Malicious Activity
Detects patterns indicating credential harvesting, backdoor installation, data exfiltration, or other malicious activities
62 rules in malicious_activity.yml
CRITICAL: 42 | HIGH: 16 | MEDIUM: 4
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| adb_ | CRITICAL | Android ADB Command Injection | adb shell receives a string interpolated from {{ user_command }}. An attacker-controlled command string runs on every connected Android device with debugging enabled. | |
| backdoor_ | CRITICAL | Backdoor in Bashrc | echo '… curl evil.com …' >> ~/.bashrc plants a callback that fires every time the user opens a shell. A classic low-tech persistence and beaconing pattern. | |
| bitlocker_ | CRITICAL | BitLocker Force-Enabled From Automation With Attacker-Controlled Recovery Key | A task invokes manage-bde -on <drive> -recoverypassword <password> or Enable-BitLocker -MountPoint <drive> -RecoveryPasswordProtector from an ad-hoc Ansible playbook (not a signed corporate MDM / GPO baseline). This is the exact primitive used by LockBit-4, BlackCat/ALPHV, and NoEscape 2024-2025 campaigns: the attacker turns the victim's own native BitLocker into a ransomware crypter, then withholds the recovery password. Legitimate BitLocker rollout always escrows the recovery key in AD / Intune / Azure AD - never in an inline playbook variable. | |
| cloud_ | CRITICAL | Cloud Credential Exposure | export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / GOOGLE_APPLICATION_CREDENTIALS=… resolves a {{ }} expression. The shape leaks cloud credentials into the shell environment of subsequent commands. | |
| confluence_ | CRITICAL | Confluence OGNL / Jenkins CLI Path Traversal Exploit Payload Invoked From Playbook | A task's uri, shell, command, or win_shell invocation contains an exploit payload matching Confluence CVE-2023-22527 OGNL injection (\${new javax.script.ScriptEngineManager(), Runtime.getRuntime().exec(, freemarker.template.utility.Execute), Jenkins CLI CVE-2024-23897 arg-at-file read (@/etc/passwd, @/var/jenkins_home/secrets), F5 BIG-IP iControl REST CVE-2022-1388 (/mgmt/tm/util/bash, X-F5-Auth-Token: ), Cisco IOS-XE WebUI CVE-2023-20198 backdoor account creation (/%25/NS/, username.*privilege 15), or VMware vCenter CVE-2024-37080 DCERPC heap overflow. These are uri:/shell: invocations that only make sense as an active exploit - legitimate playbooks never contain these literal attack strings. | |
| confluence_ | CRITICAL | Confluence Broken Access Control (CVE-2023-22515) Indicator | Creates a Confluence administrator account via the unauthenticated setup endpoint, the signature of CVE-2023-22515 post-exploitation. | |
| container_ | CRITICAL | Container Breakout Attempt | chroot /rootfs is invoked - the canonical second step after mounting the host root into a container. The shape escapes the container's filesystem isolation. | |
| container_ | CRITICAL | Container Command Injection | Container command: array contains a {{ user_command }} entry. The container's entrypoint runs the user-controlled string with the container's full capabilities. | |
| container_ | CRITICAL | Container Root Filesystem Mount | docker run -v /:/ | |
| credential_ | CRITICAL | Credential Dump Creation | cat heredoc writes a 'credential' file at a templated path. The shape stages a multi-credential dump for later exfiltration. | |
| credential_ | CRITICAL | Credential File Upload | curl -F file=@… uploads a 'credentials' path to a remote endpoint. The shape stages credentials for exfiltration via a multipart POST. | |
| credential_ | CRITICAL | Credential Harvesting from Environment | echo $MASTER_PASSWORD / AWS_ACCESS_KEY / GITHUB_TOKEN / DOCKER_TOKEN appended to ~/.bashrc, .bash_profile, .zshrc, or .zprofile. The shape exfiltrates env-resident secrets to a user-readable file. | |
| data_ | CRITICAL | curl Uploads Local File to External Endpoint (data-exfil primitive) | A shell/command task runs curl with a file-upload flag (-T /path / -F 'file=@/path' / -F 'upload=@/path' / --data-binary @/path / --upload-file /path) targeting an ANONYMOUS paste-or-upload service (transfer.sh, file.io, 0x0.st, x0.at, bashupload.com, oshi.at, catbox.moe, litterbox.catbox.moe, ix.io, dpaste.com, pastebin.com, paste.ee, hastebin.com, termbin.com, requestbin.net, webhook.site, beeceptor.com, ngrok.io, burpcollaborator.net, interact.sh). These are the canonical data-exfiltration landing pads in IR write-ups (MITRE T1567.002 - Exfiltration to Cloud Storage). Rule previously matched the keyword evil/attacker in curl URLs, which produced zero TPs, and every FP in the corpus came from Splunk-SOAR playbook description fields containing the word attacker. | |
