Page Contents

MITRE ATT&CK Analytics

MITRE ATT&CK Analytics¶

The MITRE ATT&CK alerts available in Alert Rules are:

LP_Bypass User Account Control using Registry¶

Trigger condition: Bypass of User Account Control (UAC) is detected. Adversaries bypass UAC mechanisms to elevate process privileges on the system. The alert queries for *\mscfile\shell\open\command\* or *\ms-settings\shell\open\command\*.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Bypass User Account Control
ATT&CK ID: T1548
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\mscfile\shell\open\command\*" or target_object="*\ms-settings\shell\open\command\*") -user IN EXCLUDED_USERS

LP_Mimikatz Detection LSASS Access Detected¶

Trigger condition: Process access to LSASS is detected, which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION “only old versions”, 0x0010 PROCESS_VM_READ).
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=10 image="C:\windows\system32\lsass.exe" access IN ["0x1410", "0x1010"] -user IN EXCLUDED_USERS

LP_UAC Bypass via Sdclt Detected¶

Trigger condition: User Account Control (UAC) bypass methods via changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand and HKCU:\Software\Classes\Folder\shell\open\command.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Bypass User Account Control
ATT&CK ID: T1548, T1548.002
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id="13" target_object IN ["HKU\*Classes\exefile\shell\runas\command\isolatedCommand", "HKU\*Classes\Folder\shell\open\command"]

LP_Unsigned Image Loaded Into LSASS Process¶

Trigger condition: Loading of unsigned images like DLL or EXE into the LSASS process is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, LSASS Memory
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=7 image="*\lsass.exe" signed="false" -user IN EXCLUDED_USERS

LP_Usage of Sysinternals Tools Detected¶

Trigger condition: The use of Sysinternals tools is detected due to the addition of accepteula key to a registry.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon

Query:

(event_id="13" target_object="*\EulaAccepted") OR (event_id="1" command="* -accepteula*")

LP_Microsoft SharePoint Remote Code Execution Detected¶

Trigger condition: The execution of a remote code in Microsoft SharePoint (CVE-2019-19781).
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, IDS/IPS, Web server

Query:

request_method=POST (url='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*' OR resource='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*')

LP_DenyAllWAF SQL Injection Attack¶

Trigger condition: DenyALLWAF detects SQL injection attack.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: DenyAll WAF

Query:

norm_id=DenyAllWAF label=SQL label=Injection

LP_Mitre - Initial Access - Valid Account - Unauthorized IP Access¶

Trigger condition: A user login event is detected from unauthorized countries. For this alert to work, you must update the KNOWN_COUNTRY list with countries where login is denied.
ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows

Query:

label=User label=Login source_address=* | process geoip(source_address) as country | search -country IN KNOWN_COUNTRY

LP_Windows CryptoAPI Spoofing Vulnerability Detected¶

Trigger condition: Vulnerability related to CVE-2020-0601 is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Subvert Trust Controls, Code Signing
ATT&CK ID: T1553, T1553.002
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer label=CVE label=Exploit label=Detect cve_id="CVE-2020-0601" -user IN EXCLUDED_USERS

LP_Malicious use of Scriptrunner Detected¶

Trigger condition: The malicious use of Scriptrunner.exe is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="create" label="process" ("process"="*\ScriptRunner.exe" OR file="ScriptRunner.exe") command="* -appvscript *"

LP_Javascript conversion to executable Detected¶

Trigger condition: A windows executable jsc.exe is used to convert javascript files to craft malicious executables.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Trusted Developer Utilities Proxy Execution
ATT&CK ID: TT1127
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="create" label="process" "process"="*\jsc.exe" command="*.js*"

LP_Suspicious Execution of Gpscript Detected¶

Trigger condition: A group policy script gpscript.exe is used to execute logon or startup scripts configured in Group Policy.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="create" label="process" "process"="*\gpscript.exe" command IN ["* /logon*", "* /startup*"]

LP_Proxy Execution via Desktop Setting Control Panel¶

Trigger condition: A windows internal binary rundll32 with desk.cpl is used to execute spoof binary with “.cpl” extension.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Rundll32
ATT&CK ID: T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="Process" label="Create" "process"="*\rundll32.exe" command="*desk.cpl*InstallScreenSaver*.scr*"

LP_ScreenSaver Registry Key Set Detected¶

Trigger condition: A file name masqueraded as .scr extension ran via rundll32 with desk.cpl, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Rundll32
ATT&CK ID: T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label=Registry label=Value label=Set "process"="*\rundll32.exe" detail="*.scr" -detail in ["*C:\Windows\system32\*","*C:\Windows\SysWOW64\*" ] target_object="*\Control Panel\Desktop\SCRNSAVE.EXE"

LP_Xwizard DLL Side Loading Detected¶

Trigger condition: The use of xwizard binary from the non-default directory is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: DLL Side-Loading
ATT&CK ID: T1574.002
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="Process" label=Create "process"="*\xwizard.exe" -"process"="C:\Windows\System32\*"

LP_DLL Side Loading Via Microsoft Defender¶

Trigger condition: An execution of mpcmdrun binary from non default path is detected.
ATT&CK Category: Persistence, Defense Evasion
ATT&CK Tag: DLL Side-Loading (2)
ATT&CK ID: T1574.002
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label=Image label=Load "process" IN ["*\MpCmdRun.exe","*\NisSrv.exe"] -"process" IN ["C:\Program Files\Windows Defender\*","'C:\ProgramData\Microsoft\Windows Defender\Platform\*"] image="*\mpclient.dll"

LP_ZIP File Creation or Extraction via Printer Migration CLI Tool¶

Trigger condition: The creation or extraction of .zip file via printbrm utility is detected.
ATT&CK Category: Defense Evasion, Command and Control
ATT&CK Tag: Ingress Tool Transfer, NTFS File Attributes
ATT&CK ID: T1105, T1564.004
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="Process" label="Create" "process"="*\printbrm.exe" command="*f *" command="*.zip*"

LP_Credentials Capture via Rpcping Detected¶

Trigger condition: The creation of Remote Procedure Call (RPC) via Rpcping binary is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="Process" label="Create" "process"="*\rpcping.exe" command="*s *" ( (command="*u *" command="*NTLM*") OR ( command="*t *" command="*ncacn_np*"))

LP_Suspicious ConfigSecurityPolicy Execution Detected¶

Trigger condition: A local file upload via ConfigSecurityPolicy binary to attack the control server is detected.
ATT&CK Category: Exfiltration
ATT&CK Tag: Exfiltration Over Web Service
ATT&CK ID: T1567
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="Process" label="Create" "process"="*\ConfigSecurityPolicy.exe" command IN ["*https://*","*http://*","*ftp://*"]

LP_C-Sharp Code Compilation Using Ilasm Detected¶

Trigger condition: C# code is either compiled into executables or into DLL using Ilasm utility.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Trusted Developer Utilities Proxy Execution
ATT&CK ID: T1127
Minimum Log Source Requirement: Windows Sysmon

Query:

label="Process" label="Create" ("process"="*\ilasm.exe" OR file="ilasm.exe")

LP_Process Dump via Resource Leak Diagnostic Tool¶

Trigger condition: A process dump is detected using a Microsoft Windows native tool rdrleakdiag.exe.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="process" label=create ("process"="*\RdrLeakDiag.exe" or file="RdrLeakDiag.exe") command="*fullmemdmp*"

LP_Suspicious DLL execution via Register-Cimprovider¶

Trigger condition: A dll file load/execution is detected using a Microsoft Windows native tool Register-Cimprovider.exe.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hijack Execution Flow
ATT&CK ID: TT1574
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

label="process" label="create" "process"="*\register-cimprovider.exe" command="*-path*" command="*dll*"

Accessibility features - Process¶

Trigger condition: An adversary establishes persistence and/or elevate privileges by executing malicious content by process features.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, Accessibility Features
ATT&CK ID: T1546,T1546.008
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 parent_image="*winlogon.exe" (image="*sethc.exe" or image="*utilman.exe" or image="*osk.exe" or image="*magnify.exe" or image="*displayswitch.exe" or image="*narrator.exe" or image="*atbroker.exe") -user IN EXCLUDED_USERS

LP_Accessibility Features-Registry¶

Trigger condition: An adversary establishes persistence and/or elevates privileges by executing malicious content, replacing accessibility feature binaries, pointers, or references to these binaries in the registry.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, Accessibility Features
ATT&CK ID: T1546,T1546.008
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" -user IN EXCLUDED_USERS

LP_Account Discovery Detected¶

Trigger condition: Adversaries attempt to get a listing of accounts on a system or within an environment that can help them determine which accounts exist to aid in follow-on behavior.
ATT&CK Category: -
ATT&CK Tag: Account Discovery, Local Account, Domain Account
ATT&CK ID: T1087,T1087.001,T1087.002
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*powershell.exe") (command="*net* user*" or command="*net* group*" or command="*net* localgroup*" or command="*cmdkey*\/list*" or command="*get-localuser*" or command="*get-localgroupmembers*" or command="*get-aduser*" or command="*query*user*") -user IN EXCLUDED_USERS

LP_Active Directory DLLs Loaded By Office Applications¶

Trigger condition: Kerberos DLL or DSParse DLL loaded by the Office products like WinWord, Microsoft PowerPoint, Microsoft Excel, or Microsoft Outlook.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Attachment
ATT&CK ID: T1566,T1566.001
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*\kerberos.dll*","*\dsparse.dll*"] -user IN EXCLUDED_USERS

LP_DCSync detected¶

Trigger condition: The abuse of Active Directory Replication Service (ADRS) detected from a non-machine account to request credentials or DC Sync by creating a new SPN.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, DCSync
ATT&CK ID: T1003,T1003.006
Minimum Log Source Requirement: Windows

Query:

((norm_id=WinServer event_id=4662 access_mask="0x100" properties IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*", "*Replicating Directory Changes All*"] -user="*$" -user="MSOL_*") or (norm_id=WinServer event_id=4742
service="*GC/*"))-user IN EXCLUDED_USERS

LP_Active Directory Replication User Backdoor¶

Trigger condition: Modification of the security descriptor of a domain object for granting Active Directory replication permissions to a user.
ATT&CK Category: Defense Evasion
ATT&CK Tag: File and Directory Permissions Modification, Windows File and Directory Permissions Modification
ATT&CK ID: T1222,T1222.001
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=5136 ldap_display="ntsecuritydescriptor" attribute_value IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"] -user IN EXCLUDED_USERS

LP_Active Directory Schema Change Detected¶

Trigger condition: The directory service object is changed, created, moved, deleted, or restored.
ATT&CK Category: Persistence, Privilege Escalation, Credential Access
ATT&CK Tag: Create or Modify System Process, Windows Service, Exploitation for Credential Access, Exploitation for Privilege Escalation
ATT&CK ID: T1212, T1068, T1543, T1543.003
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer* label=Directory label=Service label=Object (label=Change or label=Create or label=Move or label=Delete or label=Undelete) -user IN EXCLUDED_USERS

LP_AD Object WriteDAC Access Detected¶

Trigger condition: WRITE_DAC, which can modify the discretionary access-control list (DACL) in the object security descriptor, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: File and Directory Permissions Modification
ATT&CK ID: T1222
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4662 object_server="DS" access_mask=0x40000 object_type IN ["19195a5b-6da0-11d0-afd3-00c04fd930c9", "domainDNS"] -user IN EXCLUDED_USERS

LP_AD Privileged Users or Groups Reconnaissance Detected¶

Trigger condition: priv users or groups recon based on 4661 event ID and privileged users or groups SIDs are detected. The object names must be; domain admin, KDC service account, admin account, enterprise admin, group policy creators and owners, backup operator, or remote desktop users.
ATT&CK Category: Discovery
ATT&CK Tag: Account Discovery, Local Account, Domain Account
ATT&CK ID: T1087,T1087.001,T1087.002
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4661 object_type IN ["SAM_USER", "SAM_GROUP"] object_name IN ["*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555", "*admin*"] -user IN EXCLUDED_USERS

LP_Addition of SID History to Active Directory Object¶

Trigger condition: Addition of SID History to Active Directory Object is detected. An attacker can use the SID history attribute to gain additional privileges.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Access Token Manipulation, SID-History Injection
ATT&CK ID: T1134,T1134.005
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer (event_id IN ["4765", "4766"] OR (norm_id=WinServer event_id=4738 -SidHistory IN ["-", "%%1793"])) -user IN EXCLUDED_USERS

LP_Admin User Remote Logon Detected¶

Trigger condition: Successful remote login by the administrator depending on the internal pattern is detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4624 logon_type="10" (authentication_package="Negotiate" OR package="Negotiate") user="Admin-*" -user IN EXCLUDED_USERS | rename package as authentication_package

LP_Adobe Flash Use-After-Free Vulnerability Detected¶

Trigger condition: The exploitation of use-after-free vulnerability (CVE-2018-4878) in Adobe Flash is detected.
ATT&CK Category: Execution
ATT&CK Tag: User Execution
ATT&CK ID: T1204
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon label=Image label=Load source_image IN ["*winword.exe", "*excel.exe"] image='*Flash32*.ocx' -user IN EXCLUDED_USERS

LP_Adwind RAT JRAT Detected¶

Trigger condition: The applications like javaw.exe, cscript in the AppData folder, or set values of Windows Run* register used by Adwind or JRAT are detected.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, Visual Basic, JavaScript/JScript, Windows Command Shell, PowerShell
ATT&CK ID: T1059, T1059.001, T1059.003, T1059.005, T1059.007
Minimum Log Source Requirement: Windows Sysmon

Query:

(event_id=1 command IN ["*\AppData\Roaming\Oracle*\java*.exe *", "*cscript.exe *Retrive*.vbs *"]) OR (event_id=11 file IN ["*\AppData\Roaming\Oracle\bin\java*.exe", "*\Retrive*.vbs"]) OR (event_id=13 target_object="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*" detail="%AppData%\Roaming\Oracle\bin\*")

LP_Alternate PowerShell Hosts Detected¶

Trigger condition: Alert detects alternate Command and Scripting Interpreter or PowerShell hosts bypassing detections for the powershell.exe.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059,T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

(norm_id=WinServer event_id IN [4103, 400] event_source="Microsoft-Windows-PowerShell" -application="*powershell.exe") OR (norm_id=WindowsSysmon event_id=7 message="*system.management.automation*" image="*system.management.automation*" -source_image="*\powershell.exe") OR (norm_id=WindowsSysmon event_id=17 pipe="\PSHost*" -image="*\powershell.exe") -user IN EXCLUDED_USERS | rename image as "process", pipe as application

LP_Antivirus Exploitation Framework Detection¶

Trigger condition: Antivirus’s alert reports exploitation in a framework.
ATT&CK Category: Execution, Command and Control
ATT&CK Tag: Exploitation for Client Execution,Remote Access Tools
ATT&CK ID: T1203,T1219
Minimum Log Source Requirement: Antivirus

Query:

signature IN ["*MeteTool*", "*MPreter*", "*Meterpreter*", "*Metasploit*", "*PowerSploit*", "*CobaltSrike*",  "*Swrort*", "*Rozena*", "*Backdoor.Cobalt*", "*Msfvenom*", "*armor*", "*Empire*" ,"*SilentTrinity*", "*Ntlmrelayx"]

LP_Antivirus Password Dumper Detected¶

Trigger condition: Antivirus’s alert reports a password dumper.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

status IN ["*DumpCreds*", "*Mimikatz*", "*PWCrack*", "HTool/WCE", "*PSWtool*", "*PWDump*", "*SecurityTool*", "*PShlSpy*","*laZagne*"]

LP_Antivirus Web Shell Detected¶

Trigger condition: Antivirus’s alert reports a Web Shell.
ATT&CK Category: Persistence
ATT&CK Tag: Server Software Component, Web Shell
ATT&CK ID: T1505, T1505.003
Minimum Log Source Requirement: Antivirus

Query:

signature IN ["PHP/Backdoor*", "JSP/Backdoor*", "ASP/Backdoor*", "Backdoor.PHP*", "Backdoor.JSP*", "Backdoor.ASP*", "*Webshell*"]

LP_Apache Struts 2 Remote Code Execution Detected¶

Trigger condition: A remote code execution vulnerability (CVE-2017-5638) in Apache Struts 2 is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: ApacheTomcat

Query:

norm_id=ApacheTomcatServer label=Content label=Invalid label=Type | norm on content_type #cmd=<command:quoted>

LP_AppCert DLLs Detected¶

Trigger condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, AppCert DLLs
ATT&CK ID: T1546, T1546.009
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\System\CurrentControlSet\Control\Session Manager\AppCertDlls\*" -user IN EXCLUDED_USERS

LP_Application Shimming - File Access Detected¶

Trigger condition: Adversaries establish persistence and/or elevate privileges by executing malicious content initiated by application shims.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, Application Shimming
ATT&CK ID: T1546,T1546.011
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon ((event_id=11 file="*C:\Windows\AppPatch\Custom\*") or (event_id=1 image="*sdbinst.exe") or ((event_id=12 or event_id=13 or event_id=14) target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*"))  -user IN EXCLUDED_USERS

LP_Application Whitelisting Bypass via Bginfo Detected¶

Trigger condition: Adversaries bypass the process and/or signature-based defenses by executing a VBscript code referenced within the .bgi file.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 image="*\bginfo.exe" command="*/popup*" command="*/nolicprompt*" -user IN EXCLUDED_USERS

LP_Application Whitelisting Bypass via DLL Loaded by odbcconf Detected¶

Trigger condition: Adversaries bypass the process and/or signature-based defenses via odbcconf.exe execution to load DLL.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Odbcconf
ATT&CK ID: T1218, T1218.008
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 ((image="*\odbcconf.exe" command IN ["*-f*", "*regsvr*"]) OR (parent_image="*\odbcconf.exe" image="*\rundll32.exe")) -user IN EXCLUDED_USERS

LP_Application Whitelisting Bypass via Dnx Detected¶

Trigger condition: Adversaries bypass the process and/or signature-based defenses by execution of C# code located in the consoleapp folder.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 image="*\dnx.exe" -user IN EXCLUDED_USERS

LP_Audio Capture Detected¶

Trigger condition: The use of Powershell, sound recorder application, or command to get the audio device is detected. Adversaries attempt to leverage peripheral devices or applications to obtain audio recordings for sensitive conversations.
ATT&CK Category: Collection
ATT&CK Tag: Audio Capture
ATT&CK ID: T1123
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 ((image="*SoundRecorder.exe" and command="*/FILE*") or command="*Get-AudioDevice*" or command="*WindowsAudioDevice-Powershell-Cmdlet*") -user IN EXCLUDED_USERS

LP_Authentication Package Detected¶

Trigger Condition: The LSA process is loaded by services other than lssac, svchos, msiexec, and services. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at the system start. Adversaries may abuse authentication packages to execute DLLs when the system boots.
ATT&CK Category: Persistence
ATT&CK Tag: Boot or Logon Autostart Execution, Authentication Package, Security Support Provider
ATT&CK ID: T1547, T1547.002, T1547.005
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SYSTEM\CurrentControlSet\Control\Lsa\*") -image in ["*C:\WINDOWS\system32\lsass.exe","*C:\Windows\system32\svchost.exe","*C:\Windows\system32\services.exe","C:\Windows\system32\msiexec.exe","C:\Windows\system32\Msiexec.exe"]
-user IN EXCLUDED_USERS

LP_Autorun Keys Modification Detected¶

Trigger Condition: Modification of autostart extensibility point (ASEP) in the registry is detected. ASEP allows a particular program to run automatically when a user logs into the system. Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: T1547 - Boot or Logon Autostart Execution (2), T1547.001 - Registry Run Keys / Startup Folder (2)
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\software\Microsoft\Windows\CurrentVersion\Run*", "*\software\Microsoft\Windows\CurrentVersion\RunOnce*", "*\software\Microsoft\Windows\CurrentVersion\RunOnceEx*", "*\software\Microsoft\Windows\CurrentVersion\RunServices*", "*\software\Microsoft\Windows\CurrentVersion\RunServicesOnce*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*", "*\software\Microsoft\Windows NT\CurrentVersion\Windows*", "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*"] -user IN EXCLUDED_USERS

LP_Batch Scripting Detected¶

Trigger Condition: Adversaries abuse command and script interpreters to execute commands, scripts or binaries.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter
ATT&CK ID: T1059
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=11 file in ["*.bat", "*.cmd"] -user IN EXCLUDED_USERS

LP_BITS Jobs - Network Detected¶

Trigger Condition: The BITS job network connection is detected. An adversary abuses BITS jobs to execute or clean up after executing malicious payload.
ATT&CK Category: Defense Evasion, Persistence
ATT&CK Tag: BITS Jobs
ATT&CK ID: T1197
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=3 image="*bitsadmin.exe" -user IN EXCLUDED_USERS

LP_BITS Jobs - Process Detected¶

Trigger Condition: Creation of the BITS job process. An adversary abuses BITS jobs to execute or clean up after executing the malicious payload.
ATT&CK Category: Defense Evasion, Persistence
ATT&CK Tag: BITS Jobs
ATT&CK ID: T1197
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (image="*bitsamin.exe" or command="*Start-BitsTransfer*") -user IN EXCLUDED_USERS

LP_Bloodhound and Sharphound Hack Tool Detected¶

Trigger Condition: Command-line parameters used by Bloodhound and Sharphound hack tools are detected.
ATT&CK Category: Discovery
ATT&CK Tag: Account Discovery
ATT&CK ID: T1087
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (image IN ["*\Bloodhound.exe*", "*\SharpHound.exe*"] OR command IN ["* -CollectionMethod All *", "*.exe -c All -d *", "*Invoke-Bloodhound*", "*Get-BloodHoundData*"] OR (command="* -JsonFolder *" command="* -ZipFileName *") OR (command="* DCOnly *" command="* --NoSaveCache *")) -user IN EXCLUDED_USERS

