclusion' )

severity: high
min-engine-version: 2.0.0

TA0006

Credential Access

Credential dumping and harvesting tools.

Remote Credential Dumping via CrackMapExec/Impacket

svchost.exe creating 8-char random .tmp files in System32 during SAM/SECURITY/SYSTEM dump

T1003 Fibratus HIGH +

name: Remote Credential Dumping via CrackMapExec/Impacket
id: 0c0bf53b-9875-48ce-a389-0d309f51fdcf
version: 1.0.0
description: |
  Detects temporary file patterns created by CrackMapExec and
  Impacket-secretsdump during remote credential harvesting. These tools
  dump SAM/SECURITY/SYSTEM registry hives to 8-character random .tmp
  files in System32.

  Normal: Never - legitimate Windows operations don't create random
  8-char .tmp files in System32
  Likely malicious: svchost.exe creating [8chars].tmp in System32

condition: >
  create_file
    and
  ps.exe iendswith '\\svchost.exe'
    and
  file.path matches '?:\\Windows\\System32\\????????.tmp'

severity: high
min-engine-version: 2.0.0

M365 - AiTM Session Token Replay

Detects MFA bypass via stolen session tokens — "previously satisfied" or "claim in token" authentication indicating Evilginx/AiTM phishing toolkit replay

T1539T1550 LimaCharlie CRITICAL +

- action: report
  metadata:
    author: Joshua Strickland
    description: >-
      A user authentication was completed using a session token where MFA was
      "previously satisfied" or "satisfied by claim in token" rather than an
      interactive MFA challenge. This is a strong indicator of
      Adversary-in-the-Middle (AiTM) phishing and session token replay attacks.
      Sophisticated phishing toolkits (Evilginx, Modlishka, Muraena) proxy the
      real authentication flow, allowing the victim to complete legitimate
      authentication including MFA, while the attacker intercepts and steals the
      resulting session cookies. The attacker then replays these stolen tokens
      to gain unauthorized access that bypasses MFA.
    false_positives:
      - Legitimate SSO scenarios where tokens are exchanged between apps
      - OAuth token exchanges in federated environments
      - Mobile app authentication flows that cache tokens
      - Azure AD Seamless SSO in hybrid environments
      - Browser session resumption after legitimate authentication
    investigation_steps:
      - Identify the user account that authenticated with token replay
      - Review the source IP address and geolocation of this login
      - Check for recent logins from the same user from different IPs
      - Look for preceding authentic authentication from normal location
      - Review user agent string for anomalies or headless browsers
      - Check if the IP is associated with VPN, proxy, or hosting providers
      - Examine actions taken immediately after this authentication
      - Look for data exfiltration, inbox rules, or privilege escalation
      - Check for mailbox forwarding rules or OAuth app consents after login
    mitre_attack:
      - T1539 - Steal Web Session Cookie
      - T1185 - Browser Session Hijacking
      - T1566.002 - Phishing: Spearphishing Link
      - T1550.004 - Use Alternate Authentication Material: Web Session Cookie
    references:
      - https://attack.mitre.org/techniques/T1539/
      - https://attack.mitre.org/techniques/T1550/004/
      - https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec/
      - https://github.com/kgretzky/evilginx2
    severity: critical
  name: M365 - AiTM Session Token Replay
  suppression:
    is_global: true
    keys:
      - '{{ .event.UserId }}'
      - m365-aitm-token
    max_count: 2
    period: 1h

event: UserLoggedIn
op: or
rules:
  - { op: contains, path: event/AuthenticationDetails/?/authenticationMethod,
      value: claim }
  - { op: contains, path: event/AuthenticationDetails/?/authenticationMethod,
      value: previously satisfied }
  - { op: contains, path: event/MfaDetail/?/authMethod,
      value: claim }
  - { op: contains, path: event/MfaDetail/?/authMethod,
      value: previously satisfied }
  - { op: contains, path: event/ExtendedProperties/?/Value,
      value: Previously satisfied }
  - { op: contains, path: event/ExtendedProperties/?/Value,
      value: claim in the token }

TA0011

Command & Control

RATs, C2 comms, reverse shells, and tunneling.