| database_ | CRITICAL | Database Backdoor User Creation | Creating database users with hardcoded passwords and excessive privileges. | |
| database_ | CRITICAL | Database Privilege Escalation | Granting excessive database privileges that could enable backdoor access. | |
| discord_ | CRITICAL | Task POSTs To Discord / Telegram / Pastebin As Live C2 Or Exfil Channel | A task invokes uri, ansible.builtin.uri, community.general.slack misused, curl -X POST, or a Jinja-templated HTTP call against a Discord webhook (discord.com/api/webhooks/<id>/<token>), a Telegram bot API (api.telegram.org/bot<token>/sendMessage\|sendDocument), Pastebin paste API (pastebin.com/api/api_post.php), Hastebin / dpaste / ix.io, or a Keybase chat API. These endpoints are the 2024 default C2 / exfil channels for commodity loaders (AgentTesla, RedLine, Vidar, Lumma, Meduza Stealer) because they blend with legitimate SaaS traffic, TLS-encrypt automatically, and require no infrastructure on the attacker side. Legitimate automation essentially never POSTs to them. | |
| docker_ | CRITICAL | Privileged Container with Host Access | docker run --privileged combined with --pid=host or --net=host. The container shares the host's PID/network namespace with no capability filtering - effectively root on the host. | |
| hardcoded_ | CRITICAL | Hardcoded Database Password | psql/mysql/sqlcmd/sqlite3/mongo command-line carries WITH PASSWORD, IDENTIFIED BY, --password=, or -p with a 6+ char literal. The shape leaks the DB credential to argv and shell history. | |
| java_ | CRITICAL | Java Deserialization Gadget Chain (ysoserial / commons-collections InvokerTransformer) In Playbook / File | A task writes or transfers a file or string containing Java-deserialization gadget-chain signatures: the literal token ysoserial / ysoserial-modified, the aced0005 magic header of Java's ObjectOutputStream format (hex-encoded serialized object), or the classic commons-collections gadget-chain classes (InvokerTransformer, ChainedTransformer, InstantiateTransformer, TrAXFilter, PriorityQueue + Comparator, LazyMap, TransformingComparator). These are the confirmed building blocks of every widely-used Java-deser RCE from 2015 (CVE-2015-4852 WebLogic) through 2024 (Spring, ActiveMQ, Jackson, Confluence, OpenNMS). An Ansible playbook shipping a .ser / .bin file with this content is either delivering a weaponized payload or configuring a honeypot. Distinct from the 'log4shell' rules (that is JNDI lookup; this is classic Java deser). | |
| kubernetes_ | CRITICAL | Privileged Kubernetes Pod | Pod manifest sets hostNetwork: true, hostPID: true, or privileged: true. Each individually grants the pod near-host capabilities; combined, they make the pod equivalent to root on the node. | |
| log4shell_ | CRITICAL | Log4Shell (CVE-2021-44228) Exploitation Payload in Playbook | A task embeds a JNDI lookup string - ${jndi:ldap://...}, ${jndi:rmi://...}, ${jndi:dns://...}, or an obfuscated ${${lower:j}ndi:...} / ${::-j}${::-n}${::-d}${::-i}: form - into a header, URL parameter, template, or shell command. This is the Log4Shell exploitation vector against any unpatched Log4j 2.x <= 2.14.1 (CVE-2021-44228) or <= 2.15.0 (CVE-2021-45046). A playbook that ships this payload is either actively exploiting vulnerable targets or preserving a pen-test payload that must not land in production. | |
| log4shell_ | CRITICAL | Log4Shell (CVE-2021-44228) Mitigation Disabled | Sets log4j2.formatMsgNoLookups=false, or restores a JndiLookup class that a mitigation had removed from the log4j-core jar, re-opening Log4Shell exploitation. | |
| lolbas_ | CRITICAL | bitsadmin.exe /transfer Used To Download Remote Payload (LOLBAS) | A Windows task invokes bitsadmin /transfer <jobname> /download /priority <n> http://... <dest>. BITS (Background Intelligent Transfer Service) was designed for Windows Update, but the LOLBAS pattern bitsadmin /transfer downloads arbitrary files while appearing as a benign OS service, bypassing many network-activity heuristics because the traffic originates from the svchost.exe hosting BITS rather than from the caller. | |