LP_BlueMashroom DLL Load Detected¶

Trigger Condition: DLL loading from AppData Local path described in BlueMashroom report is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32
ATT&CK ID: T1218, T1218.010
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 command IN ["*\regsvr32*\AppData\Local\*", "*\AppData\Local\*, DllEntry*"] -user IN EXCLUDED_USERS

LP_Browser Bookmark Discovery¶

Trigger Condition: Adversaries search Mozilla Firefox’s places.sqlite file containing bookmark. They attempt to enumerate browser bookmarks to extract information on compromised hosts, users, and internal resources.
ATT&CK Category: Discovery
ATT&CK Tag: Browser Bookmark Discovery
ATT&CK ID: T1217
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (command="*firefox*places.sqlite*") -user IN EXCLUDED_USERS

LP_CACTUSTORCH Remote Thread Creation Detected¶

Trigger Condition: Creation of a remote thread from CACTUSTORCH.
ATT&CK Category: Execution
ATT&CK Tag: Process Injection, Command and Scripting Interpreter
ATT&CK ID: T1055, T1059
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=8 source_image IN ["*\System32\cscript.exe", "*\System32\wscript.exe", "*\System32\mshta.exe", "*\winword.exe", "*\excel.exe"] image="*\SysWOW64\*" -start_module=* -user IN EXCLUDED_USERS

LP_Call to a Privileged Service Failed¶

Trigger Condition: The privileged service call using LsaRegisterLogonProcess fails.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Valid Account
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4673 service="LsaRegisterLogonProcess()" event_type="*Failure*" -user IN EXCLUDED_USERS

LP_Capture a Network Trace with netsh¶

Trigger Condition: Network trace capture via netsh.exe trace functionality is detected.
ATT&CK Category: Discovery
ATT&CK Tag: Network Sniffing
ATT&CK ID: T1040
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 command="*netsh*" command="*trace*" command="*start*" -user IN EXCLUDED_USERS

LP_CEO Fraud - Possible Fraudulent Email Behavior¶

Trigger Condition: An email received from a threat source in the internal network exhibits fraudulent behavior. For this alert to work, you must update the following:
- HOME_DOMAIN, which is the list of selected domain names. For example, logpoint.com
- MANAGERS, which is the list of selected managers and executives. For example, Alice
- SERVER_ADDRESS, which is the list of trusted clients or servers from where the emails are received.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing
ATT&CK ID: T1566, T1566.001
Minimum Log Source Requirement: Exchange MT

Query:

norm_id=ExchangeMT event_id=receive sender=* receiver IN HOME_DOMAIN original_client_address=* -original_client_address IN SERVER_ADDRESS | norm on sender <target_manager:all>@<domain:string> |
norm on message_id @<original_domain:'.*'><:'\>'> | search target_manager IN MANAGERS

LP_Certutil Encode Detected¶

Trigger Condition: The certutil command, sometimes used for data exfiltration, is used to encode files.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Obfuscated Files or Information
ATT&CK ID: T1027
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 command IN ["certutil -f -encode *", "certutil.exe -f -encode *", "certutil -encode -f *", "certutil.exe -encode -f *"] -user IN EXCLUDED_USERS

LP_Chafer Activity Detected¶

Trigger Condition: The Chafer activity attributed to OilRig reported in Nyotron report in March 2018 is detected.
ATT&CK Category: Execution, Persistence, Privilege Escalation
ATT&CK Tag: Scheduled Task/Job, Scheduled Task
ATT&CK ID: T1053, T1053.005
Minimum Log Source Requirement: Windows

Query:

norm_id=WindowsSysmon event_id=1 (command="*Get-History*" or command="*AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt*" or command="*(Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS

LP_Change of Default File Association Detected¶

Trigger Condition: A registry value is set to change the file association. Adversaries establish persistence by executing malicious content triggered by a file type association.
ATT&CK Category: Persistence
ATT&CK Tag: Event Triggered Execution, Change Default File Association
ATT&CK ID: T1546, T1546.001
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="*HKEY_CLASSES_ROOT\mscfile*" detail in ["*powershell*", "*.exe*", "*.dat*"] -user IN EXCLUDED_USERS

LP_Citrix ADC VPN Directory Traversal Detected¶

Trigger Condition: The exploitation of directory traversal vulnerability (CVE-2019-19781) in Citrix ADC is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: External Remote Services
ATT&CK ID: T1133
Minimum Log Source Requirement: Webserver, Firewall

Query:

norm_id=* (url="*/../vpns/*" OR resource="*/../vpns/*")

LP_Clear Command History¶

Trigger Condition: Deletion of command history is detected. Adversaries delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indicator Removal on Host, Clear Command History
ATT&CK ID: T1070, T1070.003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" or command="*del (Get-PSReadlineOption).HistorySavePath*" or command="*Set-PSReadlineOption -HistorySaveStyle SaveNothing*" or command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS

LP_Clearing of PowerShell Logs Detected¶

Trigger Condition: Clearance of console history logs is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indicator Removal on Host
ATT&CK ID: T1070
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4103 (command_name="Remove-Item" OR command="Remove-Item") payload="*consolehost*history*" -user IN EXCLUDED_USERS | rename command_name as command

LP_Clipboard Data Access Detected¶

Trigger Condition: Adversaries collect data stored in a clipboard from users copying information within or between applications.
ATT&CK Category: Collection
ATT&CK Tag: Clipboard Data
ATT&CK ID: T1115
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (image="*clip.exe" or command="*Get-Clipboard*") -user IN EXCLUDED_USERS

LP_Clop Ransomware Emails Sent to Attacker¶

Trigger Condition: Email communication is established to or from Clop Ransomware listed emails.
ATT&CK Category: Exfiltration, Collection
ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection
ATT&CK ID: T1041, T1114
Minimum Log Source Requirement: Exchange MT

Query:

(receiver in CLOP_RANSOMWARE_EMAILS OR sender in CLOP_RANSOMWARE_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host

LP_Clop Ransomware Infected Host Detected¶

Trigger Condition: Clop ransomware infected host is detected.
ATT&CK Category: Impact
ATT&CK Tag: Data Encrypted for Impact
ATT&CK ID: T1486
Minimum Log Source Requirement: Windows Sysmon

Query:

host=* hash=* hash IN CLOP_RANSOMWARE_HASHES

LP_Cmdkey Cached Credentials Recon Detected¶

Trigger Condition: The usage of cmdkey to detect cached credentials.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 image="*\cmdkey.exe" command="* /list *" -user IN EXCLUDED_USERS

LP_CMSTP Detected¶

Trigger Condition: Adversary abuses CMSTP for proxy execution of malicious code. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Also, the adversary supplies CMSTP.exe with INF files infected with malicious commands.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Signed Binary Proxy Execution, CMSTP
ATT&CK ID: T1218, T1218.003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 image="*CMSTP.exe" -user IN EXCLUDED_USERS

LP_CMSTP Execution Detected¶

Trigger Condition: Loading and execution of local or remote payloads using CMSTP. Adversaries abuse CMSTP.exe to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. The execution bypasses AppLocker, and other whitelisting defenses since CMSTP.exe is a legitimate and signed Microsoft application.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Signed Binary Proxy Execution, CMSTP
ATT&CK ID: T1218, T1218.003
Minimum Log Source Requirement: Windows Sysmon

Query:

(event_id=12 target_object="*\cmmgr32.exe*") OR (event_id=13 target_object="*\cmmgr32.exe*") OR (event_id=10 call_trace="*cmlua.dll*") OR (event_id=1 parent_image="*\cmstp.exe")

LP_CMSTP UAC Bypass via COM Object Access¶

Trigger Condition: Loading and execution of local or remote payloads using CMSTP. Adversaries abuse CMSTP.exe to bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.
ATT&CK Category: Defense Evasion, Privilege Escalation, Execution
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control, Signed Binary Proxy Execution, CMSTP
ATT&CK ID: T1548, T1218, T1218.003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 parent_command="*\DllHost.exe" parent_command IN ["*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "*{3E000D72-A845-4CD9-BD83-80C07C3B881F}"] -user IN EXCLUDED_USERS

LP_CobaltStrike Process Injection Detected¶

Trigger Condition: Creation of remote threat with specific characteristics that are typical for Cobalt Strike beacons.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=8 start_address IN ["*0B80", "*0C7C", "*0C88"] -user IN EXCLUDED_USERS

LP_Windows Command Line Execution with Suspicious URL and AppData Strings¶

Trigger Condition: Execution of Windows command line with command line parameters URL and AppData string used by droppers.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=8 start_address IN ["*0B80", "*0C7C", "*0C88"] -user IN EXCLUDED_USERS

LP_Compiled HTML File Detected¶

Trigger Condition: Adversary abuses Compiled HTML files (.chm) to conceal malicious code.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Signed Binary Proxy Execution, Compiled HTML File
ATT&CK ID: T1218, T1218.001
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 image="*hh.exe" -user IN EXCLUDED_USERS

LP_Component Object Model Hijacking Detected¶

Trigger Condition: Adversaries establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
ATT&CK Category: Defense Evasion, Persistence
ATT&CK Tag: Inter-Process Communication, Event Triggered Execution, Component Object Model Hijacking
ATT&CK ID: T1546, T1546.015
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\Software\Classes\CLSID*" -user IN EXCLUDED_USERS

LP_Connection to Hidden Cobra Source¶

Trigger Condition: Hosts establish an outbound connection to Hidden Cobra sources.
ATT&CK Category: Command and Control, Defense Evasion
ATT&CK Tag: Command and Control, Defense Evasion
ATT&CK ID: T1090, T1211
Minimum Log Source Requirement: Firewall, IDS/IPS

Query:

(source_address=* OR destination_address=*) destination_address in HIDDEN_COBRA_IPS | process dns(source_address) as host | process geoip(destination_address) as country

LP_Console History Discovery Detected¶

Trigger Condition: Adversaries attempt to get detailed information about the console history discovery.
ATT&CK Category: Discovery
ATT&CK Tag: System Information Discovery
ATT&CK ID: T1082
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (command="*Get-History*" or command="*AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt*" or command="*(Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS

LP_Control Panel Items - Process Detected¶

Trigger Condition: Adversary abuses control.exe for proxy execution of malicious payloads.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items
ATT&CK ID: T1218, T1218.002
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (command="*control \/name*" or command="*rundll32 shell32.dll, Control_RunDLL*") -user IN EXCLUDED_USERS

LP_Control Panel Items - Registry Detected¶

Trigger Condition: Adversary abuses control.exe for proxy execution of malicious payloads.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items
ATT&CK ID: T1218, T1218.002
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace*" or target_object="*\Software\Microsoft\Windows\CurrentVersion\Controls Folder\*\Shellex\PropertySheetHandlers\*" or target_object="*\Software\Microsoft\Windows\CurrentVersion\Control Panel\*") -user IN EXCLUDED_USERS

LP_Control Panel Items Detected¶

Trigger Condition: Adversary attempts to use a control panel item (.cpl) outside the System32 folder.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items
ATT&CK ID: T1218, T1218.002
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 command="*.cpl" -command IN ["*\System32\*", "*%System%*"] -user IN EXCLUDED_USERS

LP_Copying Sensitive Files with Credential Data¶

Trigger Condition: Copying of sensitive files with credential data is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 ((image="*\esentutl.exe" command IN ["*vss*", "* /m *", "* /y *"]) OR command IN ["*\windows\ntds\ntds.dit*", "*\config\sam*", "*\config\security*", "*\config\system *", "*\repair\sam*", "*\repair\system*", "*\repair\security*", "*\config\RegBack\sam*", "*\config\RegBack\system*", "*\config\RegBack\security*"]) -user IN EXCLUDED_USERS

LP_Copyright Violation Email¶

Trigger Condition: An email with copyright or infringement contents as message subject is received. For this alert to work, the list KNOWN_SERVER_HOST must be updated known mail servers.
ATT&CK Category: Collection
ATT&CK Tag: Email Collection
ATT&CK ID: T1114
Minimum Log Source Requirement: ExchangeMT

Query:

device_category=Email* sender=* receiver=* -source_host IN KNOWN_SERVER_HOST subject IN ["*copyright*", "*infringement*"] | norm on receiver <user:all>@<domain:string>

LP_CrackMapExecWin Detected¶

Trigger Condition: CrackMapExecWin activity as described by NCSC is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\crackmapexec.exe"] -user IN EXCLUDED_USERS

LP_CreateMiniDump Hacktool Detected¶

Trigger Condition: The use of the CreateMiniDump hack tool to dump the LSASS process memory for credential extraction on the attacker’s machine is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping, LSASS Memory
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon

Query:

(event_id=1 (image="*\CreateMiniDump.exe*" OR hash="4a07f944a83e8a7c2525efa35dd30e2f")) OR (event_id=11 file="*\lsass.dmp*")

LP_CreateRemoteThread API and LoadLibrary¶

Trigger Condition: The use of CreateRemoteThread API and LoadLibrary function to inject DLL into a process is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=8 start_module="*\kernel32.dll" start_function="LoadLibraryA" -user IN EXCLUDED_USERS

LP_Command Obfuscation in Command Prompt¶

Trigger Condition: Adversaries abuse the Windows command shell for the execution of commands, scripts, or binaries.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell
ATT&CK ID: T1059, T1059.003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command IN ['*^*^*^*^*', '*set*=*call*%*%*','*s^*e^*t*']

LP_Command Obfuscation via Character Insertion¶

Trigger Condition: Command obfuscation of command prompt by character insertion is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell
ATT&CK ID: T1059, T1059.003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command='cmd*/c*' | norm on parent_command <command_match:'[^\w](s\^+e\^*t|s\^*e\^+t)[^\w]'>| search command_match=*

LP_Command Obfuscation via Environment Variable Concatenation Reassembly¶

Trigger Condition: Command obfuscation in command prompt by environment variable concatenation reassembly is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell
ATT&CK ID: T1059, T1059.003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command='cmd*/c*' | norm on parent_command <command_match:'%[^%]+%{4}'> | search command_match=*

LP_Credential Access via Input Prompt Detected¶

Trigger Condition: Adversary captures user input to obtain credentials or collect information via Input Prompt.
ATT&CK Category: Credential Access, Collection
ATT&CK Tag: Input Capture, GUI Input Capture
ATT&CK ID: T1056, T1056.002
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4104 (scriptblocktext="*UI.prompt*credential*" OR script_block="*UI.prompt*credential*") -user IN EXCLUDED_USERS | rename scriptblocktext as script_block

LP_Credential Dump Tools Dropped Files Detected¶

Trigger Condition: Creation of files with a well-known filename (i.e., parts of credential dump software or files produced by them) is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=11 file IN ["*\pwdump*", "*\kirbi*", "*\pwhashes*", "*\wce_ccache*", "*\wce_krbtkts*", "*\fgdump-log*", "*\test.pwd", "*\lsremora64.dll", "*\lsremora.dll", "*\fgexec.exe", "*\wceaux.dll", "*\SAM.out", "*\SECURITY.out", "*\SYSTEM.out", "*\NTDS.out", "*\DumpExt.dll", "*\DumpSvc.exe", "*\cachedump64.exe", "*\cachedump.exe", "*\pstgdump.exe", "*\servpw.exe", "*\servpw64.exe", "*\pwdump.exe", "*\procdump64.exe"] -user IN EXCLUDED_USERS

LP_Credential Dumping - Process Creation¶

Trigger Condition: An adversary attempts to dump credentials for obtaining account login and credential material using different commands like ntdsutil, procdump, wce, or gsecdump, in the form of a hash or a clear text password from operating systems and software.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (command="*Invoke-Mimikatz -DumpCreds*" or command="*gsecdump -a*" or command="*wce -o*" or command="*procdump -ma lsass.exe" or command="*ntdsutil*ac i ntds*ifm*create full*") -user IN EXCLUDED_USERS

LP_Credential Dumping - Process Access¶

Trigger Condition: An adversary attempts to dump credentials for obtaining account login and credential material using different commands like ntdsutil, procdump, wce, or gsecdump, in the form of a hash or a clear text password from operating systems and software.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=10 target_image="*C:\Windows\system32\lsass.exe" (access="*0x1010*" or access="*0x1410*" or access="*0x147a*" or access="*0x143a*") call_trace="*C:\Windows\SYSTEM32\ntdll.dll" or call_trace="*C:\Windows\system32\KERNELBASE.dll" or call_trace="*|UNKNOWN(*)" -user IN EXCLUDED_USERS

LP_Credential Dumping - Registry Save¶

Trigger Condition: Adversary attempts to dump credentials for obtaining account login and credential material exploiting registries, generally in the form of a hash or a clear text password from operating systems and software using different commands like ntdsutil, procdump, wce, or gsecdump.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 image="*reg.exe" (command="*save*HKLM\sam*" or command="*save*HKLM\system*") -user IN EXCLUDED_USERS

LP_Credential Dumping with ImageLoad Detected¶

Trigger Condition: Adversaries dump credentials to obtain account login and credential material using dll images.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=7 (image="*C:\Windows\System32\samlib.dll*" or image="*C:\Windows\System32\WinSCard.dll*" or image="*C:\Windows\System32\cryptdll.dll*" or image="*C:\Windows\System32\hid.dll*" or image="*C:\Windows\System32\vaultcli.dll*") (image!="*\Sysmon.exe" or image!="*\svchost.exe" or image!="*\logonui.exe") -user IN EXCLUDED_USERS

LP_Credentials Access in Files Detected¶

Trigger Condition: Adversaries searching for files containing insecurely stored credentials in local file systems and remote file shares are detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Unsecured Credentials, Credentials in Files
ATT&CK ID: T1552, T1552.001
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (command="*findstr* /si pass*" or command="*select-string -Pattern pass*" or command="*list vdir*/text:password*") -user IN EXCLUDED_USERS

LP_Credentials Dumping Tools Accessing LSASS Memory¶

Trigger Condition: A process accessing LSASS memory, which is typical for credentials dumping tools, is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping, LSASS Memory
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon

Query:

event_id=10 image="*\lsass.exe" access IN ["*0x40*", "*0x1000*", "*0x1400*", "*0x100000*", "*0x1410*", "*0x1010*", "*0x1438*", "*0x143a*", "*0x1418*", "*0x1f0fff*", "*0x1f1fff*", "*0x1f2fff*", "*0x1f3fff*"] -"process" IN ["*\wmiprvse.exe", "*\taskmgr.exe", "*\procexp64.exe", "*\procexp.exe", "*\lsm.exe", "*\csrss.exe", "*\wininit.exe", "*\vmtoolsd.exe"] -user IN EXCLUDED_USERS

LP_Credentials in Registry Detected¶

Trigger Condition: Adversaries search registry of compromised systems to obtain insecurely stored credentials.
ATT&CK Category: Credential Access
ATT&CK Tag: Unsecured Credentials, Credentials in Registry
ATT&CK ID: T1552, T1552.002
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (command="*reg query HKLM \/f password \/t REG_SZ \/s*" or command="*reg query HKCU \/f password \/t REG_SZ \/s*" or command="*Get-UnattendedInstallFile*" or command="*Get-Webconfig*" or command="*Get-ApplicationHost*" or command="*Get-SiteListPassword*" or command="*Get-CachedGPPPassword*" or command="*Get-RegistryAutoLogon*") -user IN EXCLUDED_USERS

LP_Curl Start Combination Detected¶

Trigger Condition: Adversaries attempt to use curl to download payloads remotely and execute them. Windows 10 build 17063 and later includes Curl by default.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 command="*curl* start *" -user IN EXCLUDED_USERS

LP_CVE-2019-0708 RDP RCE Vulnerability Detected¶

Trigger Condition: The use of a scanner by zerosum 0x0 discovers targets vulnerable to CVE-2019-0708 RDP RCE known as BlueKeep.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Exploitation of Remote Services
ATT&CK ID: T1210
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4625 user="AAAAAAA" -user IN EXCLUDED_USERS

LP_Data Compression Detected in Windows¶

Trigger Condition: Adversary compresses and/or encrypt data that is collected before exfiltration is detected using PowerShell or RAR.
ATT&CK Category: Collection
ATT&CK Tag: Archive Collected Data
ATT&CK ID: T1560
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (image="*powershell.exe" command="*-Recurse Compress-Archive*") or (image="*rar.exe" command="*rar*a*") -user IN EXCLUDED_USERS

LP_Data Staging Process Detected in Windows¶

Trigger Condition: Adversaries attempt to stage collected data in a central location or directory before exfiltration is detected.
ATT&CK Category: Collection
ATT&CK Tag: Data Staged
ATT&CK ID: T1074
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 ((command="*DownloadString" command="*Net.WebClient*") or (command="*New-Object" command="*IEX*")) -user IN EXCLUDED_USERS

LP_Default Accepted Traffic From Bad IP¶

Trigger Condition: A connection is allowed from known bad IP. For this alert to work, you must update the list ALERT_BAD_IP.
ATT&CK Category: Command and Control, Initial Access
ATT&CK Tag: Proxy, External Remote Services
ATT&CK ID: T1090, T1133
Minimum Log Source Requirement: Firewall, IDS/IPS

Query:

label=Connection label=Allow source_address IN ALERT_BAD_IP

LP_Default Account Created but Password Not Changed¶

Trigger Condition: Creation of a new account with a default password and the password is not changed within 24 hours, is detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts, Account Manipulation, Create Account
ATT&CK ID: T1078, T1098, T1136
Minimum Log Source Requirement: Windows

Query:

[label=User label=Create label=Account] as s1 left join [label=User label=Password (label=Change OR label=Reset)] as s2 on s1.target_user=s2.user | search -s2.user=* | rename s1.target_user as User, s1.log_ts as UserCreated_ts | process current_time(a) as time_ts | chart max((time_ts - UserCreated_ts)/60/60) as Duration by User, UserCreated_ts | search Duration>24

LP_Default Account privilege elevation followed by restoration of previous account state¶