NetSupport RAT Detection

Multi-event detection: process execution, file drops, config files — covers naming variations and suspicious paths

T1219 T1036 HIGH +

- action: report
  metadata:
    author: Josh Strickland
    description: >-
      Detects NetSupport RAT activity including both execution and file drops.
      NetSupport Manager is legitimate remote access software frequently
      weaponized by threat actors. This rule identifies NetSupport client
      executables and associated configuration files when they are dropped on
      disk or executed from suspicious locations. Covers common naming
      variations and obfuscation techniques used in malicious campaigns.
    falsepositives:
      - Legitimate NetSupport Manager installations used by IT support teams
      - Authorized remote support sessions initiated by help desk
      - MSPs using NetSupport for client management
      - Educational institutions using NetSupport School
    level: high
    references:
      - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a
      - https://attack.mitre.org/software/S0122/
      - https://www.huntress.com/blog/netsupport-manager-rat-installed-via-fake-update-notices
      - https://redcanary.com/threat-detection-report/threats/netsupport-manager/
    tags:
      - attack.command_and_control
      - attack.t1219
      - attack.defense_evasion
      - attack.t1036.005
      - attack.persistence
      - attack.t1547.001
      - attack.t1105
  name: NetSupport RAT Activity

events:
  - NEW_PROCESS
  - NEW_DOCUMENT
  - FILE_CREATE
op: or
rules:
  # === Process Execution ===
  - op: and
    rules:
      - { op: is, path: routing/event_type, value: NEW_PROCESS }
      - op: or
        rules:
          # Known NetSupport binary names
          - op: matches
            path: event/FILE_PATH
            re: >-
              .*\\(client32|uclient32|nclient32|rclient|sclient|
              tclient|xclient|pclient|gclient|vnclient|nsclient)\.exe$
          # NetSupport binaries in suspicious locations
          - op: and
            rules:
              - op: or
                rules:
                  - { op: contains, path: event/FILE_PATH, value: client32 }
                  - { op: contains, path: event/FILE_PATH, value: uclient }
                  - { op: contains, path: event/FILE_PATH, value: nsclient }
              - op: or
                rules:
                  - { op: contains, path: event/FILE_PATH, value: "\\Temp\\" }
                  - { op: contains, path: event/FILE_PATH, value: "\\AppData\\Roaming\\" }
                  - { op: contains, path: event/FILE_PATH, value: "\\AppData\\Local\\Temp\\" }
                  - { op: contains, path: event/FILE_PATH, value: "\\ProgramData\\" }
                  - { op: contains, path: event/FILE_PATH, value: "\\Users\\Public\\" }
                  - { op: contains, path: event/FILE_PATH, value: "\\Windows\\Temp\\" }
                  - { op: contains, path: event/FILE_PATH, value: "\\Downloads\\" }
          # Command line indicators outside Program Files
          - op: and
            rules:
              - op: or
                rules:
                  - { op: contains, path: event/COMMAND_LINE, value: NetSupport }
                  - { op: contains, path: event/COMMAND_LINE, value: NSM_ }
                  - { op: contains, path: event/COMMAND_LINE, value: client32 }
              - not: true
                op: contains
                path: event/FILE_PATH
                value: "\\Program Files\\"
  # === File Drops (NEW_DOCUMENT + FILE_CREATE) ===
  - op: and
    rules:
      - op: or
        rules:
          - { op: is, path: routing/event_type, value: NEW_DOCUMENT }
          - { op: is, path: routing/event_type, value: FILE_CREATE }
      - op: or
        rules:
          # NetSupport executables dropped to disk
          - op: matches
            path: event/FILE_PATH
            re: >-
              .*\\(client32|uclient32|nclient32|nsclient|pciclient)\.exe$
          # Config files (ini, lic, cfg)
          - op: matches
            path: event/FILE_PATH
            re: >-
              .*\\(client32\.ini|nsm\.ini|nsm\.lic|NSM.*\.cfg|
              NetSupport.*\.ini)$

name: NetSupport RAT Detection
id: 8a7b9c2d-4f3e-5a6b-9d1c-2e8f7b3a4156
version: 1.0.0
description: |
  Detects execution of NetSupport Manager components commonly abused as
  a Remote Access Trojan. Unauthorized installations are frequently used
  by attackers for remote control.