| lolbas_ | CRITICAL | certutil.exe Used To Download Remote Payload (LOLBAS) | A Windows task invokes certutil.exe -urlcache -split -f http://... <dest> or certutil -decode <b64file> <exe> - the canonical LOLBAS primitive for fetching or decoding second-stage payloads while masquerading as a PKI tool. certutil is signed by Microsoft, runs in any user context, and is not blocked by the default Windows Defender Attack Surface Reduction baseline - which is exactly why commodity loaders (Qakbot, Emotet, Black Basta) use it. | |
| lolbas_ | CRITICAL | esentutl.exe Used To Copy NTDS.dit or SYSTEM Hive Via VSS (LOLBAS) | A task invokes esentutl.exe /y /vss C:\\Windows\\NTDS\\ntds.dit or /vss C:\\Windows\\System32\\config\\SYSTEM. esentutl's /y copy flag combined with /vss (Volume Shadow Copy) pulls a consistent copy of locked files - the preferred technique for offline NTDS.dit extraction after domain-admin compromise, because it avoids ntdsutil.exe ifm create, which drops obvious audit events. With NTDS.dit + SYSTEM hive an attacker has every AD credential hash. | |
| lolbas_ | CRITICAL | mshta.exe Executes Remote HTA / vbscript URL (LOLBAS) | A task runs mshta.exe http(s)://... or mshta.exe vbscript:.... mshta runs HTML Applications with full user privilege and no warning dialog, and is the dominant delivery vehicle for JScript / VBScript loaders in phishing campaigns (Qakbot, IcedID, SocGholish). The vbscript: scheme embeds the entire payload inline without touching disk. | |
| lolbas_ | CRITICAL | regsvr32.exe Used With scrobj.dll (Squiblydoo AppLocker Bypass) | A task invokes regsvr32.exe /s /u /n /i:http(s)://... scrobj.dll - the Squiblydoo AppLocker-bypass primitive. scrobj.dll (the Windows Script Component runtime) executes the remote .sct file's JScript/VBScript content in the context of the running user, bypassing AppLocker path/publisher rules because regsvr32 is a Microsoft-signed binary in a default-allowed location. | |
| moveit_ | CRITICAL | MOVEit-Style Webshell Drop (CVE-2023-34362 Signature) | Writes a human2.aspx / human2.php webshell or drops a LEMURLOOT-style ASPX handler, the signature used in the Cl0p MOVEit campaign. | |
| network_ | CRITICAL | Network Command Injection | ssh/lftp/sftp invocation interpolates {{ user_command }} into the remote command. The injected payload runs on the remote host, not the controller. | |
| office_ | CRITICAL | Office Macro-Enabled Document (.docm/.xlsm/.pptm) With AutoOpen/Workbook_Open VBA Pushed To Targets | A task uses win_copy, copy, fetch, get_url, or ansible.builtin.copy to transfer a macro-enabled Office document (.docm, .xlsm, .pptm, .dotm, .xlsb with vbaProject.bin, .xll Excel add-in) to user profile directories (%APPDATA%, Desktop, Documents, Downloads, Startup, XLSTART, Office Templates) OR explicitly references VBA auto-execution hooks (AutoOpen, AutoExec, Workbook_Open, Document_Open, Auto_Close, Class_Initialize). Office macros remain the #1 initial-access vector in the 2024 Verizon DBIR (16% of all breaches with a known TTP). Even with Microsoft's 2022 'Macros blocked from the Internet by default' policy, macros in internally-transferred documents (via Ansible playbook) execute without the MotW block. Detection of AutoOpen/Workbook_Open specifically catches the fire-on-open pattern that turns a policy push into RCE. Distinct from lateral-movement rules (this is specifically malicious document delivery via automation). | |
| powershell_ | CRITICAL | PowerShell Command Injection | powershell.exe / pwsh.exe -Command (or -ExecutionPolicy Bypass) receives a string interpolated from {{ user_command }}. PowerShell with bypassed execution policy runs anything the variable resolves to. | |
| ransomware_ | CRITICAL | Ransomware Note File Dropped To Multiple User Directories | A task templates or copies a file whose name matches the canonical ransomware-note shape (HOW_TO_DECRYPT*.txt, DECRYPT_INSTRUCTIONS*.txt, RESTORE-MY-FILES.txt, README_FOR_DECRYPT*.txt, _readme.txt with decrypt keyword in content) into C:\Users\*, /home/*, or /root. There is essentially no legitimate reason for a configuration playbook to drop such a filename - it is either a training exercise (which should live outside production inventories) or an active extortion payload. | |
| scheduled_ | CRITICAL | Scheduled Task Command Injection | schtasks /create /tr … receives a {{ user_command }} value as the task action. The action runs with the scheduling user's privileges every time the task fires. | |