Trigger Condition: A user is added to a group or assigned privilege followed by restoration or removal from those rights.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Account Manipulation, Exploitation for Privilege Escalation
ATT&CK ID: T1098, T1068
Minimum Log Source Requirement: Windows

Query:

[label=User label=Group label=Management label=Add | rename target_user as account]as s1 followed by [ label=User label=Group (label=Remove or label=Delete) -target_user=*$ | rename target_user as account] as s2 on s1.account=s2.account | rename s1.log_ts as ElevationTime_ts, s2.log_ts as RestorationTime_ts, s1.user as UserElevation, s2.user as UserRestoration, s1.account as Account, s1.message as PrivilegeElevation, s2.message as PrivilegeRestoration

LP_Default Audit Policy Changed¶

Trigger Condition: An audit policy is changed in the system.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Domain Policy Modification, Group Policy Modification
ATT&CK ID: T1484, T1484.001
Minimum Log Source Requirement: Windows
Query:
```
label=Audit label=Policy label=Change
```

LP_Default Blocked Inbound Traffic followed by Allowed Event¶

Trigger Condition: Blocked inbound traffic followed by allowed traffic is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Firewall, IDS/IPS

Query:

[norm_id=*firewall or norm_id=*IDS label=Block or label=Deny label=Connection -source_address IN HOMENET destination_address IN HOMENET] as s1 followed by [norm_id=*firewall label=Allow label=Connection -source_address IN HOMENET destination_address IN HOMENET] as s2 on s1.source_address=s2.source_address | rename s1.source_address as source

LP_Default Blocked Outbound Traffic followed by Allowed Event¶

Trigger Condition: Blocked outbound traffic followed by allowed traffic is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Firewall, IDS/IPS

Query:

[norm_id=*firewall or norm_id=*IDS label=Block or label=Deny label=Connection source_address IN HOMENET -destination_address IN HOMENET] as s1 followed by [norm_id=*firewall label=Allow label=Connection source_address IN HOMENET -destination_address IN HOMENET]
as s2 on s1.source_address=s2.source_address | rename s1.source_address as source

LP_Default Brute Force Attack Attempt - Multiple Unique Sources¶

Trigger Condition: Failed login attempts from the same user using multiple sources. The default value for multiple unique sources is five.
ATT&CK Category: Credential Access, Privilege Escalation, Defense Evasion
ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts
ATT&CK ID: T1110, T1187, T1078
Minimum Log Source Requirement: Windows

Query:

label=User label=Login label=Fail | rename target_user as user | chart distinct_count(source_address) as DC by user | search DC>5

LP_Default Brute Force Attack Attempt - Multiple Unique Users¶

Trigger Condition: Multiple user authentication fails from the same source within ten minutes. The default value for unique multiple users is five.
ATT&CK Category: Credential Access, Initial Access, Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts
ATT&CK ID: T1110, T1187, T1078
Minimum Log Source Requirement: Windows

Query:

label=User label=Login label=Fail source_address=* -target_user=*$| rename target_user as user | chart distinct_count(user) as DC by source_address | search DC>5

LP_Default Brute Force Attack Successful¶

Trigger Condition: Five failed users login attempts followed by a successful login from the same user within five minutes is detected.
ATT&CK Category: Credential Access, Initial Access, Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts
ATT&CK ID: T1110, T1187, T1078
Minimum Log Source Requirement: Windows

Query:

[label=User label=Login label=Fail -target_user=*$ | rename target_user as user | chart count() as cnt by user | search cnt > 5 ] as s1 followed by [label=User label=Login label=Successful | rename target_user as user] as s2 on s1.user = s2.user | rename s2.user as User

LP_Default Connection Attempts on Closed Port¶

Trigger Condition: A connection is established on closed ports. For the alert to work, you must update the list ALERT_OPEN_PORTS, which includes a list of open ports.
ATT&CK Category: Command And Control, Persistence, Privilege Escalation
ATT&CK Tag: Traffic Signaling, Port Knocking
ATT&CK ID: T1205, T1205.001
Minimum Log Source Requirement: Firewall, IDS/IPS

Query:

label=Connection -destination_port IN ALERT_OPEN_PORTS source_address=* destination_port=*

LP_Default CPU Usage Status¶

Trigger Condition: The use of CPU exceeds 90%.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: LogPoint

Query:

label=Metrics label=CPU label=Usage use>90

LP_Default Device Stopped Sending Logs for Half an Hour¶

Trigger Condition: A device has not sent logs for more than half an hour. You can customize the time according to your need.
ATT&CK Category: Impact, Defense Evasion
ATT&CK Tag: Service Stop, Data Destruction, Indicator Removal on Host
ATT&CK ID: T1489, T1485, T1070
Minimum Log Source Requirement: All the log sources

Query:

| chart max(col_ts) as max_time_ts by device_ip | process current_time(a) as time | chart max(time-max_time_ts) as elapsed_time by max_time_ts, device_ip | search elapsed_time>1800

LP_Default DNS Tunneling Detection - Data Transfer Size¶

Trigger Condition: The size of data transmitted using the Application Layer Protocol and DNS port is greater than 10MB in five minutes.
ATT&CK Category: Command and Control, Exfiltration
ATT&CK Tag: Application Layer Protocol, DNS, Data Transfer Size Limits
ATT&CK ID: T1071, T1071.004, T1030
Minimum Log Source Requirement: Firewall, IDS/IPS

Query:

destination_port=53 source_address IN HOMENET -destination_address IN HOMENET | chart sum(datasize) as DNSBYTES by source_address | search DNSBYTES > 10000000

LP_Default DNS Tunneling Detection - Multiple domains¶

Trigger Condition: A source address with queries for more than 50 domains are detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms, Proxy, Domain Fronting
ATT&CK ID: T1071, T1071.004, T1568, T1568.002, T1090, T1090.004
Minimum Log Source Requirement: Webserver, Firewall

Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | chart distinct_count(domain) as DomainCount by source_address | search DomainCount > 50

LP_Default DNS Tunneling Detection - Multiple Subdomains¶

Trigger Condition: Domains with more than ten subdomains from a single source address are detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms, Proxy, Domain Fronting
ATT&CK ID: T1071, T1071.004, T1568, T1568.002, T1090, T1090.004
Minimum Log Source Requirement: Webserver, Firewall

Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | norm on domain <subdomain:.*><:'\.'><main_domain:'[a-z0-9]+.\w{3}'> | search subdomain=* | chart distinct_count(subdomain) as uniqueSubdomain by main_domain, source_address |search uniqueSubdomain>10

LP_Default DNS Tunneling Detection - Query Size¶

Trigger Condition: Traffic with more than 64 characters in Application Layer Protocol and DNS is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms
ATT&CK ID: T1071,T1071.004,T1568,T1568.002
Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver, DNS Server

Query:

norm_id=* "DNS" qname=* | process count_char(qname) as charCount | search charCount>64

LP_Default Excessive Authentication Failures¶

Trigger Condition: More than 100 authentication failures of a user within ten minutes is detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access
ATT&CK Tag: Valid Accounts, Brute Force
ATT&CK ID: T1078, T1110
Minimum Log Source Requirement: Windows

Query:

label=Fail label=Authentication -user=*$| chart count() as cnt by user | search cnt>100

LP_Default Excessive Blocked Connections¶

Trigger Condition: 50 blocked or denied connections are observed from the same source within a minute.

ATT&CK Category: Impact, Command and Control

ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy

ATT&CK ID: T1498, T1499, T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
[50 label=Connection (label=Deny OR label=Block) source_address=* having same source_address within 1 minute]

LP_Default Excessive HTTP Errors¶

Trigger Condition: 20 or more unique HTTP errors are detected.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service

ATT&CK ID: T1498

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* status_code IN HTTP_ERROR | chart distinct_count(status_code) as cnt by host, source_address, norm_id | search cnt>20

LP_Default File Association Changed¶

Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by a file type association.

ATT&CK Category: Persistence

ATT&CK Tag: Event Triggered Execution, Change Default File Association

ATT&CK ID: T1546, T1546.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Classes\*" or target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\GlobalAssocChangedCounter*") -user IN EXCLUDED_USERS

LP_Default Guest Account Added to Administrative Group¶

Trigger Condition: A guest account is added to security group management.

ATT&CK Category: Credential Access, Persistence, Privilege Escalation, Defense Evasion, Initial Access

ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Valid Accounts

ATT&CK ID: T1098, T1548, T1548.002, T1078

Minimum Log Source Requirement: Windows
Query:
label=Security label=Group label=Management label=Add (member_sid="S-1-5-21-*-501" OR target_id="S-1-5-21-*-501") | rename target_user as member, group as group_name

LP_Default High Unique DNS Traffic¶

Trigger Condition: Application Layer Protocol and DNS traffic event greater than 50 is detected.

ATT&CK Category: Command And Control

ATT&CK Tag: Application Layer Protocol, DNS

ATT&CK ID: T1071, T1071.004

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
destination_port=53 source_address=* | chart count() as Event by source_address | search Event>50

LP_Default High Unique SMTP Traffic¶

Trigger Condition: More than 50 SMTP traffics from the same source within a minute is detected.

ATT&CK Category: Command And Control

ATT&CK Tag: Application Layer Protocol, Mail Protocols

ATT&CK ID: T1071, T1071.003

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
source_address=* destination_port=25 | chart count() as Event by source_address | search Event>50

LP_Default High Unique Web-Server traffic¶

Trigger Condition: More than 50 web server traffics from the same source within a minute is detected.

ATT&CK Category: Command And Control

ATT&CK Tag: Application Layer Protocol, Web Protocols

ATT&CK ID: T1071, T1071.001

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
source_address=* destination_port=80 | chart count() as Event by source_address | search Event>50

LP_Default Inbound Connection with Non-Whitelist Country¶

Trigger Condition: An inbound connection established with a non-whitelisted country is detected. For this alert to work, you must update the list WHITELIST_COUNTRY.

ATT&CK Category: Command And Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
-source_address IN HOMENET destination_address IN HOMENET | process geoip(source_address) as country | search -country IN WHITELIST_COUNTRY

LP_Default Inbound Queries Denied by Firewalls¶

Trigger Condition: A firewall denies more than 100 inbound connections within five minutes.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service

ATT&CK ID: T1498

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection label=Deny -source_address IN HOMENET destination_address in HOMENET | chart count() as Event by source_address, destination_address | search Event>100

LP_Default Inbound RDP Connection¶

Trigger Condition: Inbound RDP traffic events on destination port 3389 is detected.

ATT&CK Category: Lateral Movement, Command And Control

ATT&CK Tag: Remote Services, Application Layer Protocol

ATT&CK ID: T1021, T1071

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=3389

LP_Default Inbound SMB Connection¶

Trigger Condition: Inbound SMB traffic events on destination port 445 is detected.

ATT&CK Category: Lateral Movement, Command And Control

ATT&CK Tag: Application Layer Protocol

ATT&CK ID: T1071

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=445

LP_Default Inbound SMTP Connection¶

Trigger Condition: Inbound SMTP traffic event on destination ports 25, 456, 587, 2525, and 2526 is detected.

ATT&CK Category: Command And Control

ATT&CK Tag: Application Layer Protocol

ATT&CK ID: T1071

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port in [25,465,587,2525,2526]

LP_Default Inbound SSH Connection¶

Trigger Condition: Inbound Remote Services SSH traffic event on destination port 22 is detected.

ATT&CK Category: Lateral Movement, Command and Control

ATT&CK Tag: Remote Services, Application Layer Protocol

ATT&CK ID: T1021, T1071

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=22

LP_Default Internal Attack¶

Trigger Condition: More than ten attack patterns from a home network are detected.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

ATT&CK ID: T1498, T1499

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Attack -label=Deny source_address IN HOMENET | chart count() as Event by source_address, destination_address | search Event>10

LP_Default Internal Virus Worm Outburst¶

Trigger Condition: Ten or more viruses in a host is detected within an hour.

ATT&CK Category: Impact, Defense Evasion

ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

ATT&CK ID: T1021, T1071

Minimum Log Source Requirement: Antivirus
Query:
(label=Worm OR label=Virus OR label=Malware) source_address IN HOMENET malware=* | chart distinct_count(malware) as Virus by source_address | search Virus>10

LP_Default IRC connection¶

Trigger Condition: The IRC connection is detected. For this alert to work, you must update ALERT_IRC_PORT list with possible IRC ports.

ATT&CK Category: Command and Control, Discovery

ATT&CK Tag: Proxy, Network Service Scanning

ATT&CK ID: T1090, T1046

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
(destination_port IN ALERT_IRC_PORT OR destination_port=6667)

LP_Default Malware Detected¶

Trigger Condition: A malware or a virus is detected in the system.

ATT&CK Category: Resource Development

ATT&CK Tag: Develop Capabilities, Malware

ATT&CK ID: T1587, T1587.001

Minimum Log Source Requirement: Antivirus
Query:
(label=Virus OR label=Malware ) (label=Detect OR label=Find) (virus=* OR malware=* OR file=* OR path=*) | rename malware as virus

LP_Default Malware Detected in Various Machines¶

Trigger Condition: The same malware or virus is detected on multiple hosts.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery, Impair Defenses,Impair Defenses, Disable or Modify Tools

ATT&CK ID: T1046, T1211, T1518, T1518.001, T1562, T1562.001

Minimum Log Source Requirement: Antivirus
Query:
(label=Virus OR label=Malware ) (label=Detect OR label=Find) source_address=* malware=* | chart distinct_count(source_address) as Event by malware | search Event>1

LP_Default Malware not Cleaned¶

Trigger Condition: A malware clean events including deletion, removal, and quarantine, is followed by detecting the same malware in the same host.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning,Exploitation for Defense Evasion,Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Antivirus
Query:
norm_id=* malware=* action IN ["*delete*", "*remove*", "*quarantine*"] ] as s1 followed by [norm_id=* malware=* source_address=*] as s2 on s1.malware=s2.malware | process compare(s1.source_address, s2.source_address) as match | search match=true | rename s1.source_address as source_address, s1.malware as malware

LP_Default Malware Removed¶

Trigger Condition: Removal of malware or a virus from the system is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Indicator Removal on Host, Obfuscated Files or Information, Indicator Removal from Tools

ATT&CK ID: T1070, T1027, T1027.005

Minimum Log Source Requirement: Antivirus
Query:
(label=Virus OR label=Malware ) (label=Remove OR label=Clean OR label=Delete) -label="Not" -label=Error | rename malware as virus | search virus=*

LP_Default Memory Usage Status¶

Trigger Condition: The memory usage exceeds 90% of the total memory available.

ATT&CK Category: Collection

ATT&CK Tag: Automated Collection

ATT&CK ID: T1119

Minimum Log Source Requirement: LogPoint
Query:
label=Metrics label=Memory label=Usage use>90

LP_Default Network Configuration Change on Network Device¶

Trigger Condition: A change in the core network event source, such as a router or switch, is detected.

ATT&CK Category: Persistence, Credential Access, Defense Evasion, Privilege Escalation

ATT&CK Tag: Modify Existing Service, Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Impair Defenses, Indicator Blocking, Modify Registry, Exploitation for Privilege Escalation

ATT&CK ID: T1098, T1548, T1562, T1562.006, T1112, T1068

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Network label=Configuration (label=Change OR label=Modify OR label=Reset OR label=Enable OR label=Disable OR label=Add or label=Delete or label=Undelete)

LP_Default Outbound Connection with Non-Whitelist Country¶

Trigger Condition: Outbound connections with non-whitelisted countries are detected. For this alert to work, you must update the list WHITELIST_COUNTRY.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
source_address IN HOMENET -destination_address IN HOMENET | process geoip(destination_address) as country | search -country IN WHITELIST_COUNTRY

LP_Default Outbound Traffic from Unusual Source¶

Trigger Condition: Outbound traffic is detected from an unusual source. For this alert to work, you must update the list ALERT_UNUSUAL_SOURCE with source addresses from which outbound connections are not established.

ATT&CK Category: Command and Control, Exfiltration

ATT&CK Tag: Proxy, Automated Exfiltration, Exfiltration Over C2 Channel

ATT&CK ID: T1090, T1020, T1041

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
source_address IN ALERT_UNUSUAL_SOURCE source_address IN HOMENET (label=Traffic OR label=Connection) -destination_address IN HOMENET

LP_Default Port Scan Detected¶

Trigger Condition: A source hits a destination on 50 different ports in five minutes.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning

ATT&CK ID: T1046

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
destination_port=* | chart distinct_count(destination_port) as CNT by source_address, destination_address | search CNT>50

LP_Default Possible Cross Site Scripting Attack Detected¶

Trigger Condition: The script tag indicating the XSS attack is detected in the URL.

ATT&CK Category: Initial Access

ATT&CK Tag: Exploiting Public-Facing Application

ATT&CK ID: T1190

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* url IN ["*<script>*", "*%3c%73%63%72%69%70%74%3e*", "*%3cscript%3e*"] or resource IN ["*<script>*", "*%3c%73%63%72%69%70%74%3e*", "*%3cscript%3e*"] | rename resource as url

LP_Default Possible Network Performance Degradation Detected¶

Trigger Condition: 100 or more network-related errors are detected in security devices within five minutes.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service

ATT&CK ID: T1498

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
norm_id=* ((label=Connection (label=Error or label=Fail or label=Deny or label=Drop)) or (label="Limit" label=Exceed) or (label=Packet label=Drop) or (label=Protocol label=Deny)) | chart count() as Event by device_ip, norm_id | search Event>1000

LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected¶

Trigger Condition: An inbound connection is detected in secure devices over non-compliant ports as specified by PCI compliance practices. For this alert to work, you must update the list NON_PCI_COMPLIANT_PORT.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Inbound label=Connection destination_port IN NON_PCI_COMPLIANT_PORT -source_address IN HOMENET

LP_Default Possible Spamming Zombie¶

Trigger Condition: Systems other than mail servers attempt to establish an outbound SMTP connection is detected. For this alert to work, you must update the list MAIL_SERVERS with possible mail servers to remove false positives. For example, exchange, postfix, and so on.

ATT&CK Category: Command and Control, Impact

ATT&CK Tag: Proxy, Application Layer Protocol, Network Denial of Service

ATT&CK ID: T1090, T1071, T1498

Minimum Log Source Requirement: All except Mail Server
Query:
-norm_id IN MAIL_SERVERS destination_port IN ["25", "587"]

LP_Default Possible SQL Injection Attack¶

Trigger Condition: SQL character injection in the input field of a web application is detected.

ATT&CK Category: Initial Access

ATT&CK Tag: Exploit Public-Facing Application

ATT&CK ID: T1190

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* url IN SQL_INJECTION_CHARACTER or resource IN SQL_INJECTION_CHARACTER | rename resource as url

LP_Default Possible System Instability State Detected¶

Trigger Condition: The instability of a system is detected. For example, a system shut down or restarts more than five times within ten minutes. A correlation rule is designed to detect if a system has become unstable.

ATT&CK Category: Impact

ATT&CK Tag: System Shutdown/Reboot

ATT&CK ID: T1529

Minimum Log Source Requirement: OS
Query:
[5 (-label=Require -label=Request -label=Reply) (label=Restart OR label=Shutdown OR label=Boot) having same device_ip within 10 minutes]

LP_Default PowerSploit and Empire Schtasks Persistence¶

Trigger Condition: Creation of a schtask via PowerSploit or Empire Default Configuration is detected.

ATT&CK Category: Execution, Persistence, Privilege Escalation

ATT&CK Tag: Scheduled Task/Job, Scheduled Task,Command and Scripting Interpreter, PowerShell + ATT&CK ID: T1053, T1053.005, T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image IN ["*\powershell.exe"] command IN ["*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*"] -user IN EXCLUDED_USERS

LP_Default Successful Login outside Normal Hour¶

Trigger Condition: Successful user login beyond regular office hour is detected. You can adjust the regular work hour according to your company.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Valid Accounts

ATT&CK ID: T1078

Minimum Log Source Requirement: Windows
Query:
label=Login label=Successful target_user=* ((day_of_week(log_ts)=2 OR day_of_week(log_ts)=3 OR day_of_week(log_ts)=4 OR day_of_week(log_ts)=5 OR day_of_week(log_ts)=6) (hour(log_ts)>0 hour(log_ts)<9) OR hour(log_ts)>17) OR (day_of_week(log_ts) IN [1, 7]) | rename target_user as user

LP_Default Successful Login Using a Default Account¶

Trigger Condition: Successful login attempts using a vendor default account is detected. The alert is essential for those organizations employing Payment Card Industry (PCI) Compliance.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Valid Accounts, Default Accounts

ATT&CK ID: T1078, T1078.001

Minimum Log Source Requirement: Windows
Query:
label=User label=Login label=Successful (target_user=* OR user=*) (target_user IN DEFAULT_USERS OR user IN DEFAULT_USERS) | rename target_user as user

LP_Default Suspicious DNS Queries with Higher Data Size¶

Trigger Condition: DNS queries having data size greater than 2K signaling exfiltration of data via DNS.

ATT&CK Category: Command and Control

ATT&CK Tag: Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

ATT&CK ID: T1048, T1048.003

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
datasize=* destination_port=53 datasize>2000

LP_Default System Time Change¶

Trigger Condition: The system time is changed or when LogPoint command /opt/immune/installed/system/root_actions/*_ntp.sh is executed.

ATT&CK Category: Persistence, Impact

ATT&CK Tag: Modify Existing Service, Data Destruction

ATT&CK ID: T1485

Minimum Log Source Requirement: Windows
Query:
(label=System label=Time label=Change) OR (label=Execute label=Command command="/opt/immune/installed/system/root_actions/*_ntp.sh")

LP_Default TCP Port Scan¶

Trigger Condition: 100 or more different TCP port sweep events are detected within five minutes from external sources.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning

ATT&CK ID: T1046

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection label=Traffic -source_address IN HOMENET destination_address IN HOMENET protocol=TCP | chart distinct_count(destination_port) as DistinctPort by source_address, destination_address order by DistinctPort desc | search DistinctPort>100

LP_Default TCP Probable SynFlood Attack¶

Trigger Condition: Security devices detect ten TCP Syn flood events within a minute.