  Normal: NetSupport in Program Files with proper licensing, IT-managed
  Likely malicious: client32.exe in AppData/Temp/ProgramData

condition: >
  spawn_process
    and
  ps.child.name iin ('client32.exe', 'uclient32.exe')

severity: high
min-engine-version: 2.0.0

Suspicious DNS Query Detection

C2 domains, DNS tunneling TLDs (.tk/.xyz/.onion), file-sharing abuse, dynamic DNS providers

T1071.004 Fibratus HIGH +

name: Suspicious DNS Query Detection
id: a5e6d8f2-74b1-4c3e-bb4a-9c2d58e3f0d2
version: 1.4.0
description: |
  Detects suspicious DNS queries indicating C2 communications, data
  exfiltration via DNS tunneling, or DGA activity. Monitors for known
  malicious TLDs, file-sharing services commonly abused by infostealers,
  and dynamic DNS providers used for C2 infrastructure.

condition: >
  query_dns
    and dns.name in (
      'ngrok.io', 'pastebin.com', 'discordapp.com', '.onion',
      '.top', '.xyz', '.tk', 'limewire.com', '.bit', '.ir',
      '.ru', '.dyn', '.no-ip', '.duckdns', 'file.io',
      'anonfiles.com', 'bayfiles.com', 'wetransfer.com',
      'sendspace.com', 'filedropper.com', 'mega.nz',
      'transfer.sh', 'pixeldrain.com', 'gofile.io',
      'zippyshare.com'
    )
    and dns.name not contains 'microsoft.com'
    and dns.name not contains 'windows.com'

min-engine-version: 2.0.0

VPN and Proxy Detection

Three vectors: process cmdline, DNS queries, and network connections to VPN/proxy/SSH tunnel providers

T1090 Fibratus HIGH +

name: VPN and Proxy Detection
id: f9b1d2e3-82c1-4d7a-91ea-3f4cbb64a1f2
version: 1.2.0
description: |
  Detects VPN and proxy usage through process execution patterns, network
  connections, and DNS queries to known VPN/proxy providers. Covers
  OpenVPN, WireGuard, NordVPN, ExpressVPN, ProtonVPN, Surfshark, SSH
  tunneling (-D/-L/-R), stunnel, and more.

condition: >
  ( spawn_process
    and ps.child.name iin (
      'openvpn.exe', 'openvpn-gui.exe', 'wireguard.exe',
      'nordvpn.exe', 'NordVPN.exe', 'expressvpn.exe',
      'protonvpn.exe', 'surfshark.exe', 'mullvad-vpn.exe',
      'proxifier.exe', 'softether-vpnclient.exe', 'stunnel.exe'
    )
  )
  or
  ( spawn_process
    and ps.child.name iin ('ssh.exe', 'plink.exe')
    and ps.child.cmdline imatches ('*-D *', '*-L *', '*-R *') )
  or
  ( query_dns
    and dns.name iin (
      'nordvpn.com', 'expressvpn.com', 'protonvpn.com',
      'surfshark.com', 'mullvad.net', 'privateinternetaccess.com',
      'cyberghostvpn.com', 'windscribe.com', 'tunnelbear.com',
      'hotspotshield.com', 'ipvanish.com', 'purevpn.com',
      'hide.me', 'torguard.net', 'strongvpn.com',
      'astrill.com', 'zenmate.com', 'ivpn.net',
      'perfectprivacy.com', 'cactusvpn.com'
    )
  )

severity: high
min-engine-version: 2.0.0

Reverse Shell Detection

30+ process names, 50+ cmdline indicators: bash -i, nc -e, python sockets, ConPtyShell, encoded PS

T1059 Fibratus CRITICAL +

name: Reverse Shell Detection
id: e74b8d1a-6a9d-4f8a-b1ef-2e24c9b3e9fc
version: 4.1.0
description: |
  Detects reverse shell techniques across multiple vectors including
  traditional shells (bash -i, cmd), scripting languages (python/perl/
  ruby -c/-e), network utilities (nc -e, socat), and modern techniques
  (ConPtyShell, encoded PowerShell).