| shell_ | CRITICAL | Shell Command Injection | /bin/{bash,sh,zsh,fish} -c receives a string interpolated from {{ user_command }}. The payload is whatever the variable resolves to; this is the textbook command-injection sink. | |
| spring4shell_ | CRITICAL | Spring4Shell (CVE-2022-22965) Exploitation Payload in Playbook | A task embeds the Spring4Shell exploitation primitive - class.module.classLoader.resources.context.parent.pipeline.first.pattern=..., class.module.classLoader.resources.context.parent.pipeline.first.suffix=..., or the AccessLogValve-based JSP webshell write (pattern=%{c2}i, suffix=.jsp, directory=webapps/ROOT). This is active exploitation of Spring Framework < 5.2.20 / < 5.3.18 on Tomcat with JDK >= 9 (CVE-2022-22965). | |
| spring4shell_ | CRITICAL | Spring4Shell (CVE-2022-22965) Vulnerable DataBinder | Deploys Spring Framework before 5.3.18 / 5.2.20 without disallowedFields protection, exposing the DataBinder RCE. | |
| ssh_ | CRITICAL | SSH Key Backdoor | ssh-keygen names a 'backdoor' key, or authorized_keys is appended to with a 'backdoor' label. Either shape installs an attacker-controlled SSH credential for persistence. | |
| ssrf_ | CRITICAL | SSRF to Cloud Instance Metadata Service From Ansible URI Module | An ansible.builtin.uri, ansible.builtin.get_url, community.general.uri, or raw curl/wget task targets a cloud instance-metadata endpoint: 169.254.169.254 (AWS / GCP / Azure / Oracle IMDS), fd00:ec2::254 (AWS IPv6 IMDS), metadata.google.internal, or metadata.azure.com. A playbook that pulls IMDS data and exfiltrates or templates it elsewhere is the canonical SSRF-to-credential-theft primitive (Capital One, Drupalgeddon successor campaigns) - and inside cloud CI runners where the playbook is attacker-influenced, IMDSv1 responses include the instance profile's temporary credentials. | |
| systemd_ | CRITICAL | Systemd Command Injection | systemd-run --scope --user receives a string interpolated from {{ user_command }}. systemd scopes inherit the invoking user's privileges and run whatever the variable resolves to. | |
| wdac_ | CRITICAL | WDAC / AppLocker Policy Merged With Allow-All Rule Or Set To Audit-Only From Playbook | A task runs Set-AppLockerPolicy -Merge, Set-CIPolicy, ConvertFrom-CIPolicy, or templates a WDAC .cip/.xml that contains a FileRule.Level="Hash" with wildcard Hash="*", OR toggles the policy mode to Audit (enforcement off) via Set-RuleOption -Option 3. WDAC (Windows Defender Application Control) and AppLocker are the Microsoft-recommended application-allowlisting controls for servers and privileged workstations. Merging an allow-all policy, or flipping to Audit-only, is the textbook EDR-bypass setup used by Scattered Spider and BlackCat/ALPHV affiliates in 2024-2025 ransomware intrusions before deploying unsigned ransomware payloads. | |
| windows_ | CRITICAL | Windows CMD Command Injection | cmd.exe /c or /k receives a string interpolated from {{ user_command }}. cmd metacharacters in the variable yield trivial command injection on Windows targets. | |
| wmic_ | CRITICAL | WMIC Command Injection | wmic process call create receives a {{ user_command }} argument. WMIC executes the string in the SYSTEM context on the target. | |
| advanced_ | HIGH | Advanced Data Harvesting | for-loop iterates over /etc/passwd and /etc/shadow as config_file values. Reading shadow requires root and is the shape used to stage offline password cracking. | |
| ci_ | HIGH | CI/CD Pipeline Injection | curl POSTs to jenkins/gitlab/github build, pipeline, or dispatches endpoints with attacker-controllable variables. The shape injects work into a CI system that runs with high-trust credentials. | |
| data_ | HIGH | Data Archiving for Exfiltration | tar -czf {{ … }}.tar.gz packages a templated source path into a single archive. Archives are the standard staging shape before egress. | |
| database_ | HIGH | Database Credential Exposure | mysql/PGPASSWORD/sqlplus/sqlcmd/cqlsh invocation embeds -p with a literal or templated value on argv. The credential appears in /proc/ | |