ATT&CK Category: Impact

ATT&CK Tag: Endpoint Denial of Service

ATT&CK ID: T1499

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
[10 TCP SYN having same source_address within 1 minute]

LP_Default UDP Port Scan¶

Trigger Condition: 100 or more different UDP port sweep events are detected within five minutes from an external source.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning

ATT&CK ID: T1046

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection label=Traffic -source_address IN HOMENET destination_address IN HOMENET protocol=UDP |
chart distinct_count(destination_port) as DistinctPort by source_address, destination_address order by
DistinctPort desc | search DistinctPort>100

LP_Default Unapproved Port Activity Detected¶

Trigger Condition: A user uses unapproved ports.

ATT&CK Category: Defense Evasion, Persistence, Command And Control

ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors, Traffic Signaling, Port Knocking

ATT&CK ID: T1547, T1547.01, T1205, T1205.001

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* source_port IN UNAPPROVED_PORT or destination_port IN UNAPPROVED_PORT or port IN UNAPPROVED_PORT | rename source_port as port, destination_port as port

LP_Default Unusual Number of Failed Vendor User Login¶

Trigger Condition: Failed user logins using default credentials for more than 10 times are detected. For this alert to work, you must update the list DEFAULT_USERS with default vendor user names.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Valid Accounts, Default Accounts

ATT&CK ID: T1078, T1078.001

Minimum Log Source Requirement: Windows
Query:
label=User label=Login label=Fail (target_user=* OR user=*) (target_user IN DEFAULT_USERS OR user IN DEFAULT_USERS) |rename target_user as user | chart count() as Event by user, source_address | search Event>10

LP_Detection of PowerShell Execution via DLL¶

Trigger Condition: Command and Scripting Interpreter, PowerShell strings applied to rundllas observed in PowerShdll.dll is detected.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*\rundll32.exe" OR message="*Windows-Hostprozess (Rundll32)*") command IN ["*Default.GetString*", "*FromBase64String*"] -user IN EXCLUDED_USERS

LP_Devtoolslauncher Executes Specified Binary¶

Trigger Condition: When adversaries attempt to bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries using devtoolslauncher (which is a part of VS/VScode installation) and LaunchForDeploy command.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution

ATT&CK ID: T1218

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\devtoolslauncher.exe" command="*LaunchForDeploy*" -user IN EXCLUDED_USERS

LP_DHCP Callout DLL Installation Detected¶

Trigger Condition: Installation of a Callout DLL via CalloutDlls and CalloutEnabled parameters in the registry, used to execute code in the context of the DHCP server is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Modify Registry

ATT&CK ID: T1574, T1574.002, T1112

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=13 target_object IN ["*\Services\DHCPServer\Parameters\CalloutDlls", "*\Services\DHCPServer\Parameters\CalloutEnabled"] -user IN EXCLUDED_USERS

LP_DHCP Server Error Failed Loading the CallOut DLL¶

Trigger Condition: DHCP server error in which a specified Callout DLL in registry cannot be loaded.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

ATT&CK ID: T1574, T1574.002

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WinServer event_id IN ["1031", "1032", "1034"] event_source="Microsoft-Windows-DHCP-Server" -user IN EXCLUDED_USERS

LP_DHCP Server Loaded the CallOut DLL¶

Trigger Condition: A DHCP server loads callout DLL in the registry. The alert has been translated from its corresponding sigma rule. For more information, you can check the sigma rule.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

ATT&CK ID: T1574, T1574.002

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=1033 -user IN EXCLUDED_USERS

LP_Direct Autorun Keys Modification Detected¶

Trigger Condition: A modification to the direct autorun keys on a system (ASEP) in the registry using reg.exe. These keys are used to run programs or scripts automatically when a specific event occurs, such as when the system starts up or when a user logs in. Adversaries may use this technique to establish persistence on a system and ensure that their malware or other malicious programs are launched automatically whenever the system is restarted. They may also use it to evade detection by disguising their malware as a legitimate program automatically launched by the system. This alert requires registry auditing to be enabled. When an admin user modifies the keys, false positive alerts may be triggered.

ATT&CK Category: Persistence

ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/tartup Folder

ATT&CK ID: T1547, T1547.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command="*add*" command IN ["*\software\Microsoft\Windows\CurrentVersion\Run*", "*\software\Microsoft\Windows\CurrentVersion\RunOnce*", "*\software\Microsoft\Windows\CurrentVersion\RunOnceEx*", "*\software\Microsoft\Windows\CurrentVersion\RunServices*", "*\software\Microsoft\Windows\CurrentVersion\RunServicesOnce*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*", "*\software\Microsoft\Windows NT\CurrentVersion\Windows*", "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*", "*\system\CurrentControlSet\Control\SafeBoot\AlternateShell*"] -user IN EXCLUDED_USERS

LP_Disable of ETW Trace Detected¶

Trigger Condition: A command that clears or disables the ETW trace log, indicating a logging evasion attempt by adversaries. Adversaries can cease the flow of logging temporarily or permanently without generating any additional event clear log entries from this method.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Indicator Blocking

ATT&CK ID: T1562.006

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((command="* cl */Trace*") OR (command="* clear-log */Trace*") OR (command="* sl* /e:false*") OR (command="* set-log* /e:false*") OR (command="*Remove-EtwTraceProvider*" command="*EventLog-Microsoft-Windows-WMI-Activity-Trace*" command="*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*") OR (command="*Set-EtwTraceProvider*" command="*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*" command="*EventLog-Microsoft-Windows-WMI-Activity-Trace*" command="*0x11*") OR (command="*logman update trace*" command="* --p *" command="* -ets *")) -user IN EXCLUDED_USERS

LP_MiniNt Registry Key Addition¶

Trigger Condition: The addition of a key MiniNt to the registry is detected. Windows Event Log service will stop the write events after reboot.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Disable or Modify Tools

ATT&CK ID: T1562, T1562.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="HKLM\SYSTEM\CurrentControlSet\Control\MiniNt" -user IN EXCLUDED_USERS

LP_Discovery of a System Time Detected¶

Trigger Condition: The use of various commands to query a system’s time is identified. Adversaries may attempt to manipulate the system time to throw off logs’ accuracy or hide their activities. They may also use the system time to trigger the execution of malicious payloads or scripts at specific times.

ATT&CK Category: Discovery

ATT&CK Tag: System Time Discovery

ATT&CK ID: T1124

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image IN ["*\net.exe", "*\net1.exe"] command="*time*") OR (image="*\w32tm.exe" command="*tz*") OR (image="*\powershell.exe" command="*Get-Date*")) -user IN EXCLUDED_USERS

LP_Discovery using Bloodhound Detected¶

Trigger Condition: Enumeration attempt by a user using the IPC$ share.

ATT&CK Category: Discovery

ATT&CK Tag: System Owner/User Discovery

ATT&CK ID: T1033

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=3 service=ldap image IN ['*cmd.exe', '*powershell.exe', '*sharphound.exe'] -user IN EXCLUDED_USERS | chart count() as eventCount by host, service, image | search eventCount > 10

LP_Discovery via File and Directory Discovery Using Command Prompt¶

Trigger Condition: A file and directory enumerated, or searching of a specific location of a host or network share within a file system using command prompt is detected.

ATT&CK Category: Discovery

ATT&CK Tag: File and Directory Discovery

ATT&CK ID: T1083

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4688 (commandline = "tree*" OR command = "tree*") -user IN EXCLUDED_USERS | rename commandline as command

LP_Discovery via Discovery via PowerSploit Recon Module Detected¶

Trigger Condition: Adversaries abuse Command and Script Interpreters to execute scripts via the PowerSploitReconnaissance module. For this alert to work, you must update the list POWERSPLOIT_RECON_MODULES.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4104 (scriptblocktext in POWERSPLOIT_RECON_MODULES OR script_block in POWERSPLOIT_RECON_MODULES) -user IN EXCLUDED_USERS | rename scriptblocktext as script_block

LP_DLL Load via LSASS Detected¶

Trigger Condition: A method to load DLL via the LSASS process using an undocumented registry key is detected.

ATT&CK Category: Execution

ATT&CK Tag: Boot or Logon Autostart Execution, LSASS Driver

ATT&CK ID: T1547, T1547.008

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id IN ["12", "13"] target_object IN ["*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*", "*\CurrentControlSet\Services\NTDS\LsaDbExtPt*"]

LP_DNS Exfiltration Tools Execution Detected¶

Trigger Condition: Execution of tools for Application Layer Protocol and DNS Exfiltration.

ATT&CK Category: Exfiltration

ATT&CK Tag: Exfiltration Over Alternative Protocol

ATT&CK ID: T1048

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*\iodine.exe" OR image="*\dnscat2*") -user IN EXCLUDED_USERS

LP_DNS Server Error Failed Loading the ServerLevelPluginDLL¶

Trigger Condition: Application Layer Protocol and DNS server error where a specified plugin DLL in the registry connot be loaded.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

ATT&CK ID: T1574, T1574.002

Minimum Log Source Requirement: DNS Server
Query:
event_source="DNS Server" event_id IN ["150", "770"]

LP_DNS ServerLevelPluginDll Install¶

Trigger Condition: Installation of a plugin DLL via the ServerLevelPluginDll parameter in the registry used to execute code in Application Layer Protocol and DNS server.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

ATT&CK ID: T1574, T1574.002

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=13 target_object="*\services\DNS\Parameters\ServerLevelPluginDll") OR (event_id=1 command="dnscmd.exe /config /serverlevelplugindll *") -user IN EXCLUDED_USERS

LP_Domain Trust Discovery Detected¶

Trigger Condition: Adversaries attempt to gather information on domain trust relationships. Domain trust is a relationship between two domains that allows users in one domain to be authenticated in the other domain. It enables users to access resources in a trusted domain as if they were local. Adversaries may attempt to establish domain trusts to gain access to additional resources or to move laterally within an organization’s network. They may also use domain trusts to hide their activities or to evade detection.

ATT&CK Category: Discovery

ATT&CK Tag: Domain Trust Discovery

ATT&CK ID: T1482

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image="*\dsquery.exe" command="*-filter*" command="*trustedDomain*") OR (image="*\nltest.exe" command="*domain_trusts*")) -user IN EXCLUDED_USERS

LP_DoppelPaymer Ransomware Connection to Malicious Domains¶

Trigger Condition: Any connection to DoppelPaymer Double Extortion ransomware related domains is detected.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* (url IN DOPPELPAYMENR_RANSOMWARE_DOMAINS OR domain IN DOPPELPAYMENR_RANSOMWARE_DOMAINS)

LP_DoppelPaymer Ransomware Exploitable Vulnerabilities Detected¶

Trigger Condition: Vulnerability management detects the presence of vulnerability linked to DoppelPaymer ransomware.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
norm_id=VulnerabilityManagement cve_id="*CVE-2019-19781*"

LP_DoppelPaymer Ransomware Infected Host Detected¶

Trigger Condition: DoppelPaymer Double Extortion ransomware-infected host is detected.

ATT&CK Category: Impact

ATT&CK Tag: Data Encrypted for Impact

ATT&CK ID: T1486

Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon
Query:
host=* hash=* hash IN DOPPELPAYMER_RANSOMWARE_HASHES

LP_dotNET DLL Loaded Via Office Applications¶

Trigger Condition: Assembly of DLL loaded by the Office Product is detected.

ATT&CK Category: Initial Access

ATT&CK Tag: Phishing, Spearphishing Attachment

ATT&CK ID: T1566, T1566.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image="*C:\Windows\assembly\\*" -user IN EXCLUDED_USERS

LP_DPAPI Domain Backup Key Extraction Detected¶

Trigger Condition: Tools extracting the LSA secret DPAPI domain backup key from Domain Controllers are detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows
Query:
(norm_id=WinServer event_id=4662 object_type="SecretObject" access_mask="0x2" object_name="*BCKUPKEY") -user IN EXCLUDED_USERS

LP_DPAPI Domain Master Key Backup Attempt¶

Trigger Condition: An attempt to backup DPAPI master key is detected. The event is generated on the source and not on the Domain Controller.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4692 -user IN EXCLUDED_USERS

LP_DragonFly - File Upload with Trojan Karagany¶

Trigger Condition: Updation of a file with the use of Trojan Karagany is detected.

ATT&CK Category: Defense Evasion, Credential Access, Privilege Escalation

ATT&CK Tag: Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation for Privilege Escalation, Exploitation for Defense Evasion

ATT&CK ID: T1211, T1212, T1068, T1211

Minimum Log Source Requirement: -
Query:
filename "identifiant"| norm on filename=<file:all>&identifiant | search file=*

LP_DragonFly - Malicious File Creation¶

Trigger Condition: Creation of a malicious file.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter
ATT&CK ID: T1059
Minimum Log Source Requirement: Integrity Scanner

Query:

("*TMPprovider*" OR "*sysmain*" OR "*sydmain*") OR (norm_id=IntegrityScanner file_path IN DRAGONFLY_MALICIOUS_FILES OR file_path IN DRAGONFLY_MALICIOUS_FOLDER OR registry IN DRAGONFLY_MALICIOUS_FILES) | rename registry as file_path | norm on file_path <path:.*>\<file:string> | process regex("(?P<file>(TMPprovider[0-9]{3}\.dll|sy[ds]main\.dll))", msg) | search file=*

LP_DragonFly - Watering Hole Sources¶

Trigger Condition: Dragonfly watering hole sources are detected.

ATT&CK Category: Initial Access

ATT&CK Tag: Drive by Compromise

ATT&CK ID: T1189

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* url IN ["*script*iframe*", "*dwd", "*dwe", "*fnd", "*fne"] source_address=*

LP_Dridex Process Pattern Detected¶

Trigger Condition: A typical dridex process patterns are detected.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (command="*\svchost.exe C:\Users\*\Desktop\*" OR (parent_image="*\svchost.exe*" command IN ["*whoami.exe /all", "*net.exe view"])) -user IN EXCLUDED_USERS

LP_Droppers Exploiting CVE-2017-11882 Detected¶

Trigger Condition: The exploitation using CVE-2017-11882 to start EQNEDT32.EXE and other sub-processes like mshta.exe are detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Exploitation for Defense Evasion

ATT&CK ID: T1211

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\EQNEDT32.EXE" -user IN EXCLUDED_USERS

LP_Drupal Arbitrary Code Execution Detected¶

Trigger Condition: The exploitation of arbitrary code execution vulnerability (CVE-2018-7600) in Drupal, is detected.

ATT&CK Category: Initial Access

ATT&CK Tag: Exploit Public-Facing Application

ATT&CK ID: T1190

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* label=Access request_method=POST resource='*ajax_form*drupal*ajax*'

LP_DTRACK Process Creation Detected¶

Trigger Condition: Specific process parameters, as seen in DTRACK infections are detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="* echo EEEE > *" -user IN EXCLUDED_USERS

LP_Elevated Command Prompt Activity by Non-Admin User Detected¶

Trigger Condition: The execution of an elevated command prompt by a non-admin user.

ATT&CK Category: Execution

ATT&CK Tag: Command-Line Interface

ATT&CK ID: T1059

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4688 -user IN ADMINS "process"="*cmd.exe" token_elevation_type="*(2)*" -user IN EXCLUDED_USERS

LP_Elise Backdoor Detected¶

Trigger Condition: Elise backdoor activity used by APT32 is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control + ATT&CK ID: T1548

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\SysWOW64\cmd.exe" command="*\Windows\Caches\NavShExt.dll *") OR command="*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll, Setting") -user IN EXCLUDED_USERS

LP_EMC Possible Ransomware Detection¶

Trigger Condition: Suspicious data activity affecting more than 200 files or in-house baseline is detected.

ATT&CK Category: Impact

ATT&CK Tag: Data Encrypted for Impact, Data Destruction, Proxy

ATT&CK ID: T1486, T1485, T1090

Minimum Log Source Requirement: EMC
Query:
label=EMC -"bytesWritten"="0" -"bytesWritten"="0x0" event="0x80" flag=0x2 userSid=*| chart count() as handle by userSid, clientIP | search handle>200

LP_Emissary Panda Malware SLLauncher Detected¶

Trigger Condition: The execution of DLL side-loading malware used by threat group Emissary Panda, also known as APT27 is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Exploitation for Defense Evasion

ATT&CK ID: T1211

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\sllauncher.exe" image="*\svchost.exe" -user IN EXCLUDED_USERS

LP_Emotet Process Creation Detected¶

Trigger Condition: Emotet like process executions that are not covered by the more generic rules are detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["* -e* PAA*", "*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*", "*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*", "*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*", "*IgAoACcAKgAnACkAOwAkA*",
"*IAKAAnACoAJwApADsAJA*", "*iACgAJwAqACcAKQA7ACQA*", "*JABGAGwAeAByAGgAYwBmAGQ*"] -user IN EXCLUDED_USERS

LP_Empire PowerShell Launch Parameters¶

Trigger Condition: Suspicious PowerShell command line parameters used in Empire are detected.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["* -NoP -sta -NonI -W Hidden -Enc *", "* -noP -sta -w 1 -enc *", "* -NoP -NonI -W Hidden -enc *"] -user IN EXCLUDED_USERS

LP_Empire PowerShell UAC Bypass Detected¶

Trigger Condition: Empire Command and Scripting Interpreter and PowerShell UAC bypass methods are detected.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control

ATT&CK ID: T1548

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["* -NoP -NonI -w Hidden -c x =((gp HKCU:Software\Microsoft\Windows Update).Update)*", "* -NoP -NonI -c x =((gp HKCU:Software\Microsoft\Windows Update).Update)*"] -user IN EXCLUDED_USERS

LP_Enabled User Right in AD to Control User Objects¶

Trigger Condition: LogPoint detects a scenario where if a user is assigned the SeEnableDelegation Privilege right in Active Directory, thay will be allowed to control other Active Directory user’s objects.

ATT&CK Category: Privilege Escalation

ATT&CK Tag: Valid Accounts

ATT&CK ID: T1078

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4704 message="*SeEnableDelegationPrivilege*" -user IN EXCLUDED_USERS

LP_Encoded FromBase64String Detected¶

Trigger Condition: The .NET method “FromBase64String” decodes a Base64-encoded string. Base64 is a widely used encoding scheme representing binary data in an ASCII string format. It is often used to encode data for transfer over networks or store data in databases or files. Adversaries may use Base64 encoding to conceal the contents of their payloads or communications, making it more difficult for defenders to detect and analyze their activities. They may also use the “FromBase64String” method to decode Base64-encoded data as part of their attack. False Positive: Some legitimate processes might use encoded commands

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Deobfuscate/Decode Files or Information

ATT&CK ID: T1059, T1059.001, T1140

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*OjpGcm9tQmFzZTY0U3RyaW5n*", "*o6RnJvbUJhc2U2NFN0cmluZ*", "*6OkZyb21CYXNlNjRTdHJpbm*"] -user IN EXCLUDED_USERS

LP_Encoded IEX Detected¶

Trigger Condition: When the use of the “IEX” (Invoke-Expression) cmdlet is detected to execute encoded PowerShell commands. “IEX” is a built-in cmdlet in PowerShell that allows users to run scripts or commands that are stored in a string. Adversaries may use encoding to conceal the contents of their scripts or commands, making it more difficult for defenders to detect and analyze their activities. Adversaries may use the “IEX” cmdlet to execute encoded PowerShell commands as part of their attack. They may also use encoding to hide their activities’ true nature or evade detection. False Positive: Some legitimate processes might use encoded commands.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Deobfuscate/Decode Files or Information

ATT&CK ID: T1059, T1059.001, T1140

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*SUVYIChb*", "*lFWCAoW*", "*JRVggKF*", "*aWV4IChb*", "*lleCAoW*", "*pZXggKF*", "*aWV4IChOZX*", "*lleCAoTmV3*", "*pZXggKE5ld*", "*SUVYIChOZX*", "*lFWCAoTmV3*", "*JRVggKE5ld*"] -user IN EXCLUDED_USERS

LP_Encoded PowerShell Command Detected¶

Trigger Condition: Execution of encoded Command and Scripting Interpreter and PowerShell commands are detected.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*powershell.exe" command IN ["*-enc*", "*-ec*"] -user IN EXCLUDED_USERS

LP_Endpoint Protect Multiple Failed Login Attempt¶

Trigger Condition: A user fails to log in even after multiple attempts.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Exploitation for Credential Access, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Brute Force

ATT&CK ID: T1212, T1068, T1211, T1110

Minimum Log Source Requirement: EndPoint Protector
Query:
norm_id=EndPointProtector label=User (label=Login OR label=Authentication) label= Fail user=* caller_user=* | chart count() as CNT by user, caller_user order by CNT desc | search "CNT">5

LP_Equation Group DLL_U Load Detected¶

Trigger Condition: A specific tool and export used by the EquationGroup is detected.

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Command-Line Interface, Signed Binary Proxy Execution, Rundll32

ATT&CK ID: T1059, T1218, T1218.011

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image="*\rundll32.exe" command="*, dll_u") OR command="* -export dll_u *") -user IN EXCLUDED_USERS

LP_Eventlog Cleared Detected¶

Trigger Condition: One of the Windows Event logs has been cleared.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Indicator Removal on Host

ATT&CK ID: T1070

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=104 event_source="Microsoft-Windows-Eventlog" -user IN EXCLUDED_USERS

LP_ExchangeMT Possible Data Theft - Email with Attachment Outside Organization¶

Trigger Condition: An email with attachment is sent to the receiver outside the organization domain.