condition: >
  spawn_process
    and
  ps.child.name iin (
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'bash.exe',
    'python.exe', 'python3.exe', 'perl.exe', 'ruby.exe',
    'lua.exe', 'php.exe', 'nc.exe', 'ncat.exe', 'netcat.exe',
    'socat.exe', 'openssl.exe', 'java.exe', 'javaw.exe',
    'telnet.exe', 'node.exe', 'mshta.exe', 'wscript.exe',
    'cscript.exe'
  )
    and
  ps.child.cmdline icontains (
    'nc ', 'ncat ', '-e /bin/sh', '-e /bin/bash',
    '-e cmd.exe', 'bash -i', '/dev/tcp/', 'socket(',
    'SOCK_STREAM', 'AF_INET', 'DownloadString(',
    'New-Object Net.Sockets.TCPClient',
    'System.Net.Sockets.TcpClient', 'ConPtyShell',
    'pty.spawn', 'IEX(', 'Invoke-Expression',
    'IO.StreamReader', 'IO.StreamWriter',
    'Net.WebClient', '-e cmd', '-e powershell',
    'exec 5<>/dev/tcp', 'socat exec:'
  )
    and
  not ps.parent.name iin (
    'Action1_Agent.exe', 'Velociraptor.exe',
    'svchost.exe', 'taskhostw.exe'
  )
    and
  not ps.parent.exe imatches (
    '?:\\Program Files\\*',
    '?:\\Program Files (x86)\\*'
  )

severity: critical
min-engine-version: 2.0.0

TA0040

Impact / Ransomware

8 kernel-level ransomware detections using ETW File I/O sequence analysis with tight timing windows (2ms to 50ms). These catch ransomware during initialization and active encryption by fingerprinting the exact file operation sequences different families use.

Gamma Hive Vipasana LockBit Cerber Generic Patterns

Gamma Ransomware (PyInstaller Unpacking)

_MEI temp directory DLL creation: api-ms-win-*, VCRUNTIME140, python37.dll cluster

T1486 Fibratus CRITICAL +

name: Ransomware Process Detected (6)
id: 01a45edb-78c2-4a39-9d7c-2f19e384517d
version: 1.0.0
description: |
  Detects Gamma ransomware through its distinctive PyInstaller unpacking
  behavior, creating multiple Windows API and runtime DLLs in temporary
  _MEI directories. Early-stage detection catches Gamma before encryption
  begins.

condition: >
  create_file
    and
  file.path imatches
    'C:\\Users\\*\\AppData\\Local\\Temp\\_MEI*\\*'
    and
  (
    file.name contains ('api-ms-win-core-')
    or file.name contains ('api-ms-win-crt-')
    or file.name iin (
      'ucrtbase.dll', 'VCRUNTIME140.dll', 'libssl-1_1.dll',
      'libcrypto-1_1.dll', 'python37.dll', 'tk86t.dll',
      'tcl86t.dll'
    )
  )

severity: critical
min-engine-version: 2.0.0

Generic Ransomware Initialization (Hive+)

27ms: PAGEFILE(16384) → Windows dir → wow64.dll → System32 enum → kernel32.dll

T1486 Fibratus CRITICAL +

name: Generic Ransomware Initialization Pattern
id: 95a1d8c3-7e4b-42f5-b9d1-8c5e4f6a2b3d
version: 5.0.0
description: |
  Identifies ransomware initialization through a precise 27ms behavioral
  fingerprint. Matches multiple families (including Hive) as they resolve
  critical Windows APIs, map system DLLs, and prepare for file operations.

condition: >
  sequence
    maxspan 27ms
    by ps.uuid
    |( kevt.name = 'MapViewFile'
       and file.view.type = 'PAGEFILE'
       and file.view.size = 16384
       and not ps.name in ('svchost.exe', 'services.exe',
                            'lsass.exe', 'explorer.exe') )|
    |( kevt.name = 'CreateFile'
       and kevt.arg[create_options] icontains 'DIRECTORY_FILE'
       and file.path imatches 'C:\\Windows' )|
    |( kevt.name = 'MapViewFile'
       and file.view.type = 'IMAGE'
       and file.path imatches '*\\wow64.dll' )|
    |( kevt.name = 'EnumDirectory'
       and kevt.arg[directory] imatches 'C:\\Windows\\System32' )|
    |( kevt.name = 'MapViewFile'
       and file.view.type = 'IMAGE'
       and file.path imatches (
         '*\\kernel32.dll', '*\\KernelBase.dll') )|

severity: critical
min-engine-version: 2.0.0

Vipasana Ransomware Initialization

45ms: PAGEFILE → Windows → wow64*.dll → Desktop folder → SysWOW64 DLL

T1486 Fibratus CRITICAL +

name: Ransomware or Malware Process Detected (Generic 2)
id: 8e7d9c2a-5f1b-4c3d-b8e1-6a8f37d49b5c
version: 1.0.2
description: |
  Detects Vipasana ransomware's unique initialization sequence combining
  memory allocation with rapid directory discovery. 45ms pattern provides
  early detection before file damage.

