diff --git a/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx b/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx
new file mode 100644
index 00000000000..53016557c76
Binary files /dev/null and b/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx differ
diff --git a/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json b/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json
new file mode 100644
index 00000000000..658f4531b92
--- /dev/null
+++ b/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json
@@ -0,0 +1,59 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 7,
+ "Version": 3,
+ "Level": 4,
+ "Task": 7,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-02-04T08:43:28.342637Z"
+ }
+ },
+ "EventRecordID": 715282,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 776,
+ "ThreadID": 4352
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "srv-01.midgardnet.tech",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-02-04 08:43:28.234",
+ "ProcessGuid": "14207D89-06B0-6983-CF01-000000004402",
+ "ProcessId": 6672,
+ "Image": "C:\\Users\\SwachchhandaP\\Downloads\\fsquirt.exe",
+ "ImageLoaded": "C:\\Users\\SwachchhandaP\\Downloads\\bthprops.cpl",
+ "FileVersion": "-",
+ "Description": "-",
+ "Product": "-",
+ "Company": "-",
+ "OriginalFileName": "-",
+ "Hashes": "MD5=221877743CF329314E571E9398EFCA70,SHA256=863390BB749E466975A6A5330CCD077C846E1F387AAE0327AFFE33DF87153E67,IMPHASH=7FF91A855D5B3D338EB5B4CE63698F4A",
+ "Signed": "false",
+ "Signature": "-",
+ "SignatureStatus": "Unavailable",
+ "User": "MIDGARDNET\\SwachchhandaP"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml b/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
new file mode 100644
index 00000000000..8b9ff60f54c
--- /dev/null
+++ b/regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
@@ -0,0 +1,13 @@
+id: 8ee57597-baba-46bd-8a61-85ff51f7aab6
+description: N/A
+date: 2026-02-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
+ title: System Control Panel Item Loaded From Uncommon Location
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx
new file mode 100644
index 00000000000..dc860bf9572
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.json b/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.json
new file mode 100644
index 00000000000..76e787dad3a
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.json
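Review bot: The `regression_tests_info` list holds only a `Positive Detection Test` with `match_count: 1`, so nothing in this fixture set guards the rule's `filter_main_legit_location` exclusion — a later change that broke the System32/SysWOW64 filter would still pass. If the harness accepts it (I cannot tell from this diff), add a second entry with `match_count: 0` built from a legitimate load of one of the listed .cpl files from `C:\Windows\System32\`. `description: N/A` also leaves the scenario undocumented; the fixture JSON in this commit shows `fsquirt.exe` in a user's Downloads folder loading `bthprops.cpl` from the same directory, so `description: fsquirt.exe copied to the user's Downloads folder loads bthprops.cpl from the same directory (CPL side-loading)` would tell a reader what the event encodes.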
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-02-04T08:52:58.205267Z"
+ }
+ },
+ "EventRecordID": 715573,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 776,
+ "ThreadID": 4344
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "srv-01.midgardnet.tech",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-02-04 08:52:58.203",
+ "ProcessGuid": "14207D89-08EA-6983-2A02-000000004402",
+ "ProcessId": 5696,
+ "Image": "C:\\Users\\SwachchhandaP\\Downloads\\taskhost.exe",
+ "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+ "Description": "Windows Calculator",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CALC.EXE",
+ "CommandLine": "taskhost.exe",
+ "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\",
+ "User": "MIDGARDNET\\SwachchhandaP",
+ "LogonGuid": "14207D89-057C-6983-A047-0C0000000000",
+ "LogonId": "0xc47a0",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729",
+ "ParentProcessGuid": "14207D89-08EA-6983-2902-000000004402",
+ "ParentProcessId": 1816,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "cmd /c taskhost.exe",
+ "ParentUser": "MIDGARDNET\\SwachchhandaP"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
new file mode 100644
index 00000000000..932f770c7c7
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
@@ -0,0 +1,13 @@
+id: 0efa6f32-c1df-4053-91ca-cafc05416e79
+description: N/A
+date: 2026-02-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
+ title: System File Execution Location Anomaly
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx
new file mode 100644
index 00000000000..389571ced2c
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json b/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json
new file mode 100644
index 00000000000..80fd0b74e9c
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json
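Review bot: `description: N/A` says nothing about what this fixture exercises, and the accompanying JSON in this commit makes the scenario easy to state: a binary whose `OriginalFileName` is `CALC.EXE` and whose description is `Windows Calculator` is launched as `taskhost.exe` from the user's Downloads folder via `cmd /c taskhost.exe`. Suggest `description: Renamed calc.exe executed as taskhost.exe from the user's Downloads folder (system binary name outside its expected location)` so the next maintainer knows what the .evtx contains without opening it. As with the other fixture sets in this commit, only a positive case with `match_count: 1` is present, so the rule's own location exclusions are not covered by any negative test.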
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-02-04T08:47:45.988926Z"
+ }
+ },
+ "EventRecordID": 715337,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 776,
+ "ThreadID": 4344
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "srv-01.midgardnet.tech",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-02-04 08:47:45.987",
+ "ProcessGuid": "14207D89-07B1-6983-EA01-000000004402",
+ "ProcessId": 5592,
+ "Image": "C:\\Users\\SwachchhandaP\\Downloads\\svchost.exe",
+ "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+ "Description": "Windows Calculator",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CALC.EXE",
+ "CommandLine": ".\\svchost.exe",
+ "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\",
+ "User": "MIDGARDNET\\SwachchhandaP",
+ "LogonGuid": "14207D89-057C-6983-A047-0C0000000000",
+ "LogonId": "0xc47a0",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729",
+ "ParentProcessGuid": "14207D89-0781-6983-E201-000000004402",
+ "ParentProcessId": 984,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "MIDGARDNET\\SwachchhandaP"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml
new file mode 100644
index 00000000000..dc411cb1d3a
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml
@@ -0,0 +1,13 @@
+id: 9cee7767-9219-40b3-b77e-dedf82957c94
+description: N/A
+date: 2026-02-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
+ title: Suspicious Process Masquerading As SvcHost.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index 748f5a4bcbe..0f3b78e7836 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -8,7 +8,7 @@ references:
 - Internal Research
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-26
-modified: 2025-12-03
+modified: 2026-02-04
 tags:
 - attack.defense-evasion
 - attack.t1036.005
@@ -36,6 +36,7 @@ detection:
 - '\explorer.exe'
 - '\extrac32.exe'
 - '\fontdrvhost.exe'
+ - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
 - '\ipconfig.exe'
 - '\iscsicli.exe'
 - '\iscsicpl.exe'
diff --git a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
index 7cbfd97d7fa..02880444d06 100644
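Review bot: The new `'\fsquirt.exe'` entry in the second hunk of `file_event_win_creation_system_file.yml` carries its only justification in a trailing comment, while the rule's `references` list — whose last entry `- Internal Research` appears as context in the first hunk — is not updated; downstream consumers render `references`, not inline comments, so the source should also be added there as `- https://securelist.com/sidewinder-apt/114089/`, as this same commit does for the image_load rule. The insertion between `\fontdrvhost.exe` and `\ipconfig.exe` keeps the surrounding alphabetical order, which is correct. The list this hunk edits begins and ends outside the hunk.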
--- a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
@@ -1,29 +1,38 @@
 title: System Control Panel Item Loaded From Uncommon Location
 id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
 status: test
-description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
+description: |
+ Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
 references:
 - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
 - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
+ - https://github.com/mhaskar/FsquirtCPLPoC
+ - https://securelist.com/sidewinder-apt/114089/
 author: Anish Bogati
 date: 2024-01-09
+modified: 2026-02-17
 tags:
 - attack.defense-evasion
- - attack.t1036
+ - attack.persistence
+ - attack.privilege-escalation
+ - attack.t1574.001
 logsource:
 product: windows
 category: image_load
 detection:
 selection:
 ImageLoaded|endswith:
- - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
 - '\appwiz.cpl' # Usually loaded by fondue.exe
+ - '\bthprops.cpl' # Usually loaded by fsquirt.exe
+ - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
 filter_main_legit_location:
- ImageLoaded|contains:
- - ':\Windows\System32\'
- - ':\Windows\SysWOW64\'
- - ':\Windows\WinSxS\'
- condition: selection and not 1 of filter_*
+ ImageLoaded|startswith:
+ - 'C:\Windows\Prefetch\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
-level: medium
+level: high
+regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
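Review bot: Replacing `ImageLoaded|contains: ':\Windows\System32\'` with `ImageLoaded|startswith: 'C:\Windows\System32\'` hard-codes the system drive, so a host with Windows installed under another drive letter will now alert at `level: high` on every legitimate load of the three listed .cpl files; the old drive-agnostic form avoided that but would also have excluded attacker-controlled paths such as a mapped or subst drive that happens to contain `\Windows\System32\`, so the tightening is defensible. Record the trade-off rather than leaving `falsepositives` at `Unknown`, e.g. `- Windows installations on a drive other than C: will trigger on every legitimate load of the listed items`. The new `'C:\Windows\Prefetch\'` exclusion has no comment saying which legitimate process loads a .cpl from there — each selection entry carries a `# Usually loaded by ...` note, so add one of the same kind or drop the entry if it cannot be justified; I cannot tell from the diff what observation motivated it. `modified: 2026-02-17` also postdates the `date: 2026-02-04` stamped on the fixtures and on the other rule in this commit, which looks like a leftover.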
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 15a855db33f..77dc13da6d1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -41,6 +41,7 @@ detection:
 - '\dllhst3g.exe'
 - '\dwm.exe'
 - '\eventvwr.exe'
+ - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
 - '\finger.exe'
 - '\logonui.exe'
 - '\LsaIso.exe'
@@ -107,3 +108,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
index 5d48e3ea053..ab08855e581 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
@@ -33,3 +33,4 @@ detection:
 falsepositives:
 - Unlikely
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml
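Review bot: The new `'\fsquirt.exe'` line in the first hunk of `proc_creation_win_susp_system_exe_anomaly.yml` breaks the ordering of the surrounding image-name list (`\eventvwr.exe`, `\finger.exe`, `\logonui.exe` are sorted): `fs` sorts after `fi`, so the entry belongs after `- '\finger.exe'`, which is also where this commit correctly places the same name in `file_event_win_creation_system_file.yml` relative to its neighbours. Ordering does not change what the rule matches, but a misplaced entry in an otherwise sorted list is what the next contributor will stumble over when adding to it. As in the file-event rule, the Sidewinder source lives only in a trailing comment; consider adding `- https://securelist.com/sidewinder-apt/114089/` to this rule's `references` too, which is outside the hunk. The list this hunk edits begins and ends outside the hunk.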