ATT&CK Category: Exfiltration, Collection

ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

ATT&CK ID: T1041, T1114

Minimum Log Source Requirement: ExchangeMT
Query:
norm_id=ExchangeMT -receiver IN HOME_DOMAIN datasize=* |chart sum(datasize/1000000) as "Emailsize(MB)" by sender |search "Emailsize(MB)">50

LP_ExchangeMT Unusual Outbound Email¶

Trigger Condition: 60 or more emails are sent from the same sender within an hour.

ATT&CK Category: Command and Control, Exfiltration, Collection

ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

ATT&CK ID: T1090, T1041, T1020, T1114

Minimum Log Source Requirement: ExchangeMT
Query:
norm_id=ExchangeMT sender=* receiver=* -receiver in HOME_DOMAIN| chart count(receiver=*) as MailSent by sender | search MailSent>60

LP_Executables Stored in OneDrive¶

Trigger Condition: A user stores files that are executable in OneDrive.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Office365
Query:
event_source=OneDrive source_file_extension IN EXECUTABLES | chart count() by user_id, source_address, source_file, source_file_extension, source_relative_url

LP_Execution in Non-Executable Folder Detected¶

Trigger Condition: Execution of a suspicious program from a different folder is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Office365
Query:
norm_id=WindowsSysmon event_id=1 image IN ["*\$Recycle.bin", "*\Users\All Users\*", "*\Users\Default\*", "*\Users\Public\*", "C:\Perflogs\*", "*\config\systemprofile\*", "*\Windows\Fonts\*", "*\Windows\IME\*", "*\Windows\addins\*"] -user IN EXCLUDED_USERS

LP_Execution in Outlook Temp Folder Detected¶

Trigger Condition: Execution of a suspicious program in the Outlook’s temp folder is detected.

ATT&CK Category: Initial Access

ATT&CK Tag: Phishing, Spearphishing Attachment

ATT&CK ID: T1566, T1566.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\Temporary Internet Files\Content.Outlook\*" -user IN EXCLUDED_USERS

LP_Execution in Webserver Root Folder Detected¶

Trigger Condition: Execution of a suspicious program in the Outlook’s temp folder is detected.

ATT&CK Category: Initial Access

ATT&CK Tag: Phishing, Spearphishing Attachment

ATT&CK ID: T1566, T1566.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\Temporary Internet Files\Content.Outlook\*" -user IN EXCLUDED_USERS

LP_Execution of Renamed PaExec Detected¶

Trigger Condition: Execution of renamed paexec via imphash and executable product string is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 product IN ["*PAExec*"] hash_imphash IN ["11D40A7B7876288F919AB819CC2D9802", "6444f8a34e99b8f7d9647de66aabe516", "dfd6aa3f7b2b1035b76b718f1ddc689f", "1a6cca4d5460b1710a12dea39e4a592c"] -image="*paexec*" -user IN EXCLUDED_USERS

LP_Execution via Control Panel Items¶

Trigger Condition: Execution of binary via Signed Binary Proxy Execution, Control Panel items are detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

ATT&CK ID: T1218

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*control.exe" command="*control*cpl*" -user IN EXCLUDED_USERS

LP_Execution via HTA using IE JavaScript Engine Detected¶

Trigger Condition: The execution of an HTA (HTML Application) file using the Internet Explorer JavaScript engine. HTAs are standalone applications written in HTML and can execute scripts, such as JavaScript or VBScript, on a system. Adversaries may use HTAs as a delivery mechanism for their payloads or execute arbitrary code on a system. Adversaries may use HTAs as a way to bypass security controls or to evade detection. They may also use them to execute arbitrary code on a system, potentially allowing them to access sensitive information or compromise the system.

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 source_image="*mshta.exe" image="*jscript9.dll" -user IN EXCLUDED_USERS

LP_Execution via Squiblydoo Technique Detected¶

Trigger Condition: Execution of the Squiblydoo technique is detected. Squiblydoo runs payloads or scripts by leveraging the Windows Script Host (WSH) and its default file associations. Adversaries may use Squiblydoo to bypass security controls or to evade detection. Adversaries may use the Squiblydoo technique to execute arbitrary code on a system, potentially allowing them to access sensitive information or compromise the system. They may also use it to hide their activities’ true nature or evade detection.

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

ATT&CK ID: T1218, T1218.01

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 image="*scrobj.dll" -user IN EXCLUDED_USERS

LP_Execution via Windows Scripting Host Component Detected¶

Trigger Condition: This alert detects the execution of a script using the Windows Scripting Host (WSH) component on a system. WSH is a Microsoft technology that allows users to run scripts and automate tasks on Windows systems. Adversaries may use WSH to execute their payloads or automate their system activities. Adversaries may use the WSH component to execute arbitrary code on a system, potentially allowing them to access sensitive information or compromise the system. They may also use it to hide their activities’ true nature or evade detection.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter

ATT&CK ID: T1059

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 image in ["*wshom.ocs", "*scrrun.dll", "*vbscript.dll"] -user IN EXCLUDED_USERS

LP_Exfiltration and Tunneling Tools Execution¶

Trigger Condition: Execution of tools for data exfiltration and tunneling are detected.

ATT&CK Category: Exfiltration

ATT&CK Tag: Automated Exfiltration

ATT&CK ID: T1020

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 new_process IN ["*\plink.exe", "*\socat.exe", "*\stunnel.exe", "*\httptunnel.exe"] -user IN EXCLUDED_USERS

LP_Exim MTA Remote Code Execution Vulnerability Detected¶

Trigger Condition: Remote code execution vulnerability in Exim MTA is detected. The U.S. National Security Agency (NSA) reported that Russian military cyber actors, also known as Sandworm Team, have been actively exploiting a critical vulnerability in Exim MTA since August 2019.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
norm_id=VulnerabilityManagement cve_id="*CVE-2019-10149*"

LP_Exim Remote Command Execution Detected¶

Trigger Condition: Remote command execution in Exim is detected (CVE-2019-10149 is detected).

ATT&CK Category: Execution

ATT&CK Tag: Exploitation for Client Execution

ATT&CK ID: T1203

Minimum Log Source Requirement: Mail Server
Query:
norm_id=* receiver="*${run*"

LP_Existing Service Modification Detected¶

Trigger Condition: A modification of an existing service via sc.exe system utility is detected. Adversaries abuse the Windows Service Control Manager to execute malicious commands or payloads without creating new services.

ATT&CK Category: Persistence,Privilege Escalation

ATT&CK Tag: Create or Modify System Process, Windows Service

ATT&CK ID: T1543, T1543.003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*sc.exe" or image="*powershell.exe" or image="*cmd.exe") command="*sc*config*binpath*" -user IN EXCLUDED_USERS

LP_Exploit for CVE-2017-0261 Detected¶

Trigger Condition: Winword initiating an uncommon subprocess FLTLDR.exe used for exploitation of CVE-2017-0261 and CVE-2017-0262 is detected.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\FLTLDR.exe*" -user IN EXCLUDED_USERS

LP_Exploit for CVE-2017-8759 Detected¶

Trigger Condition: Winword starting unfamiliar subprocess csc.exe used in exploits for CVE-2017-8759 is detected.

ATT&CK Category: Execution

ATT&CK Tag: Exploitation for Client Execution

ATT&CK ID: T1203

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\csc.exe" -user IN EXCLUDED_USERS

LP_Exploiting SetupComplete CVE-2019-1378 Detected¶

Trigger Condition: The exploitation attempt of privilege escalation vulnerability via Setup Complete.cmd and PartnerSetup Complete.cmd described in CVE-2019-1378 is detected.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_command IN ["*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd", "*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd"] -image IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C:\Windows\WinSxS\*", "C:\Windows\Setup\*"] -user IN EXCLUDED_USERS

LP_External Disk Drive or USB Storage Device Detected¶

Trigger Condition: External disk drives or plugged in USB devices are detected.

ATT&CK Category: Lateral Movement, Initial Access

ATT&CK Tag: Replication Through Removable Media, Hardware Additions

ATT&CK ID: T1091, T1200

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer ((event_id IN ["6416"] class="DiskDrive") OR message="USB Mass Storage Device") -user IN EXCLUDED_USERS

LP_Fail2ban IP Banned¶

Trigger Condition: A client’s IP address is banned after exceeding the limit for failed authentications.

ATT&CK Category: Credential Access, Persistence

ATT&CK Tag: Brute Force, Valid Accounts, Account Manipulation

ATT&CK ID: T1110, T1078, T1098

Minimum Log Source Requirement: Fail2ban
Query:
norm_id=Fail2ban label=IP label=Block | process geoip(source_address) as country

LP_File and Directory Discovery Using PowerShell Detected¶

Trigger Condition: Enumeration of files and directories via Command and Scripting Interpreter and PowerShell is detected.

ATT&CK Category: Discovery

ATT&CK Tag: File and Directory Discovery

ATT&CK ID: T1083

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4103 (command_name="get-childitem*" OR command="get-childitem*") -user IN EXCLUDED_USERS | rename command_name as command

LP_File Creation by Command Prompt¶

Trigger Condition: The creation of a new file using the command prompt on a system. The command prompt is a command-line interface allowing users to execute and run Windows systems’ scripts. Adversaries may use the command prompt to create new files, potentially to drop and execute malicious payloads or store data for later retrieval. For example, ipconfig /all > logs.dmp False positive Notice: Administrative tasks and genuine processes might cause the alert to trigger as well. Proper analysis and whitelisting is recommended.

ATT&CK Category: Execution

ATT&CK Tag: Command-Line Interface

ATT&CK ID: T1059

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 file=* source_image="*cmd.exe" -user IN EXCLUDED_USERS

LP_File Creation by PowerShell Detected¶

Trigger Condition: The creation of a new file using PowerShell on a system. PowerShell is a powerful scripting language that is built into Windows and can be used to automate a wide variety of tasks. Adversaries may use PowerShell to create new files, potentially to drop and execute malicious payloads or store data for later retrieval. False positive Notice: Administrative tasks and genuine processes might cause the alert to trigger as well. Proper analysis and whitelisting are recommended.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 file=* source_image="*powershell.exe" -file IN ["__PSScriptPolicyTest_*", "PowerShell_transcript.*", "powershell.exe.log", "StartupProfileData*", "ModuleAnalysisCache"] -user IN EXCLUDED_USERS -file IN ["*.mui"]

LP_File Deletion Detected¶

Trigger Condition: Adversaries delete files to erase the traces of the intrusion.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Indicator Removal on Host, File Deletion

ATT&CK ID: T1070, T1070.004

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (command="*remove-item*" or command="*vssadmin*Delete Shadows /All /Q*" or command="*wmic*shadowcopy delete*" or command="*wbdadmin* delete catalog -q*" or command="*bcdedit*bootstatuspolicy ignoreallfailures*" or command="*bcdedit*recoveryenabled no*") -user IN EXCLUDED_USERS

LP_File or Folder Permissions Modifications¶

Trigger Condition: Modifications to the permissions of files or folders on a system. File and folder permissions control a system’s access to files and directories and determine which users and processes are allowed to read, write, or execute them. Adversaries may attempt to modify these permissions to gain unauthorized access to sensitive files or to execute arbitrary code on a system. They may also use these modifications to escalate their system privileges or move laterally within an organization’s network.

ATT&CK Category: Defense Evasion

ATT&CK Tag: File and Directory Permissions Modification

ATT&CK ID: T1222

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image IN ["*\takeown.exe", "*\cacls.exe", "*\icacls.exe"] command="*/grant*") OR (image="*\attrib.exe" command="*-r*")) -user IN EXCLUDED_USERS

LP_File System Permissions Weakness¶

Trigger Condition: A weakness in the file system permissions on a system is detected. File system permissions control access to files and directories and determine which users and processes can read, write, or execute them. Adversaries may exploit weaknesses in file system permissions to gain unauthorized access to sensitive files or execute arbitrary code on a system.

ATT&CK Category: Persistence, Privilege Escalation, Defense Evasion

ATT&CK Tag: Hijack Execution Flow, Services File Permissions Weakness

ATT&CK ID: T1574,T1574.010

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 (image="*\Temp\*" or image="*C:\Users\*" or status!="*Valid*") -user IN EXCLUDED_USERS

LP_Fireball Archer Installation Detected¶

Trigger Condition: Invocation of an Archer malware via rundll32 is detected.

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Command-Line Interface,Signed Binary Proxy Execution, Rundll32

ATT&CK ID: T1059, T1218, T1218.011

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*\rundll32.exe *, InstallArcherSvc" -user IN EXCLUDED_USERS

LP_Firewall Configuration Modification Detected¶

Trigger Condition: When there is a change or modification to the Windows firewall configuration on a system. This could indicate malicious activity, as an adversary may be attempting to disable or bypass the firewall to gain unauthorized access to the system or network. False Positive Notice: Legitimate system maintenance or system administration tasks may involve the modification of firewall configurations, and these could potentially trigger the alert. It is essential to carefully review and investigate any instances of this alert before taking action to ensure that the activity detected is genuinely malicious.

ATT&CK Category: Command and Control

ATT&CK Tag: Non-Standard Port

ATT&CK ID: T1571

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4946 rule=* -user IN EXCLUDED_USERS

LP_Firewall Disabled via Netsh Detected¶

Trigger Condition: netsh command turns off the Windows firewall.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["netsh firewall set opmode mode=disable", "netsh advfirewall set * state off"] -user IN EXCLUDED_USERS

LP_First Time Seen Remote Named Pipe¶

Trigger Condition: The alert rule excludes the named pipes accessible remotely and notifies on new cases. Also, it helps to detect lateral movement and remote execution using named pipes.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote Services

ATT&CK ID: T1021

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=5145 share_name="IPC$" -relative_target IN ["atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds"] -user IN EXCLUDED_USERS

LP_FirstClass Failed Login Attempt¶

Trigger Condition: A user or a gateway attempts to log in with an incorrect password.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Exploitation for Credential Access, Exploitation for Privilege Escalation, Brute Force

ATT&CK ID: T1212, T1068, T1110

Minimum Log Source Requirement: Firstclass
Query:
norm_id=FirstClass label=Login label=Fail

LP_FirstClass Failed Password Change Attempt¶

Trigger Condition: A user fails to change their password.

ATT&CK Category: Credential Access, Persistence

ATT&CK Tag: Account Manipulation, Exploitation for Credential Access, Exploitation for Privilege Escalation

ATT&CK ID: T1098, T1212, T1068

Minimum Log Source Requirement: Firstclass
Query:
norm_id=FirstClass label=Password label=Change label=Fail

LP_Formbook Process Creation Detected¶

Trigger Condition: Formbook like process executions injecting code into a set of files in the System32 folder, which executes a unique command line to delete the dropper from the AppData Temp folder is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_command IN ["C:\Windows\System32\*.exe", "C:\Windows\SysWOW64\*.exe"] command IN ["* /c del *C:\Users\*\AppData\Local\Temp\*.exe", "* /c del *C:\Users\*\Desktop\*.exe", "* /C type nul > *C:\Users\*\Desktop\*.exe"] -user IN EXCLUDED_USERS

LP_FortiGate Admin Login Disable¶

Trigger Condition: The administrator login is disabled in the system.

ATT&CK Category: Impact, Credential Access, Persistence

ATT&CK Tag: Account Access Removal, Account Manipulation

ATT&CK ID: T1531, T1098

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=event sub_category=system message_id=32021 user=*

LP_FortiGate Anomaly¶

Trigger Condition: An anomaly in the system is detected.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning

ATT&CK ID: T1046

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=anomaly sub_category=anomaly log_level=alert attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

LP_FortiGate Antivirus Botnet Warning¶

Trigger Condition: A botnet warning from antivirus is detected.

ATT&CK Category: Command and Control, Impact

ATT&CK Tag: Proxy, Network Denial of Service

ATT&CK ID: T1090, T1498

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* (event_category=av OR event_category=antivirus) sub_category=botnet message_id=9248 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

LP_FortiGate Antivirus Scan Engine Load Failed¶

Trigger Condition: Antivirus Scan Engine Load Failure is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

ATT&CK ID: T1562, T1562.001

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=av sub_category=scanerror message_id=8974 | process geoip(source_address) as source_location | process geoip(destination_address) as destination_location

LP_FortiGate Attack¶

Trigger Condition: An attack in the system is detected.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service

ATT&CK ID: T1498

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

LP_FortiGate Critical Events¶

Trigger Condition: Critical events in the system are detected.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning

ATT&CK ID: T1046

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=event sub_category=system log_level=critical

LP_FortiGate Data Leak Protection¶

Trigger Condition: An attempt to data leak is detected.

ATT&CK Category: Exfiltration

ATT&CK Tag: Automated Exfiltration

ATT&CK ID: T1020

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=utm sub_category=dlp file=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

LP_FortiGate IPS Events¶

Trigger Condition: An intrusion attempt is detected in the system.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

ATT&CK ID: T1046, T1211

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=utm sub_category=ips user=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

LP_FortiGate Malicious URL Attack¶

Trigger Condition: A malicious attack in a system is detected. This alert rule is valid only for FortiOS V6.0.4.

ATT&CK Category: Initial Access

ATT&CK Tag: Phishing, Spearphishing Link

ATT&CK ID: T1566, T1566.002

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=ips sub_category="malicious-url" message_id=16399 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

LP_FortiGate Virus¶

Trigger Condition: A virus attack is detected.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

ATT&CK ID: T1046, T1211

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=utm sub_category=virus | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

LP_FortiGate VPN SSL User Login Failed¶

Trigger Condition: A VPN SSL login failure is detected.

ATT&CK Category: Initial Access, Credential Access

ATT&CK Tag: Valid Accounts, Brute Force

ATT&CK ID: T1078, T1110

Minimum Log Source Requirement: Fortigate
Query:
norm_id=Forti* event_category=event sub_category=vpn message_id=39426 user=*

LP_FromBase64String Command Line Detected¶

Trigger Condition: When the “FromBase64String” command is used in a command line interface on a system. This command decodes a string that has been encoded using base64 encoding. The FromBase64String command is not necessarily malicious, as it can be used for legitimate purposes such as decoding base64-encoded data. However, an adversary may use this command as part of a malicious attack. For example, they may use it to decode a base64-encoded payload injected into the system to execute arbitrary code. False positive Notice: Legitimate system maintenance or system administration tasks may involve the use of the FromBase64String command, and these could potentially trigger the alert. It is essential to carefully review and investigate any instances of this alert before taking any action to ensure that the activity being detected is truly malicious.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: T1059.001 - PowerShell, T1059.003 - Windows Command Shell, T1140 - Deobfuscate/Decode Files or Information

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*::FromBase64String(*" -user IN EXCLUDED_USERS

LP_FSecure File Infection¶

Trigger Condition: An infected file is detected.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, File and Directory Discovery

ATT&CK ID: T1046, T1083

Minimum Log Source Requirement: Fsecure Gatekeeper
Query:
norm_id=FSecureGatekeeper label=Infection label=File label=Attack

LP_FSecure Virus Detection¶

Trigger Condition: Virus alert is detected while scanning.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

ATT&CK ID: T1046, T1211

Minimum Log Source Requirement: Fsecure
Query:
norm_id=FSecure* label=Detect label=Malware malware=*

LP_Fsutil Suspicious Invocation Detected¶

Trigger Condition: When the “fsutil” command is used in a suspicious or potentially malicious way on a system. The fsutil command is a utility that allows users to perform various file system tasks, such as creating hard links, managing to reparse points and dismounting volumes. It might indicate that a ransomware attack (seen by NotPetya and others) has occurred.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Indicator Removal on Host

ATT&CK ID: T1070

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*\fsutil.exe" OR file="fsutil.exe") command IN ["*deletejournal*", "*createjournal*"] -user IN EXCLUDED_USERS

LP_GAC DLL Loaded Via Office Applications Detected¶

Trigger Condition: GAC DLL loaded by an Office Product is detected.

ATT&CK Category: Initial Access

ATT&CK Tag: Phishing, Spearphishing Attachment

ATT&CK ID: T1566, T1566.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*"] -user IN EXCLUDED_USERS

LP_GALLIUM Artifacts Detected¶

Trigger Condition: Artifacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019 are detected.
ATT&CK Category: Credential Access, Command and Control
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

(norm_id=WindowsSysmon event_id=1 hash_sha1 IN ["53a44c2396d15c3a03723fa5e5db54cafd527635", "9c5e496921e3bc882dc40694f1dcc3746a75db19", "aeb573accfd95758550cf30bf04f389a92922844", "79ef78a797403a4ed1a616c68e07fff868a8650a", "4f6f38b4cec35e895d91c052b1f5a83d665c2196", "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d", "e841a63e47361a572db9a7334af459ddca11347a", "c28f606df28a9bc8df75a4d5e5837fc5522dd34d", "2e94b305d6812a9f96e6781c888e48c7fb157b6b", "dd44133716b8a241957b912fa6a02efde3ce3025", "8793bf166cb89eb55f0593404e4e933ab605e803", "a39b57032dbb2335499a51e13470a7cd5d86b138", "41cc2b15c662bc001c0eb92f6cc222934f0beeea", "d209430d6af54792371174e70e27dd11d3def7a7", "1c6452026c56efd2c94cea7e0f671eb55515edb0", "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a", "4923d460e22fbbf165bbbaba168e5a46b8157d9f", "f201504bd96e81d0d350c3a8332593ee1c9e09de", "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"]) OR (event_source="DNS Server" event_id=257 domain IN ["asyspy256.ddns.net", "hotkillmail9sddcc.ddns.net", "rosaf112.ddns.net", "cvdfhjh1231.myftp.biz", "sz2016rose.ddns.net", "dffwescwer4325.myftp.biz", "cvdfhjh1231.ddns.net"]) OR (event_id=1 hash_sha1="e570585edc69f9074cb5e8a790708336bd45ca0f" -image IN ["*:\Program Files(x86)\\*", "*:\Program Files\\*"])

LP_Generic Password Dumper Activity on LSASS Detected¶

Trigger Condition: Process handle on LSASS process with access mask is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer (event_id=4656 OR event_id="4663") object_name="*\lsass.exe" access_mask IN ["*0x40*", "*0x1400*", "*0x1000*", "*0x100000*", "*0x1410*", "*0x1010*", "*0x1438*", "*0x143a*", "*0x1418*", "*0x1f0fff*", "*0x1f1fff*", "*0x1f2fff*", "*0x1f3fff*"] -user IN EXCLUDED_USERS

LP_Grabbing Sensitive Hives via Reg Utility¶

Trigger Condition: Grabbing of Sensitive Hives via Reg Utility.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command IN ["*save*", "*export*"] command IN ["*hklm*", "*hkey_local_machine*"] command IN ["*\system", "*\sam", "*\security"] -user IN EXCLUDED_USERS

LP_Hacktool Ruler Detected¶

Trigger Condition: Sensepost uses a Hacktool ruler.