condition: >
  sequence
    maxspan 45ms
    by ps.uuid
    |( kevt.name = 'MapViewFile'
       and file.view.type = 'PAGEFILE'
       and file.view.size = 16384 )|
    |( kevt.name = 'CreateFile'
       and file.path imatches 'C:\\Windows'
       and kevt.arg[type] = 'Directory' )|
    |( kevt.name = 'MapViewFile'
       and file.view.type = 'IMAGE'
       and file.path imatches
         'C:\\Windows\\System32\\wow64*.dll' )|
    |( kevt.name = 'CreateFile'
       and file.path imatches 'C:\\Users\\*\\Desktop\\'
       and kevt.arg[type] = 'Directory' )|
    |( kevt.name = 'MapViewFile'
       and file.view.type = 'IMAGE'
       and file.path imatches
         'C:\\Windows\\SysWOW64\\*.dll' )|

severity: critical
min-engine-version: 2.0.0

Ransomware File I/O: Enum / Delete / Create / Read / Write

2ms: unsigned process performing classic encrypt cycle on user folders

T1486 Fibratus CRITICAL +

name: Ransomware In Progress - File I/O variant
id: 9f7aab92-0002-4fcd-85ea-59692f44712f
version: 1.1.0
description: |
  Detects classic ransomware file operation sequence: enumerate directory,
  delete shadow copies or backups, create new encrypted files, read
  original content, and write encrypted data. 2ms sequential pattern
  captures the moment ransomware begins actively encrypting.

condition: >
  sequence
    maxspan 2ms
    by ps.uuid
    |( (image.signature.type = 'NONE' or pe.is_trusted = false)
       and (kevt.name = 'EnumDirectory'
            or kevt.name = 'DeleteFile')
       and file.path imatches (
         '?:\\Users\\*\\Desktop\\*',
         '?:\\Users\\*\\Documents\\*',
         '?:\\Users\\*\\Downloads\\*',
         '?:\\Users\\*\\Pictures\\*')
       and not ps.exe imatches '?:\\Program Files*' )|
    |( kevt.name = 'CreateFile'
       and file.operation in ('CREATE', 'OPEN')
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'ReadFile'
       and file.path imatches '?:\\Users\\*' )|
    |( (kevt.name = 'ReadFile' or kevt.name = 'WriteFile')
       and file.path imatches '?:\\Users\\*' )|
    |( (kevt.name = 'WriteFile' or kevt.name = 'CreateFile')
       and file.path imatches '?:\\Users\\*' )|

severity: critical
min-engine-version: 2.0.0

Ransomware File-to-File with Delete

17ms: open → read → create encrypted copy → write → delete original

T1486 Fibratus CRITICAL +

name: Ransomware In Progress - File-to-File with Delete
id: bd306ce2-03e8-46f8-9bf4-841c33b60056
version: 1.0.0
description: |
  Detects file-by-file encryption pattern where ransomware reads original
  files, creates encrypted copies with new extensions, then deletes
  originals. 17ms window captures the complete encrypt-and-delete cycle.

condition: >
  sequence
    maxspan 17ms
    by ps.uuid
    |( (image.signature.type = 'NONE' or pe.is_trusted = false)
       and kevt.name = 'CreateFile'
       and file.operation = 'OPEN'
       and file.path imatches (
         '?:\\Users\\*\\Desktop\\*',
         '?:\\Users\\*\\Documents\\*',
         '?:\\Users\\*\\Downloads\\*',
         '?:\\Users\\*\\Pictures\\*')
       and not ps.exe imatches '?:\\Program Files*' )|
    |( kevt.name = 'ReadFile'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'CreateFile'
       and file.operation = 'OPEN'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'WriteFile'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'DeleteFile'
       and file.path imatches '?:\\Users\\*' )|

severity: critical
min-engine-version: 2.0.0

Ransomware File-to-File with Rename and Delete

16ms LockBit pattern: open → create temp → write → rename → delete original

T1486 Fibratus CRITICAL +

name: Ransomware In Progress - File-to-File with Rename and Delete
id: cb3ec28b-0914-4f24-b84c-74185feecfba
version: 1.0.0
description: |
  Detects ransomware using temporary file encryption before renaming to
  final encrypted form and deleting originals. Used by families like
  LockBit. 16ms pattern catches the multi-step process.