| dns_ | HIGH | DNS Rebinding Record - Same Name Resolves To Public IP + RFC1918/Localhost IP (SSRF Primitive) | A task renders DNS zone content (nsupdate, route53, cloudflare_dns_record, bind zone file, dnsmasq.conf, hosts file entry) where a SINGLE hostname has multiple A records mixing a public IP (1.2.3.4) with an internal (10.x, 172.16-31.x, 192.168.x), loopback (127.x), link-local (169.254.x), or metadata (169.254.169.254) IP. Also catches low-TTL records (TTL: 0 / TTL: 1) typical of rebinding attacks. Modern dns-rebind-toolkit / rebind.network / singularity attacks: the attacker-controlled DNS server returns the public IP for the first query (the user's browser loads attacker JS), then returns the internal IP for subsequent queries from the same page (the browser's same-origin policy is DNS-name-based, not IP-based) -> the attacker's JS now talks to the victim's internal network as if same-origin. Catches both malicious config AND accidentally-vulnerable DNS patterns from split-horizon bugs. | |
| enterprise_ | HIGH | Enterprise Service Exploitation | curl to Okta or Auth0 with Authorization: SSWS\|Bearer {{ ... }}. The shape exercises identity-provider APIs with playbook-resident bearer tokens. | |
| generic_ | HIGH | Generic Template Variable Injection | Using dangerous template variables that could allow command injection. | |
| hidden_ | HIGH | Hidden Command Execution | Commands with output suppression that could hide malicious activity. | |
| mobile_ | HIGH | Mobile Platform Exploitation | adb shell su -c or mount -o remount,rw /system. The shape remounts the Android system partition writable from a playbook-driven exploit chain. | |
| monitoring_ | HIGH | Monitoring System Compromise | curl targets elasticsearch _security/users, grafana admin users, or splunk authentication users. Compromising the monitoring tier disables the audit trail attackers want to evade. | |
| msbuild_ | HIGH | MSBuild Inline-Task XML (.csproj/.xml) Executed As LOLBIN For Unsigned Code Execution | A task creates a .csproj, .xml, .proj, or .targets file containing a <UsingTask> with inline Code Type="Class" / Code Type="Fragment" containing C# source, then invokes MSBuild.exe <file> / msbuild /t:<target> - OR the task uses powershell to execute MSBuild against a payload. MSBuild is a Microsoft-signed Windows binary (%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe) present on EVERY Windows host since .NET 4, so it bypasses AppLocker 'signed executables only' policies, bypasses Constrained Language Mode (it runs C#, not PowerShell), and its build output looks legitimate in EDR telemetry. Cobalt Strike, Brute Ratel, and Nighthawk all ship MSBuild inline-task templates for exactly this reason. The 2024 Red Canary Threat Report lists msbuild.exe as the #4 most-abused LOLBIN. | |
| multi_ | HIGH | Multi-Platform Exploitation | powershell.exe -ExecutionPolicy Bypass or cmd.exe /c\|/k with a {{ }} expression. The dual shape signals a payload designed to run across both Windows shell stacks. | |
| persistence_ | HIGH | Persistence Mechanism Installation | cat heredoc writes a LaunchDaemons .plist, or schtasks /create with a templated /tr action. Both shapes install persistence that survives reboot and respawns the payload. | |
| registry_ | HIGH | Windows Registry Manipulation | reg.exe add HKLM... with the value containing 'password', 'secret', 'key', or 'token'. The shape persists secret data in system-wide Windows registry hives. | |
| suspicious_ | HIGH | Suspicious Database Maintenance | Database operations hidden in maintenance scripts with output suppression. | |
| system_ | HIGH | Dangerous File Permissions | chmod 666 / 777 targets ~/.bashrc, ~/.ssh, ~/.aws, or ~/.docker. World-writable config files let any local user inject commands into the next shell or auth lookup. | |
| file_ | MEDIUM | File Permission Tampering | chmod 666 against a {{ … }} path makes a templated file world-writable. The shape disables filesystem isolation to land follow-on writes. | |
| network_ | MEDIUM | Network Enumeration | nmap -sS -O or masscan --rate is invoked with {{ }} arguments. Active port scanning from inside the network is the canonical lateral-movement preamble. | |
| system_ | MEDIUM | System Information Gathering | find -name -exec, ps aux \| grep, netstat \| grep, or env \| grep filtered against SECRET/PASSWORD/TOKEN. The combination is the post-exploitation reconnaissance shape. | |
| systemd_ | MEDIUM | Systemd Service Exploitation | systemd-run --scope --user receives a {{ }} expression. User-scoped systemd units inherit the invoker's session and are a quiet way to run code on managed hosts. | |