ATT&CK Category: Discovery, Execution

ATT&CK Tag: Account Discovery, Use Alternate Authentication Material, Pass the Hash, Email Collection, Command-Line Interface + ATT&CK ID: T1087, T1550, T1550.002, T1114, T1059

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id IN ["4776", "4624", "4625"] workstation="RULER" -user IN EXCLUDED_USERS

LP_HH Execution Detected¶

Trigger Condition: When the “hh.exe” process is detected running on a system. HH.exe is a legitimate process associated with the Windows HTML Help feature and is used to display compiled help files (.chm) on a system. While the execution of hh.exe in itself is not necessarily malicious, an adversary may use this process as part of a larger attack. For example, they may embed malicious code in a compiled help file and use hh.exe to execute it on a target system. False Positive Note: Legitimate applications or system processes may use hh.exe to display help files, which could potentially trigger the alert. It is essential to carefully review and investigate any instances of this alert before taking any action to ensure that the activity being detected is truly malicious.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Compiled HTML File

ATT&CK ID: T1218, T1218.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\hh.exe" command="*.chm*" -user IN EXCLUDED_USERS

LP_Hidden Cobra Affected Host¶

Trigger Condition: Windows Server is affected by Hidden Cobra.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Windows
Query:
(object IN HIDDEN_COBRA_FILES OR file in HIDDEN_COBRA_FILES OR hash in HIDDEN_COBRA_FILES) host=* | rename object as file

LP_Hidden Cobra Emails Sent to Attacker¶

Trigger Condition: LogPoint detects an email sent to Hidden Cobra listed emails.

ATT&CK Category: Exfiltration, Collection

ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

ATT&CK ID: T1041, T1114

Minimum Log Source Requirement: Mail Server
Query:
sender=* receiver=* receiver in HIDDEN_COBRA_EMAIL (host=* OR source_host=*) | rename source_host as host

LP_Hidden Cobra Vulnerable Sources¶

Trigger Condition: Vulnerability Scanning Tools detect Hidden Cobra’s vulnerable hosts.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
cve_id in HIDDEN_COBRA_CVE source_address=* | rename title as vulnerability, domain as host

LP_Hidden Files and Directories - VSS Detected¶

Trigger Condition: Adversaries hide files and directories to evade detection.

ATT&CK Category: Defense Evasion, Persistence

ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

ATT&CK ID: T1564, T1564.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*\VolumeShadowCopy*\*" or command="*\VolumeShadowCopy*\*") -user IN EXCLUDED_USERS

LP_Hidden Files and Directories Detected¶

Trigger Condition: When the presence of hidden files and directories on a system is detected. Adversaries may use hidden files and directories to conceal malicious files or activities from the victim. They may also use these files to store command and control information or to persist on a system after an initial compromise. By hiding their files and directories, adversaries can make it more difficult for defenders to detect and respond to their activities.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

ATT&CK ID: T1564, T1564.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*attrib.exe" (command="*+h*" or command="*+s*") -user IN EXCLUDED_USERS

LP_Hidden PowerShell Window Detected¶

Trigger Condition: When a hidden PowerShell window is detected on the system. Adversaries can use hidden PowerShell windows to conceal their actions and execute malicious code without the victim’s knowledge. These windows can be challenging to detect and can be used to persist on a system after an initial compromise. It is important to identify and address hidden PowerShell windows, as they may indicate an active adversary on the system. Log source requirement: This alert requires the log source to be a system event log with Event ID 1074.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Hide Artifacts, Hidden Window

ATT&CK ID: T1564, T1564.003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4688 "process"="*powershell.exe" (commandline="*-w*hid*" OR command="*-w*hid*") -user IN EXCLUDED_USERS

LP_Hiding Files with Attrib Detected¶

Trigger Condition: The use of attrib.exe to hide files from users is detected.

ATT&CK Category: Defense Evasion, Persistence

ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

ATT&CK ID: T1564, T1564.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\attrib.exe" command="* +h *" -(command="*\desktop.ini *" OR (parent_image="*\cmd.exe" command="+R +H +S +A \*.cui" parent_command="*\WINDOWS\system32\*.bat")) -user IN EXCLUDED_USERS

LP_Hooking Activities Detected¶

Trigger Condition: Adversaries try to capture user input to obtain credentials or collect information. Adversaries may use hooking to intercept and modify system or application function calls, allowing them to gain unauthorized access to sensitive information or perform malicious actions. Hooking can also be used to bypass security controls and evade detection.

ATT&CK Category: Collection, Credential Access

ATT&CK Tag: Input Capture, Credential API Hooking

ATT&CK ID: T1056, T1056.004

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*mavinject.exe" or command="*/INJECTRUNNING*") -user IN EXCLUDED_USERS

LP_Hurricane Panda Activity Detected¶

Trigger Condition: LogPoint detects Hurricane Panda activity.

ATT&CK Category: Privilege Escalation

ATT&CK Tag: Exploitation for Privilege Escalation

ATT&CK ID: T1068

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["* localgroup administrators admin /add", "*\Win64.exe*"] -user IN EXCLUDED_USERS

LP_IIS Native-Code Module Command Line Installation¶

Trigger Condition: LogPoint detects suspicious IIS native-code module installations via the command line.

ATT&CK Category: Persistence

ATT&CK Tag: Server Software Component, Web Shell

ATT&CK ID: T1505, T1505.003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*\APPCMD.EXE install module /name:*"] -user IN EXCLUDED_USERS

LP_Image File Execution Options Injection¶

Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.

ATT&CK Category: Privilege Escalation, Persistence, Defense Evasion

ATT&CK Tag: Event Triggered Execution, Image File Execution Options Injection

ATT&CK ID: T1546, T1546.012

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" or target_object="*\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*") -user IN EXCLUDED_USERS

LP_Impair Defenses - Disable or Modify Tools - Service Stopped¶

Trigger Condition: Adversaries maliciously modify components of a victim environment to hinder or disable defensive mechanisms.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

ATT&CK ID: T1562, T1562.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*sc.exe") command="*stop*" -user IN EXCLUDED_USERS

LP_In-memory PowerShell Detected¶

Trigger Condition: Loading of essential DLL used by PowerShell, but not by the process powershell.exe is detected. In addition, it detects the Meterpreter’s Load PowerShell extension.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 image IN ["*\System.Management.Automation.Dll", "*\System.Management.Automation.ni.Dll"] -source_image IN ["*\powershell.exe", "*\powershell_ise.exe", "*\WINDOWS\System32\sdiagnhost.exe", "*\mscorsvw.exe", "*\WINDOWS\System32\RemoteFXvGPUDisablement.exe"] -user="NT AUTHORITY\SYSTEM" -user IN EXCLUDED_USERS

LP_Indicator Blocking - Driver Unloaded¶

Trigger Condition: Adversary blocks indicators or events captured by sensors from being gathered and analyzed.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Indicator Blocking

ATT&CK ID: T1562, T1562.006

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*fltmc.exe" or command="*fltmc*unload*") -user IN EXCLUDED_USERS

LP_Indicator Blocking - Sysmon Registry Edited¶

Trigger Condition: Adversary blocks indicators or events captured by sensors from being gathered and analyzed.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Indicator Blocking

ATT&CK ID: T1562, T1562.006

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*HKLM\System\CurrentControlSet\Services\SysmonDrv\*" or target_object="*HKLM\System\CurrentControlSet\Services\Sysmon\*" or target_object="*HKLM\System\CurrentControlSet\Services\Sysmon64\*") (image!="*Sysmon64.exe" or image!="*Sysmon.exe") -user IN EXCLUDED_USERS

LP_Indirect Command Execution Detected¶

Trigger Condition: When indirect command execution via Program Compatibility Assistant is detected. pcalua.exe, forfiles.exe. or pcalua.exe is a command-line tool that allows users to run programs with administrator access rights on Windows operating systems. It is useful for running programs that require elevated permissions, such as installing or modifying system-level software. forfiles.exe is a command-line tool that enables a user to run a command on multiple files in a specified directory. It helps batch process multiple files, such as deleting or renaming them. Adversaries can use it to achieve indirect command execution.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Indirect Command Execution

ATT&CK ID: T1202

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image IN ["*\pcalua.exe", "*\forfiles.exe"] -user IN EXCLUDED_USERS

LP_Install Root Certificate¶

Trigger Condition: Adversaries undermine security controls that will either warn users of the untrusted activity or prevent the execution of untrusted programs.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Subvert Trust Controls, Install Root Certificate

ATT&CK ID: T1553, T1553.004

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) image!="*svchost.exe" (target_object="*\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*" or target_object="*\Microsoft\SystemCertificates\Root\Certificates\*") -user IN EXCLUDED_USERS

LP_Suspicious InstallUtil Execution¶

Trigger Condition: Adversaries use InstallUtil for proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Typically, adversaries will utilize the most commonly found way to invoke via the InstallUtil Uninstall method.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, InstallUtil

ATT&CK ID: T1218, T1218.004

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=3 (image="*InstallUtil.exe" or command="*\/logfile= \/LogToConsole=false \/U*") -user IN EXCLUDED_USERS

LP_InvisiMole Malware Connection to Malicious Domains¶

Trigger Condition: A connection with domain related to the InvisiMole Malware is detected.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in INVISIMOLE_MALWARE_DOMAINS

LP_InvisiMole Malware Connection to Malicious Sources¶

Trigger Condition: A host makes an outbound connection to InvisiMole malware sources.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
(destination_address IN INVISIMOLE_MALWARE_IPS OR source_address IN INVISIMOLE_MALWARE_IPS) | process geoip(destination_address) as country

LP_InvisiMole Malware Exploitable Vulnerabilities Detected¶

Trigger Condition: Vulnerability Management detects the presence of vulnerabilities linked to InvisiMole malware that targets high-profile military and diplomatic entities.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
norm_id=VulnerabilityManagement (cve_id="*CVE-2017-0144*" OR cve_id="*CVE-2019-0708*")

LP_InvisiMole Malware Infected Host Detected¶

Trigger Condition: InvisiMole malware-infected host is detected.

ATT&CK Category: Impact

ATT&CK Tag: Data Destruction, Proxy

ATT&CK ID: T1485, T1090

Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon
Query:
host=* hash=* hash IN INVISIMOLE_MALWARE_HASHES

LP_Invocation of Active Directory Diagnostic Tool Detected¶

Trigger Condition: Execution of ntdsutil.exe used for various attacks against the OS Credential Dumping, NTDS database (OS Credential Dumping, NTDS.DIT) is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*\ntdsutil*" -user IN EXCLUDED_USERS

LP_Java Running with Remote Debugging¶

Trigger Condition: LogPoint detects a JAVA process running with remote debugging, allowing the local host to connect.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning

ATT&CK ID: T1046

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*transport=dt_socket, address=*" -command="*address=127.0.0.1*" -command="*address=localhost*" -user IN EXCLUDED_USERS

LP_Judgement Panda Exfil Activity¶

Trigger Condition: Judgement Panda activity described in Global Threat Report 2019 by Crowdstrike is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Credentials in Files, Credential Dumping

ATT&CK ID: T1552, T1552.001, T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image="*\xcopy.exe" command="* /S /E /C /Q /H *") OR (image="*\adexplorer.exe" command="* -snapshot * c:\users\*")) -user IN EXCLUDED_USERS

LP_Judgement Panda Exfil Activity Detected¶

Trigger Condition: Judgement Panda activity described in Global Threat Report 2019 by Crowdstrike is detected.

ATT&CK Category: Lateral Movement, Credential Access, Exfiltration, Collection

ATT&CK Tag: Account Manipulation, Data Compressed, Archive Collected Data

ATT&CK ID: T1098, T1056

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (command IN ["*\ldifde.exe -f -n *", "*\7za.exe a 1.7z *", "* eprod.ldf", "*\aaaa\procdump64.exe*", "*\aaaa\netsess.exe*", "*\aaaa\7za.exe*", "*copy .\1.7z \*", "*copy \client\c$\aaaa\*"] OR image="C:\Users\Public\7za.exe") -user IN EXCLUDED_USERS

LP_JunOS Attack¶

Trigger Condition: LogPoint detects an attack pattern.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

ATT&CK ID: T1498, T1499

Minimum Log Source Requirement: JunOS
Query:
norm_id=JunOS (label=Application OR label=appddos OR threat=*dos*) label=Attack (label=Warning OR label=Successful)

LP_JunOS Authentication Failed¶

Trigger Condition: Failure of an authentication.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Valid Accounts, Brute Force

ATT&CK ID: T1078, T1110

Minimum Log Source Requirement: JunOS
Query:
norm_id=JunOS label=User (label=Authentication OR Login) label=Fail

LP_JunOS Policy Violation¶

Trigger Condition: A policy violation is detected.

ATT&CK Category: Defense Evasion, Privilege Escalation, Credential Access

ATT&CK Tag: Bypass User Access Control, Exploitation for Credential Access, Exploitation for Privilege Escalation

ATT&CK ID: T1548, T1212, T1068

Minimum Log Source Requirement: JunOS
Query:
norm_id=JunOS label=Policy (label=Violation OR label=Error)

LP_JunOS Security Log Clear¶

Trigger Condition: An administrator has cleared one or more audit logs.

ATT&CK Category: Defense Evasion, Impact

ATT&CK Tag: Indicator Removal on Host, Data Destruction, Indicator Removal on Host, File Deletion

ATT&CK ID: T1070, T1485, T1070, T1070.004

Minimum Log Source Requirement: JunOS
Query:
norm_id=JunOS label=Log label=Clear

LP_Kaspersky Antivirus - Outbreak Detection¶

Trigger Condition: This alert rule is triggered whenever a threat is detected.

ATT&CK Category: Impact

ATT&CK Tag: Software Discovery, Security Software Discovery

ATT&CK ID: T1518, T1518.001

Minimum Log Source Requirement: Kaspersky
Query:
norm_id=KasperskyAntivirus event_type="*threat*detected" | rename wstrPar5 as virus | chart distinct_count(win_name) as CNT by virus, event_type

LP_Kaspersky Antivirus - Update Fail¶

Trigger Condition: Automatic updates are disabled, not all the components are updated, or there is a network error.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

ATT&CK ID: T1562, T1562.001

Minimum Log Source Requirement: Kaspersky
Query:
norm_id=KasperskyAntivirus (event_type="Automatic updates are disabled" OR event_type="Not all components were updated" OR event_type="Network update error" OR event_type="Error updating component"
OR description="Error downloading update files" OR description="Update files are corrupted") | rename event_type as reason, description as reason

LP_Kaspersky Antivirus Extremely Out of Date Event¶

Trigger Condition: Outdated events are detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Indicator Blocking

ATT&CK ID: T1562, T1562.006

Minimum Log Source Requirement: Kaspersky
Query:
norm_id=KasperskyAntivirus event_type="*extremely out of date*"

LP_Kaspersky Antivirus Outbreak Detection by Source¶

Trigger Condition: More than one source is affected by the same virus.

ATT&CK Category: Impact

ATT&CK Tag: Software Discovery, Security Software Discovery

ATT&CK ID: T1518, T1518.001

Minimum Log Source Requirement: Kaspersky
Query:
norm_id=KasperskyAntivirus "event_type"="Threats have been detected" | chart distinct_count(win_name) as DC | search DC>1

LP_Kaspersky Antivirus Outbreak Detection by Virus¶

Trigger Condition: More than ten viruses are detected in the system.

ATT&CK Category: Impact

ATT&CK Tag: Software Discovery, Security Software Discovery

ATT&CK ID: T1518, T1518.001

Minimum Log Source Requirement: Kaspersky
Query:
norm_id=KasperskyAntivirus "event_type"="Threats have been detected" | chart distinct_count(wstrPar5) as DC | search DC>10

LP_Kaspersky Antivirus Threat Affecting Multiple Host¶

Trigger Condition: The same threat is detected in multiple hosts.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Indicator Blocking

ATT&CK ID: T1562, T1562.006

Minimum Log Source Requirement: Kaspersky
Query:
norm_id=KasperskyAntivirus event_type="*threat*detected" | chart distinct_count(win_name) as HostCount by event_type | process quantile(HostCount) | chart count() by event_type, quantile, HostCount

LP_Kerberoasting via PowerShell Detected¶

Trigger Condition: Steal or forge Kerberos tickets, Kerberoasting via Command and Scripting Interpreter, and PowerShell is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

ATT&CK ID: T1558, T1558.003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4103 (command_name="Invoke-Kerberoast" OR command="Invoke-Kerberoast") -user IN EXCLUDED_USERS | rename command_name as command

LP_Kernel Firewall Connection Denied¶

Trigger Condition: Ten firewall connections are denied from the same source to the same destination in a minute.

ATT&CK Category: Impact, Command and Control

ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy

ATT&CK ID: T1498, T1499, T1090

Minimum Log Source Requirement: Kernel
Query:
[10 norm_id=Kernel label=Firewall label=Connection label=Deny having same source_address, destination_address within 1 minute]

LP_Koadic Execution Detected¶

Trigger Condition: Command line parameters used by the Koadic hack tool is detected.

ATT&CK Category: Execution

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*cmd.exe* /q /c chcp *"] -user IN EXCLUDED_USERS

LP_KRACK Vulnerable Source Detected¶

Trigger Condition: Sources vulnerable to KRACK are detected.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
qualys_id=* qualys_id IN [176179, 91411, 196947, 170424, 170428, 196947] source_address=*

LP_Large ICMP Traffic¶

Trigger Condition: ICMP datagrams with a size greater than 1024 bytes are received.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning

ATT&CK ID: T1046

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
((label=Receive label=Packet) or label=Illegal label=Receive label=Packet) (packet_length>1024 or fragment_length>1024)

LP_Local Account Creation on Workstation Detected¶

Trigger Condition: Creation of a local account on a domain workstation that is not Windows Domain Controller (DC).

ATT&CK Category: Persistence

ATT&CK Tag: Create Account

ATT&CK ID: T1136

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label=User label=Account label=Create -target_user="*$" target_user=* -host in WINDOWS_DC -user IN EXCLUDED_USERS

LP_Local Accounts Discovery Detected¶

Trigger Condition: Valid Accounts, Account Discovery, or Local Accounts Discovery is detected.
ATT&CK Category: Discovery
ATT&CK Tag: System Owner/User Discovery, Account Discovery
ATT&CK ID: T1033, T1087
Minimum Log Source Requirement: Windows Sysmon

Query:

(norm_id=WindowsSysmon event_id=1 (((image="*\whoami.exe" OR (image="*\wmic.exe" command="*useraccount*" command="*get*") OR image IN ["*\quser.exe", "*\qwinsta.exe"] OR (image="*\cmdkey.exe" command="*/list*") OR (image="*\cmd.exe" command="*/c*" command="*dir *" command="*\Users\\*")) -(command IN ["* rmdir *"])) OR ((image IN ["*\net.exe", "*\net1.exe"] command="*user*") -(command IN ["*/domain*", "*/add*", "*/delete*", "*/active*", "*/expires*", "*/passwordreq*", "*/scriptpath*", "*/times*", "*/workstations*"])))) -user IN EXCLUDED_USERS

LP_Local Port Monitor¶

Trigger Condition: Adversaries configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

ATT&CK Category: Persistence, Privilege Escalation

ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors

ATT&CK ID: T1547, T1547.01

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\SYSTEM\CurrentControlSet\Control\Print\Monitors\*" -user IN EXCLUDED_USERS

LP_LockCrypt Ransomware¶

Trigger Condition: LockCrypt ransomware encrypts a file.

ATT&CK Category: Impact

ATT&CK Tag: Disk Wipe, Disk Content Wipe, Data Encrypted for Impact, Data Destruction

ATT&CK ID: T1561, T1561.001, T1486, T1485

Minimum Log Source Requirement: Integrity Scanner
Query:
norm_id=IntegrityScanner label = File label="Rename" new_file=*.lock | norm on new_file <path:.*><:'\\'><EncryptedFileName:.*> | norm on file_path <:.*><:'\\'><OriginalFileName:.*> | rename hostname as host | chart count() by log_ts, host, path, OriginalFileName, EncryptedFileName order by count() desc limit 10

LP_LockerGoga Malware Affected Host¶

Trigger Condition: LockerGoga malware infects a host.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon
Query:
host=* (hash IN LOCKERGOGA_HASHES OR hash_sha1 IN LOCKERGOGA_HASHES OR hash_sha256 IN LOCKERGOGA_HASHES OR file IN LOCKERGOGA_FILES OR object IN LOCKERGOGA_FILES) | rename hash_sha1 as hash, hash_sha256 as hash, object as file

LP_LockerGoga Malware Emails Sent to Attacker¶

Trigger Condition: An email is sent to or from LockerGoga malware listed emails.