condition: >
  sequence
    maxspan 16ms
    by ps.uuid
    |( (image.signature.type = 'NONE' or pe.is_trusted = false)
       and kevt.name = 'CreateFile'
       and file.operation = 'OPEN'
       and file.path imatches (
         '?:\\Users\\*\\Desktop\\*',
         '?:\\Users\\*\\Documents\\*',
         '?:\\Users\\*\\Downloads\\*',
         '?:\\Users\\*\\Pictures\\*')
       and not ps.exe imatches '?:\\Program Files*' )|
    |( kevt.name = 'CreateFile'
       and file.operation = 'OPEN'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'WriteFile'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'RenameFile'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'DeleteFile'
       and file.path imatches '?:\\Users\\*' )|

severity: critical
min-engine-version: 2.0.0

Ransomware Memory-to-File Post-Overwrite (Cerber)

15ms by file.object: open → read → write → write(size>0) → rename/delete

T1486 Fibratus CRITICAL +

name: Ransomware In Progress - Memory-to-File Post-Overwrite
id: 1e1350b5-4562-4515-b3bd-fcd7db52dd13
version: 1.0.0
description: |
  Detects Cerber-style encryption where files are opened, read into memory
  for encryption, written back encrypted, then subjected to additional
  operations. Tracked by file object for accurate correlation across the
  15ms window.

condition: >
  sequence
    maxspan 15ms
    by file.object
    |( kevt.name = 'CreateFile'
       and file.operation = 'OPEN'
       and file.path imatches '?:\\Users\\*'
       and not file.path imatches '?:\\Users\\*\\AppData\\*'
       and not ps.name in ('OneDrive.exe', 'Dropbox.exe',
         'explorer.exe', 'SearchProtocolHost.exe') )|
    |( kevt.name = 'ReadFile'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'WriteFile'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'WriteFile'
       and file.io.size > 0
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'RenameFile'
       or kevt.name = 'FileDelete'
       or kevt.name = 'FileCreate' )|

severity: critical
min-engine-version: 2.0.0

Ransomware Memory-to-File Pre-Overwrite (Wiper)

2ms destructive: open → rename to backup → overwrite with encrypted data

T1486 Fibratus CRITICAL +

name: Ransomware In Progress - Memory-to-File Pre-Overwrite
id: a72a98a9-d230-41e7-af68-c3e5105f3a2e
version: 1.0.2
description: |
  Detects immediate file corruption pattern where ransomware opens files,
  renames them to backup copies, then overwrites originals with encrypted
  content. Rapid 2ms sequence prevents file recovery. Common in wiper
  malware and destructive ransomware variants.

condition: >
  sequence
    maxspan 2ms
    by ps.uuid
    |( (image.signature.type = 'NONE' or pe.is_trusted = false)
       and kevt.name = 'CreateFile'
       and file.operation = 'OPEN'
       and file.path imatches (
         '?:\\Users\\*\\Desktop\\*',
         '?:\\Users\\*\\Documents\\*',
         '?:\\Users\\*\\Downloads\\*',
         '?:\\Users\\*\\Pictures\\*')
       and not ps.exe imatches '?:\\Program Files*' )|
    |( kevt.name = 'RenameFile'
       and file.path imatches '?:\\Users\\*' )|
    |( kevt.name = 'WriteFile'
       and file.io.size > 0
       and file.path imatches '?:\\Users\\*' )|

severity: critical
min-engine-version: 2.0.0

My Detection Work

GitHub Repos

CTI Dashboard

Formats

Initial Access & Discovery

Execution

Persistence

Defense Evasion

Credential Access

Command & Control

Impact / Ransomware

Use these detections