ATT&CK Category: Command and Control, Exfiltration

ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

ATT&CK ID: T1090, T1041, T1020, T1114

Minimum Log Source Requirement: Mail Server
Query:
(receiver in LOCKERGOGA_EMAILS OR sender in LOCKERGOGA_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host

LP_Log Files Creation of Dot-Net-to-JS Detected¶

Trigger Condition: Creation of log files of Dot-Net-to-JavaScript.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter

ATT&CK ID: T1059

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 path="*UsageLogs*" file in ["*cscript.exe.log", "*wscript.exe.log", "*wmic.exe.log", "*mshta.exe.log", "*svchost.exe.log", "*regsvr32.exe.log", "*rundll32.exe.log"] -user IN EXCLUDED_USERS

LP_Login with WMI Detected¶

Trigger Condition: Logins performed with WMI are detected.

ATT&CK Category: Execution

ATT&CK Tag: Windows Management Instrumentation

ATT&CK ID: T1047

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4624 "process"="*\WmiPrvSE.exe" -user IN EXCLUDED_USERS

LP_Logon Scripts Detected¶

Trigger Condition: Creation or execution of UserInitMprLogon Script persistence method.

ATT&CK Category: Persistence, Lateral Movement

ATT&CK Tag: Logon Scripts

ATT&CK ID: T1037

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=1 ((parent_image="*\userinit.exe" -image="*\explorer.exe" -command IN ["*\netlogon.bat", "*\UsrLogon.cmd"]) OR (command="*UserInitMprLogonScript*"))) OR (event_id IN ["11", "12", "13", "14"] target_object="*UserInitMprLogonScript*") -user IN EXCLUDED_USERS

LP_LSASS Access from Non System Account Detected¶

Trigger Condition: Potential mimikatz-like tools accessing LSASS from non system account is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id IN ["4663", "4656"] object_type="Process" object_name="*\lsass.exe" -user="*$" -user IN EXCLUDED_USERS

LP_LSASS Memory Dump Detected¶

Trigger Condition: Process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for Winodws10 is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=10 image="C:\windows\system32\lsass.exe" access="0x1fffff" call_trace IN ["*dbghelp.dll*", "*dbgcore.dll*"] -user IN EXCLUDED_USERS

LP_LSASS Memory Dump File Creation¶

Trigger Condition: LSASS memory dump creation using operating systems utilities is detected. Procdump uses process name in the output file if no name is specified.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 file="*lsass*dmp" -user IN EXCLUDED_USERS

LP_LSSAS Memory Dump with MiniDumpWriteDump API Detected¶

Trigger Condition: The use of MiniDumpWrite Dump API for dumping lsass.exe memory in a stealth way is detected.Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. For example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker’s machine.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
(norm_id=WindowsSysmon event_id=7 source_image IN ["*\dbghelp.dll", "*\dbgcore.dll"] image IN ["*\msbuild.exe", "*\cmd.exe", "*\svchost.exe", "*\rundll32.exe", "*\powershell.exe", "*\word.exe", "*\excel.exe", "*\powerpnt.exe", "*\outlook.exe", "*\monitoringhost.exe", "*\wmic.exe", "*\msiexec.exe", "*\bash.exe", "*\wscript.exe", "*\cscript.exe", "*\mshta.exe", "*\regsvr32.exe", "*\schtasks.exe", "*\dnx.exe", "*\regsvcs.exe", "*\sc.exe", "*\scriptrunner.exe"] -image="*Visual Studio*") OR (event_id=7 source_image IN ["*\dbghelp.dll", "*\dbgcore.dll"] Signed="FALSE" -image="*Visual Studio*") -user IN EXCLUDED_USERS

LP_LSASS Memory Dumping Detected¶

Trigger Condition: Creation of dump files containing the memory space of lsass.exe, containing sensitive credentials is detected. It identifies the use of Sysinternals procdump.exe to export the memory space of lsass.exe containing sensitive credentials.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((command="*lsass*" command="*.dmp*" -image="*\werfault.exe") OR (image="*\procdump*" image="*.exe" command="*lsass*")) -user IN EXCLUDED_USERS

LP_Macro file Creation Detected¶

Trigger Condition: Creation of a macro file is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Command and Scripting Interpreter

ATT&CK ID: T1059

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 file in ["*.docm", "*.pptm", "*.xlsm", "*.xlm", "*.dotm", "*.xltm", "*.potm", "*.ppsm", "*.sldm", "*.xlam", "*.xla"] -user IN EXCLUDED_USERS

LP_Magecart Exploitable Vulnerabilities Detected¶

Trigger Condition: Vulnerability Management detects the presence of Magento vulnerability linked to Magecart Card Skimming attack on E-Commerce Business.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
norm_id=VulnerabilityManagement cve_id="*CVE-2016-4010*"

LP_Magecart Threat Connection to Malicious Domains¶

Trigger Condition: Any connection to Magecart related domains is detected.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in MAGECART_DOMAINS

LP_Magecart Threat Connection to Malicious Sources¶

Trigger Condition: Hosts make an outbound connection to Magecart sources.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
(destination_address IN MAGECART_IPS OR source_address IN MAGECART_IPS) | process geoip(destination_address) as country

LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected¶

Trigger Condition: When base64 encoded strings are used in hidden malicious Command and Scripting Interpreter, PowerShell command lines. Adversaries hide their activities by encoding commands to bypass detection with this technique.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" command IN ["* hidden *", "*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", "*aXRzYWRtaW4gL3RyYW5zZmVy*",
"*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", "*JpdHNhZG1pbiAvdHJhbnNmZX*","*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", "*Yml0c2FkbWluIC90cmFuc2Zlc*",
"*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*","*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*",
"*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", "*lPLkNvbXByZXNzaW9u*",
"*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*", "*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*", "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*",
"*lPLk1lbW9yeVN0cmVhb*","*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*", "*Ty5NZW1vcnlTdHJlYW*", "*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*","*AEcAZQB0AEMAaAB1AG4Aaw*",
"*LgBHAGUAdABDAGgAdQBuAGsA*", "*LkdldENodW5r*","*R2V0Q2h1bm*", "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", "*RIUkVBRF9JTkZPNj*",
"*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*", "*VEhSRUFEX0lORk82N*",
"*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*", "*cmVhdGVSZW1vdGVUaHJlYW*", "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*", "*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*",
"*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*", "*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*", "*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*"] -user IN EXCLUDED_USERS

LP_Malicious File Execution Detected¶

Trigger Condition: Execution of a suspicious file by wscript and cscript.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter

ATT&CK ID: T1059

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image IN ["*\wscript.exe", "*\cscript.exe"] command IN ["*.jse", "*.vbe", "*.js", "*.vba"] -user IN EXCLUDED_USERS

LP_Malicious PowerShell Commandlet Names Detected¶

Trigger Condition: LogPoint detects Commandlet names from well-known Command and Scripting Interpreter, and PowerShell exploitation frameworks.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
(norm_id=WindowsSysmon event_id=11 file IN MALICIOUS_POWERSHELL_COMMANDLET_NAMES) or (norm_id=WinServer command IN MALICIOUS_POWERSHELL_COMMANDS) -user IN EXCLUDED_USERS

LP_Malicious Service Installations Detected¶

Trigger Condition: Malicious service installs appearing in lateral movement, credential dumping, and other suspicious activity are detected.

ATT&CK Category: Persistence, Privilege Escalation

ATT&CK Tag: Credential Dumping, System Services, Service Execution, New Service

ATT&CK ID: T1003, T1569, T1569.002, T1543

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=7045 service in ["*\PAExec*", "mssecsvc2.0", "*net user*", "WCESERVICE", "WCE SERVICE", "winexesvc.exe*", "*\DumpSvc.exe", "pwdump*", "gsecdump*", "cachedump*"] -user IN EXCLUDED_USERS

LP_Malware Shellcode in Verclsid Target Process¶

Trigger Condition: A process accessing verclsid.exe that injects shellcode from a Microsoft Office application or VBA macro is detected.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Process Injection, Signed Binary Proxy Execution, Verclsid

ATT&CK ID: T1055, T1218, T1218.012

Minimum Log Source Requirement: Windows Sysmon
Query:
event_id=10 image="*\verclsid.exe" access="0x1FFFFF" (call_trace="*|UNKNOWN(*VBE7.DLL*" OR (source_image="*\Microsoft Office\*" call_trace="*|UNKNOWN*")) -user IN EXCLUDED_USERS

LP_Malware Threat Affected Host¶

Trigger Condition: A malware infects a host.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Windows
Query:
(object IN MALWARE_FILES OR file in MALWARE_FILES OR hash in MALWARE_HASHES) host=* | rename object as file

LP_Malware Threat Connection from Malicious Source¶

Trigger Condition: Inbound connection from malicious sources is detected.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
(source_address=* OR destination_address=*) source_address in MALWARE_IP destination_address IN HOMENET | process geoip(source_address) as country

LP_Malware Threat Connection to Malicious Destination¶

Trigger Condition: Hosts make an outbound connection to malicious sources.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
(source_address=* OR destination_address=*) destination_address in MALWARE_IP source_address IN HOMENET |process geoip(destination_address) as country

LP_Malware Threat Connection to Malicious URLs¶

Trigger Condition: A connection to a malicious URL is detected.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
url=* source_address=* | process domain(url) as domain| search domain in MALWARE_URL

LP_Malware Threat Emails Sent to Attacker¶

Trigger Condition: Email is sent to malware listed emails.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

ATT&CK ID: T1090, T1041, T1020, T1114

Minimum Log Source Requirement: Mail Server
Query:
(receiver in MALWARE_EMAILS OR sender in MALWARE_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host

LP_Masquerading Extension Detected¶

Trigger Condition: Masquerading of file extension is detected. Adversaries manipulate features of their artifacts to evade defenses and observation.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*.doc.*" or image="*.docx.*" or image="*.xls.*" or image="*.xlsx.*" or image="*.pdf.*" or image="*.rtf.*" or image="*.jpg.*" or image="*.png.*" or image="*.jpeg.*" or image="*.zip.*" or image="*.rar.*" or image="*.ppt.*" or image="*.pptx.*") -user IN EXCLUDED_USERS

LP_Masquerading File Location Detected¶

Trigger Condition: Masquerading of file location is detected. Adversaries manipulate features of their artifacts to evade defenses and observation.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 (source_image="*SysWOW64*" or source_image="*System32*" or source_image="*AppData*" or image="*Temp*") (file="*.exe" or file="*.dll*" or file="*.bat*" or file="*.com*" or file="*.ps1*" or file="*.py*" or file="*.js*" or file="*.vbs*" or file="*.hta*") -user IN EXCLUDED_USERS

LP_Matrix Encrypted Files¶

Trigger Condition: Matrix malware encrypted files are detected.

ATT&CK Category: Impact

ATT&CK Tag: Data Encrypted for Impact, Data Encrypted, Data Destruction

ATT&CK ID: T1486, T1022, T1485

Minimum Log Source Requirement: Integrity Scanner
Query:
norm_id=IntegrityScanner label="Rename" label=File new_file IN MATRIX_FILE | norm on new_file <path:.*><:'\\'><EncryptedFileName:string> | norm on file_path <:.*><:'\\'><OriginalFileName:string>

LP_Matrix Vulnerable Sources¶

Trigger Condition: Vulnerability scanner detects vulnerability related to Internet Explorer and Flash Player that relates to the Matrix Ransomware.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
cve_id="*CVE-2016-0189*" or cve_id="*CVE-2015-8651*" source_address=*

LP_MavInject Process Injection Detected¶

Trigger Condition: Process injection using the signed Windows tool Mavinject32.exe is detected.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Process Injection, Signed Binary Proxy Execution

ATT&CK ID: T1055, T1218

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="* /INJECTRUNNING *" -user IN EXCLUDED_USERS

LP_Maze Ransomware Connection to Malicious Domains¶

Trigger Condition: Maze Double Extortion ransomware-related domains is detected.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in MAZE_RANSOMWARE_DOMAINS

LP_Maze Ransomware Connection to Malicious Sources¶

Trigger Condition: Hosts make an outbound connection to Maze Double Extortion ransomware sources.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
(destination_address IN MAZE_RANSOMWARE_IPS OR source_address IN MAZE_RANSOMWARE_IPS) | process geoip(destination_address) as country

LP_Maze Ransomware Exploitable Vulnerabilities Detected¶

Trigger Condition: Vulnerability management detects presence of vulnerability linked to Maze Double Extortion Ransomware.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
norm_id=VulnerabilityManagement cve_id IN MAZE_RANSOMWARE_CVE

LP_Maze Ransomware Infected Host Detected¶

Trigger Condition: MAZE Double Extortion ransomware-infected host is detected.

ATT&CK Category: Impact

ATT&CK Tag: Data Encrypted for Impact

ATT&CK ID: T1486

Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon
Query:
host=* hash=* hash IN MAZE_RANSOMWARE_HASHES

LP_Meltdown and Spectre Vulnerabilities¶

Trigger Condition: Meltdown and Spectre vulnerabilities are detected in the system.

ATT&CK Category: Discovery

ATT&CK Tag: Software Discovery, Security Software Discovery

ATT&CK ID: T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
title=*spectre* or title=*meltdown* source_address=* | rename host as source_address | chart count() by source_address, severity, cve_id, solution order by count() desc

LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected¶

Trigger Condition: The use of getsystem Meterpreter or Cobalt Strike command to obtain SYSTEM privileges by detecting a specific service starting.

ATT&CK Category: Privilege Escalation

ATT&CK Tag: Access Token Manipulation

ATT&CK ID: T1134

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\services.exe" command IN ['*cmd* /c * echo *\pipe\*', '*%COMPSEC%* /c * echo *\pipe\*', '*rundll32*.dll,a*/p:*'] -command="*MpCmdRun*" -user IN EXCLUDED_USERS

LP_Microsoft ActiveX Control Code Execution Vulnerability Detected¶

Trigger Condition: Remote code execution in Microsoft ActiveX Control (CVE-2012-0158) is detected.

ATT&CK Category: Execution

ATT&CK Tag: Exploitation for Client Execution

ATT&CK ID: T1203

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label=Key label="Map" label=Registry target_object='*Software\Microsoft\Office*Resiliency' -user IN EXCLUDED_USERS

LP_Microsoft Binary Github Communication Detected¶

Trigger Condition: Executable accessing GitHub in the Windows folder is detected.

ATT&CK Category: Microsoft Build Engine Loading Credential Libraries

ATT&CK Tag: Ingress Tool Transfer

ATT&CK ID: T1105

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=3 initiated="true" destination_host IN ["*.github.com", "*.githubusercontent.com"] image="C:\Windows\*" -user IN EXCLUDED_USERS

LP_Microsoft DotNET Framework Remote Code Execution Detected¶

Trigger Condition: Remote code execution vulnerability (CVE-2017-8759) in Microsoft .NET Framework is detected.

ATT&CK Category: Execution

ATT&CK Tag: User Execution, Malicious File

ATT&CK ID: T1204, T1204.002

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label="Process" label=Create parent_image='*WINWORD.exe' parent_command='*.rtf*' image='*csc.exe' -user IN EXCLUDED_USERS

LP_Microsoft Office Memory Corruption Vulnerability CVE-2015-1641 Detected¶

Trigger Condition: The exploitation of memory corruption vulnerability (CVE-2015-1641) in Microsoft Office is detected.

ATT&CK Category: Execution

ATT&CK Tag: User Execution

ATT&CK ID: T1204

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label=Image label=Load source_image IN ['*WINWORD.exe', '*EXCEL.exe'] image='*MSVCR71.DLL' -user IN EXCLUDED_USERS

LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-0199 Detected¶

Trigger Condition: The exploitation of memory corruption vulnerability (CVE-2017-0199) in Microsoft Office is detected.

ATT&CK Category: Execution

ATT&CK Tag: User Execution

ATT&CK ID: T1204

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label=Network label=Connection image='*WINWORD.exe' destination_address IN MOST_EXPLOITABLE_IPS -user IN EXCLUDED_USERS

LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-11882 Detected¶

Trigger Condition: The exploitation of memory corruption vulnerability (CVE-2017-11882) in Microsoft Office is detected.

ATT&CK Category: Execution

ATT&CK Tag: User Execution

ATT&CK ID: T1204

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label="Process" label=Create parent_image='*EQNEDT32.EXE' parent_command='*EQNEDT32.EXE*-Embedding' image='*.exe' -user IN EXCLUDED_USERS

LP_Microsoft Office Product Spawning Windows Shell¶

Trigger Condition: When Windows command line executables started from Microsoft Word, Excel, Powerpoint, Publisher and Visio are detected. Adversaries can use phishing to deliver malicious office documents and lure victims into executing the malicious file and gaining initial access to the system.

ATT&CK Category: Execution

ATT&CK Tag: T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell, T1059.003 - Windows Command Shell, T1204.002 - Malicious File

Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
label="Process" label=Create parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\OUTLOOK.EXE","*\MSACCESS.EXE","*EQNEDT32.EXE", "*\Onenote.exe"]
"process" IN ["*\cmd.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\scrcons.exe", "*\schtasks.exe", "*\regsvr32.exe", "*\hh.exe", "*\wmic.exe", "*\mshta.exe", "*\rundll32.exe", "*\msiexec.exe", "*\forfiles.exe", "*\scriptrunner.exe", "*\mftrace.exe", "*\AppVLP.exe", "*\svchost.exe","*\msbuild.exe"]

LP_Mimikatz Command Line Detected¶

Trigger Condition: mimikatz command line argument is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 command IN ["*DumpCreds*", "*Invoke-Mimikatz*", "*rpc::*", "*token::*", "*crypto::*", "*dpapi::*", "*sekurlsa::*", "*kerberos::*", "*lsadump::*", "*privilege::*", "*process::*", "*misc::aadcookie*", "*misc::detours*", "*misc::memssp*", "*misc::mflt*", "*misc::ncroutemon*", "*misc::ngcsign*", "*misc::printnightmare*", "*misc::skeleton*", "*service::preshutdown*", "*ts::mstsc*", "*ts::multirdp*"] -user IN EXCLUDED_USERS

LP_Mitre - Initial Access - Hardware Addition - Removable Storage Connected¶

Trigger Condition: Removable storage is connected.

ATT&CK Category: Initial Access

ATT&CK Tag: Hardware Additions

ATT&CK ID: T1200

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer* event_id=2003 event_source="Microsoft-Windows-DriverFrameworks-UserMode/Operational" -user IN EXCLUDED_USERS

LP_Mitre - Initial Access - Valid Accounts - Impossible Travel¶

Trigger Condition: A user logs in from more than one GeoIP location.

ATT&CK Category: Initial Access

ATT&CK Tag: Valid Accounts

ATT&CK ID: T1078

Minimum Log Source Requirement: Windows
Query:
label=User label=Login source_address=* | process geoip(source_address) as country | chart distinct_count(country) as DC, distinct_list(country) as countries by user | search countries>1

LP_Mitre - Initial Access - Valid Accounts - Inactive User Accounts¶

Trigger Condition: User accounts are inactive for more than 30 days.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Valid Accounts

ATT&CK ID: T1078

Minimum Log Source Requirement: Windows
Query:
table AD_Users -lastLogon=0 lastLogon=* | process current_time(a) as time| chart max((time- (lastLogon/10000000 - 11644473600))/60/60/24) as number_of_days by sAMAccountName | search number_of_days>29

LP_Mitre Command and Control Using Uncommonly used Port Detected¶

Trigger Condition: Command and Control activity using uncommonly used ports is detected.

ATT&CK Category: Command and Control

ATT&CK Tag: Non-Standard Port

ATT&CK ID: T1571

Minimum Log Source Requirement: Proxy Server
Query:
norm_id=*Proxy* source_address=* destination_address=* destination_port IN COMMON_PORTS | process ti(destination_address)| rename et_category as ti_category | process eval("attack_class='Command and Control'")| process eval("technique='Commonly Used Port'") | search ti_category="*Command and Control*"

LP_Mitre Credential Access Using Credentials from Web Browsers Detected¶

Trigger Condition: Credential Access is detected using credentials from password stores and credentials from web browsers.

ATT&CK Category: Credential Access

ATT&CK Tag: Credentials from Password Stores, Credentials from Web Browsers

ATT&CK ID: T1555, T1555.003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label=Object label=Access label=File "process"="*wsus.exe" (path="*firefox*" OR path="*chrome*") -user IN EXCLUDED_USERS | process eval("attack_class='Credential Access'")| process eval("technique='Credentials from Web Browsers'") | chart count() by user, domain, host, log_ts, path, file, attack_class, technique order by count() desc limit 10

LP_Mitre Credential Access Using Credentials in File Detected¶

Trigger Condition: Credential Access using attack technique Credentials in File is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Credentials in Files

ATT&CK ID: T1552, T1552.001

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create (commandline="*laZagne*.exe*" OR command="*laZagne*.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Credential Access'")| process eval("technique='Credentials in File'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Credential Access Using Input Capture Detected¶

Trigger Condition: Credential Access using attack technique Input Capture is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Input Capture

ATT&CK ID: T1056

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label=Set label=Registry image="*keylogger_directx.exe" -user IN EXCLUDED_USERS| process eval("attack_class='Credential Access'")| process eval("technique='Input Capture'") | rename commandline as command | chart count() by user, host, domain, log_ts, image, attack_class, technique order by count() desc limit 10

LP_Mitre Defense Evasion Using Decode Files or Information Detected¶

Trigger Condition: Defense evasion uses decode files or information.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Deobfuscate/Decode Files or Information

ATT&CK ID: T1140

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WinServer label="Process" label=Create (command="*certutil.exe*" OR commandline="*certutil.exe*") -user IN EXCLUDED_USERS| process eval("attack_class='Defense Evasion'")| process eval("technique='Deobfuscate/Decode Files or Information'")| rename commandline as command

LP_Mitre Defense Evasion Using File Deletion Detected¶

Trigger Condition: Defense evasion uses file deletion technique.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Data Destruction, Indicator Removal on Host, File Deletion

ATT&CK ID: T1485, T1070, T1070.004

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label=Object label=Access access="*delete*" (relative_target="*.exe" OR relative_target="*.bat") -user IN EXCLUDED_USERS | process eval("attack_class='Defense Evasion'")| process eval("technique='File Deletion'") | rename relative_target as file

LP_Mitre Discovery Using Account Discovery Detected¶

Trigger Condition: An attack Discovery uses an attack technique Account Discovery.

ATT&CK Category: Discovery

ATT&CK Tag: Account Discovery

ATT&CK ID: T1087

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create (commandline="*dsquery*" OR command="*dsquery*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Account Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using File and Directory Discovery Detected¶

Trigger Condition: Discovery uses an attack technique File and Directory Discovery.
ATT&CK Category: Discovery
ATT&CK Tag: File and Directory Discovery
ATT&CK ID: T1083
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer label="Process" label=Create -commandline="*findstr*" (commandline="*cmd.exe*dir *" OR commandline="*tree.com*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='File and Directory Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using Network Service Scanning Detected¶

Trigger Condition: Discovery uses an attack technique Network Service Scanning.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer label="Process" label=Create (commandline="*nmap*" OR commandline="*RpcPing.exe*" OR commandline="*telnet.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Network Service Scanning'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using Network Sniffing Detected¶

Trigger Condition: Discovery uses an attack technique Network Sniffing.

ATT&CK Category: Credential Access

ATT&CK Tag: Network Sniffing

ATT&CK ID: T1040

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create commandline="*tshark.exe*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Network Sniffing'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using Password Policy Discovery Detected¶

Trigger Condition: Discovery uses an attack technique Password Policy Discovery.

ATT&CK Category: Discovery

ATT&CK Tag: Password Policy Discovery

ATT&CK ID: T1201

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create commandline="*net.exe* accounts*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Password Policy Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using Permission Groups Discovery Detected¶

Trigger Condition: Discovery uses an attack technique Permission Groups Discovery.
ATT&CK Category: Discovery
ATT&CK Tag: Permission Groups Discovery
ATT&CK ID: T1069
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer label="Process" label=Create (command="*net*localgroup*" OR command="*net*group*" OR command="*get*localgroup*" OR commandline="*net*localgroup*" OR commandline="*net*group*" OR commandline="*get*localgroup*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Permission Groups Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using Query Registry Detected¶

Trigger Condition: Discovery uses an attack technique Query Registry.

ATT&CK Category: Discovery

ATT&CK Tag: Query Registry

ATT&CK ID: T1012

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create commandline="*reg query*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Query Registry'")| rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using Security Software Discovery Detected¶

Trigger Condition: Discovery uses an attack techniques Software Discovery and Security Software Discovery.

ATT&CK Category: Discovery

ATT&CK Tag: Software Discovery, Security Software Discovery

ATT&CK ID: T1518, T1518.001

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create (commandline="*findstr.exe*virus" OR commandline="*findstr.exe*cylance" OR commandline="*findstr.exe*defender" OR commandline="*findstr.exe*cb") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Security Software Discovery'") | rename commandline as command |
chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using System Information Discovery Detected¶

Trigger Condition: Discovery uses an attack technique System Information Discovery.

ATT&CK Category: Discovery

ATT&CK Tag: System Information Discovery

ATT&CK ID: T1082

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create commandline="*net.exe*config*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Information Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using System Network Configuration Discovery Detected¶

Trigger Condition: Discovery uses an attack technique System Network Configuration Discovery.
ATT&CK Category: Discovery
ATT&CK Tag: System Network Configuration Discovery
ATT&CK ID: T1016
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer label="Process" label=Create (commandline="*ipconfig.exe*" OR commandline="*route.exe*" OR commandline="*netsh advfirewall*" OR commandline="*arp.exe*" OR commandline="*nbtstat.exe*" OR commandline="*netsh.exe*interface show" OR commandline="*net*config") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Network Configuration Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using System Network Connections Discovery Detected¶

Trigger Condition: Discovery uses an attack technique System Network Connections Discovery.

ATT&CK Category: Discovery

ATT&CK Tag: System Network Connections Discovery

ATT&CK ID: T1049

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create (commandline="*netstat*" OR commandline="*net.exe*use" OR commandline="*net.exe*sessions*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Network Connections Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using System Owner or User Discovery Detected¶

Trigger Condition: Discovery uses an attack technique System Owner or User Discovery.
ATT&CK Category: Discovery
ATT&CK Tag: System Owner/User Discovery
ATT&CK ID: T1033
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer label="Process" label=Create (commandline="*whoami*" OR commandline="*quser*" OR commandline="*wmic.exe*useraccount get*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Owner/User Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Discovery Using System Service Discovery Detected¶

Trigger Condition: Discovery uses an attack technique System Service Discovery.

ATT&CK Category: Discovery

ATT&CK Tag: System Service Discovery

ATT&CK ID: T1007

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create (commandline="*net.exe*start*" OR commandline="*tasklist.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Service Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

LP_Mitre Exfiltration Over Alternative Protocol Detected¶

Trigger Condition: LogPoint detects exfiltration of data over alternative protocol.

ATT&CK Category: Exfiltration

ATT&CK Tag: Exfiltration Over Alternative Protocol Detected

ATT&CK ID: T1048

Minimum Log Source Requirement: Proxy Server
Query:
norm_id=*Proxy* source_address=* destination_address=* destination_address IN CLOUD_APPLICATION_IP | process eval("attack_class='Exfiltration'")| process eval("technique='Exfiltration Over Alternative Protocol'")

LP_Mitre Lateral Movement Using Remote Services Detected¶

Trigger Condition: Lateral Movement uses an attack technique Remote Services.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Exploitation of Remote Services

ATT&CK ID: T1210

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=7045 start_type="auto start" service="remotesvc" -user IN EXCLUDED_USERS | process eval("attack_class='Lateral Movement'")| process eval("technique='Remote Services'") | chart count() by user, image, log_ts, service, service_type, attack_class, technique order by count() desc limit 10

LP_Mitre Persistence Attack through Accessibility Process Feature¶

Trigger Condition: An OS’s accessibility features are used adversely to get a command prompt or backdoor without logging in to the system.

ATT&CK Category: Persistence

ATT&CK Tag: Event Triggered Execution, Accessibility Features

ATT&CK ID: T1546, T1546.008

Minimum Log Source Requirement: Windows
Query:
(label="Process" label=Create "process" IN PERSISTENCE_ACCESSIBILITY_PROCESS) OR (parent_image IN PERSISTENCE_ACCESSIBILITY_PROCESS) OR (target_object IN PERSISTENCE_ACCESSIBILITY_OBJECT) -user IN EXCLUDED_USERS

LP_Mitre Persistence Attack through AppInit DLLs¶

Trigger Condition: Suspicious AppInit_DLL functionality is detected in an environment that could be a persistence attack.

ATT&CK Category: Persistence

ATT&CK Tag: Event Triggered Execution, AppInit DLLs

ATT&CK ID: T1546, T1546.01

Minimum Log Source Requirement: Windows Sysmon
Query:
(target_object="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" OR target_object="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs")

LP_Mitre Persistence Using Account Creation Detected¶

Trigger Condition: The creation of an account with persistence is detected.

ATT&CK Category: Persistence

ATT&CK Tag: Account Manipulation

ATT&CK ID: T1098

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create commandline="*net*/add /y" -user IN EXCLUDED_USERS | process eval("attack_class='Persistence'")| process eval("technique='Create Account'") | rename commandline as command

LP_Mitre Persistence Using Account Manipulation Detected¶

Trigger Condition: Persistence uses an attack technique Account Manipulation.

ATT&CK Category: Persistence

ATT&CK Tag: Account Manipulation

ATT&CK ID: T1098

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer label="Process" label=Create commandline="*net.exe*localgroup*/add" -user IN EXCLUDED_USERS | process eval("attack_class='Persistence'")| process eval("technique='Account Manipulation'") | rename commandline as command

LP_Mitre Persistence via Winlogon Helper DLL Detected¶

Trigger Condition: Modifications in Winlogon registry keys are detected.

ATT&CK Category: Execution

ATT&CK Tag: Boot or Logon Autostart Execution, Winlogon Helper DLL

ATT&CK ID: T1547, T1547.004

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4657 object=Winlogon event_category=Registry path="*Windows NT\CurrentVersion*" new_value=* -user IN EXCLUDED_USERS

LP_Mitre Possible Privilege Escalation using Application Shimming¶

Trigger Condition: Installation or registration of shim databases to escalate privilege in an environment is detected.

ATT&CK Category: Privilege Escalation

ATT&CK Tag: Event Triggered Execution, Application Shimming

ATT&CK ID: T1546, T1546.011

Minimum Log Source Requirement: Windows
Query:
('process'=*sdbinst.exe OR image=*sdbinst.exe OR target_object IN APPLICATION_SHIM_OBJECTS) | rename 'process' as image

LP_Mitre Privilege Escalation Using Bypass User Access Control Detected¶

Trigger Condition: Privilege Escalation using Abuse Elevation Control Mechanism or Bypass User Access Control is detected.

ATT&CK Category: Privilege Escalation

ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control

ATT&CK ID: T1548

Minimum Log Source Requirement: Windows Sysmon
Query:
(norm_id=WindowsSysmon OR (commandline=* norm_id=WinServer)) label="Process" label=Create (command="*eventvwr.exe*" OR commandline="*eventvwr.exe*" OR command="*wscript.exe*" OR commandline="*wscript.exe*" OR token_elevation_type="TokenElevationTypeLimited*") -user IN EXCLUDED_USERS | process eval("attack_class='Privilege Escalation'")| process eval("technique='Bypass User Access Control'") | rename commandline as command

LP_MMC Spawning Windows Shell Detected¶

Trigger Condition: Windows command line executable starting from MMC is detected.

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Command and Scripting Interpreter, Indirect Command Execution

ATT&CK ID: T1059, T1202

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\mmc.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\reg.exe", "*\regsvr32.exe", "*\BITSADMIN*"] -user IN EXCLUDED_USERS

LP_Most Exploitable Vulnerabilities Detected¶

Trigger Condition: The most exploitable vulnerabilities from 2015 are detected in a network. For this alert to work, MOST_EXPLOITABLE_CVE must be updated with the list of exploitable vulnerabilities.

ATT&CK Category: Discovery

ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1518, T1518.001

Minimum Log Source Requirement: Vulnerability Management
Query:
norm_id=VulnerabilityManagement cve_id IN MOST_EXPLOITABLE_CVE

LP_MS Office Product Spawning Exe in User Dir¶

Trigger Condition: An executable in the users directory from Microsoft Word, Excel, Powerpoint, Publisher, or Visio is detected.

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Command-Line Interface, Indirect Command Execution

ATT&CK ID: T1059, T1202

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\OUTLOOK.EXE"] image IN ["C:\users\*.exe"] -user IN EXCLUDED_USERS

LP_MSHTA - File Access Detected¶

Trigger Condition: Creation of a file with .hta extension. Adversaries abuse mshta.exe for proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=11 or event_id=15) file="*.hta*" -user IN EXCLUDED_USERS

LP_MSHTA - Network Detected¶

Trigger Condition: LogPoint detects network connection events initiated by mshta.exe. Adversaries abuse mshta.exe for proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=3 (command="*mshta.exe" or parent_command="*mshta.exe") -user IN EXCLUDED_USERS

LP_MSHTA - Process Detected¶

Trigger Condition: The execution of mshta.exe to create a malicious process. Adversaries abuse mshta.exe to proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (command="*mshta.exe" or parent_command="*mshta.exe") -user IN EXCLUDED_USERS

LP_Mshta JavaScript Execution Detected¶

Trigger Condition: The mshta.exe command is detected.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\mshta.exe" command="*javascript*" -user IN EXCLUDED_USERS

LP_MSHTA Spawning Windows Shell Detected¶

Trigger Condition: Windows command line executable started from MSHTA is detected.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\mshta.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\reg.exe", "*\regsvr32.exe", "*\BITSADMIN*"] -user IN EXCLUDED_USERS

LP_MSHTA Spwaned by SVCHOST Detected¶

Trigger Condition: mshta.exe spawned by SVCHOST observed in LethalHTA is detected.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\svchost.exe" image="*\mshta.exe" -user IN EXCLUDED_USERS

LP_MSHTA Suspicious Execution Detected¶

Trigger Condition: mshta.exe suspicious execution patterns sometimes involving file polyglotism is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Deobfuscate/Decode Files or Information

ATT&CK ID: T1140

Minimum Log Source Requirement: Windows Sysmon
Query:
event_id=1 image="*\mshta.exe" command IN ["*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"] -user IN EXCLUDED_USERS

LP_MsiExec Web Install Detected¶

Trigger Condition: The msiexec process starts with the web address as a parameter.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution, Msiexec

ATT&CK ID: T1218, T1218.007

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="* msiexec*://*" -user IN EXCLUDED_USERS

LP_MSTSC Shadowing Detected¶

Trigger Condition: Hijacking of RDP session using MSTSC shadowing is detected.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote Service Session Hijacking, RDP Hijacking

ATT&CK ID: T1563, T1563.002

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*noconsentprompt*" command="*shadow:*" -user IN EXCLUDED_USERS

LP_Multiple Failed Login Followed by Successful Login Followed by Logoff¶

Trigger Condition: Multiple failed login attempts are followed by successful login, and then by log off from the same user are detected.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access

ATT&CK Tag: Valid Accounts, Brute Force

ATT&CK ID: T1078, T1110

Minimum Log Source Requirement: Windows
Query:
[incident_name="Multiple Failed User Login Followed by Successful Login" incident_user=*] as FirstAlert followed by [norm_id=WinServer* label=User label=Logoff user=* -user IN EXCLUDED_USERS] as Logoff on FirstAlert.incident_user=Logoff.user | rename Logoff.user as User, FirstAlert.incident_address as SourceAddress

LP_Mustang Panda Dropper Detected¶

Trigger Condition: Specific process parameters used by Mustang Panda droppers are detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Exploitation for Defense Evasion

ATT&CK ID: T1211

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (command IN ["*Temp\wtask.exe /create*", "*%windir:~-3, 1%%PUBLIC:~-9, 1%*", "*/E:vbscript * C:\Users\*.txt* /F", "*/tn *Security Script *", "*%windir:~-1, 1%*"]) OR (image IN ["*Temp\winwsh.exe"]) -user IN EXCLUDED_USERS

LP_Named Pipe added to Null Session Detected¶

Trigger Condition: Lateral Movement attempt by enabling of null session through named pipe is detected.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote Services

ATT&CK ID: T1021

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=13 image="*reg.exe" target_object="*lanmanserver*NullSessionPipes" detail="Binary Data" -user IN EXCLUDED_USERS

LP_Narrators Feedback-Hub Persistence Detected¶

Trigger Condition: Abusing Windows 10 Narrator’s Feedback-Hub is detected.

ATT&CK Category: Persistence

ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

ATT&CK ID: T1547, T1547.001

Minimum Log Source Requirement: Windows Sysmon
Query:
(event_id=12 event_type="DeleteValue" target_object="*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute") OR (event_id=13 target_object="*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)")

LP_Nefilim Ransomware Infected Host Detected¶

Trigger Condition: Nefilim double extortion ransomware-infected host is detected.

ATT&CK Category: Impact

ATT&CK Tag: Data Encrypted for Impact

ATT&CK ID: T1486

Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon
Query:
host=* hash=* hash IN NEFILIM_RANSOMWARE_HASHES

LP_Net exe Execution Detected¶

Trigger Condition: The execution of Net.exe, which can be suspicious or benign, is detected.

ATT&CK Category: Lateral Movement, Discovery, Defense Evasion

ATT&CK Tag: Obfuscated Files or Information, System Network Connections Discovery, Remote Services, Network Share Discovery

ATT&CK ID: T1027, T1049, T1021, T1135

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image IN ["*\net.exe", "*\net1.exe"] command IN ["* group*", "* localgroup*", "* user*", "* view*", "* share", "* accounts*", "* use*", "* stop *"] -user IN EXCLUDED_USERS

LP_Net exe User Account Creation¶

Trigger Condition: The creation of local users via the net.exe command is detected.

ATT&CK Category: Persistence, Credential Access

ATT&CK Tag: Create Account

ATT&CK ID: T1136

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image IN ["*\net.exe", "*\net1.exe"] command="*user*" command="*add*" -user IN EXCLUDED_USERS

LP_NetNTLM Downgrade Attack Detected¶

Trigger Condition: When post-exploitation using NetNTLM downgrade attacks are detected. NetNTLM is a proprietary authentication protocol used by Microsoft Windows. Adversaries may use a downgrade attack to force the use of a weaker version of the protocol, allowing them to intercept and crack the password hashes used for authentication. This can allow the adversary to gain unauthorized access to the system.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Disable or Modify Tools, Modify Registry

ATT&CK ID: T1562, T1562.001, T1112

Minimum Log Source Requirement: Windows
Query:
(event_id=13 target_object IN ["*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel", "*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec", "*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic"]) OR (norm_id=WinServer event_id=4657 object_name="\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa" object_value IN ["LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic"]) -user IN EXCLUDED_USERS

LP_Firewall Addition via Netsh Detected¶

Trigger Condition: A connection is allowed by port or application on Windows firewall.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Impair Defenses, Disable or Modify System Firewall

ATT&CK ID: T1562, T1562.004

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*netsh firewall add*"] -user IN EXCLUDED_USERS

LP_Netsh Helper DLL - Process Detected¶

Trigger Condition: Adversaries use Netshell helper DLLs to execute arbitrary code persistently. Netsh.exe is a command-line scripting utility used to interact with the network configuration of a system.

ATT&CK Category: Persistence

ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

ATT&CK ID: T1546, T1546.007

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*netsh.exe" command="*helper*") -user IN EXCLUDED_USERS

LP_Netsh Helper DLL - Registry Detected¶

Trigger Condition: Windows registry at HKLMSOFTWAREMicrosoftNetsh is detected. HKLMSOFTWAREMicrosoftNetsh is a path to registered netsh.exe helper DLLs.

ATT&CK Category: Persistence

ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

ATT&CK ID: T1546, T1546.007

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\SOFTWARE\Microsoft\Netsh\*" -user IN EXCLUDED_USERS

LP_Netsh Port Forwarding Detected¶

Trigger Condition: The netsh command used in the configuration of port forwarding is detected.

ATT&CK Category: Persistence

ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

ATT&CK ID: T1546, T1546.007

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="netsh interface portproxy add v4tov4 *" -user IN EXCLUDED_USERS

LP_Netsh RDP Port Forwarding Detected¶

Trigger Condition: The netsh command used in the configuration of port forwarding of port 3389 for RDP is detected.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote Services

ATT&CK ID: T1021

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["netsh i* p*=3389 c*"] -user IN EXCLUDED_USERS

LP_Network Sniffing Detected¶

Trigger Condition: When the execution of network sniffing tools is detected. Adversaries may use network sniffing to intercept sensitive information, such as passwords or confidential data, as it is transmitted over the network. They may also use sniffing to gain visibility into network traffic and identify vulnerabilities or weaknesses.

ATT&CK Category: Credential Access, Discovery

ATT&CK Tag: Network Sniffing

ATT&CK ID: T1040

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*tshark.exe" or image="*windump.exe" or image="*logman.exe" or image="*tcpdump.exe" or image="*wprui.exe" or image="*wpr.exe") -user IN EXCLUDED_USERS

LP_New Driver File Creation Detected¶

Trigger Condition: Creation of a new driver file.

ATT&CK Category: Execution

ATT&CK Tag: Shared Modules

ATT&CK ID: T1129

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 path="C:\Windows*Drivers*" -user IN EXCLUDED_USERS

LP_New Firewall Port Opening Detected¶

Trigger Condition: An opening of a new port in a firewall is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Non-Standard Port
ATT&CK ID: T1571
Minimum Log Source Requirement: Windows

Query:

norm_id=WinServer event_id=4657 object=FirewallRules event_category=Registry object_name="*ControlSet*FirewallPolicy\FirewallRules" new_value=* -user IN EXCLUDED_USERS | norm on new_value <:all>Action=<action:word><:all>Active=<active:word><:all>Dir=<direction:word><:all>Protocol=<proto:int><:all>Port=<port:int><:all>Name=<rule:string><:'\|'> | process eval("protocol = if(proto == 6) {return 'TCP'} else {return 'UDP'}")

LP_New RUN Key Pointing to Suspicious Folder Detected¶

Trigger Condition: A new suspicious RUN key element pointing to an executable in a folder is detected.

ATT&CK Category: Persistence

ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

ATT&CK ID: T1547, T1547.001

Minimum Log Source Requirement: Windows Sysmon
Query:
event_id=13 target_object IN ["*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*", "*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*"] detail IN ["*C:\Windows\Temp\*", "*\AppData\*", "%AppData%\*", "*C:\$Recycle.bin\*", "*C:\Temp\*", "*C:\Users\Public\*", "%Public%\*", "*C:\Users\Default\*", "*C:\Users\Desktop\*", "wscript*", "cscript*"] -detail IN ["*\AppData\Local\Microsoft\OneDrive\\*"] -user IN EXCLUDED_USERS

LP_New Service Creation¶

Trigger Condition: When the creation of a new service is detected. Windows Services can allow the creation and management of long-running processes. It can start automatically and keep running for a long time after the user logs off. Adversaries might leverage this functionality to maintain persistence and escalate their privilege.

ATT&CK Category: Persistence, Privilege Escalation

ATT&CK Tag: T1543 - Create or Modify System Process (2), T1543.003 - Windows Service (2)

Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
label="Create" label="Process" "process" IN ["*sc.exe", "*powershell.exe", "*cmd.exe"] command IN ["*New-Service*BinaryPathName*", "*sc*create*binpath*", "*Get-WmiObject*Win32_Service*create*"] -user IN EXCLUDED_USERS

LP_Non Interactive PowerShell Execution¶

Trigger Condition: Non-interactive Command and Scripting Interpreter and PowerShell activity by looking at powershell.exe with no explorer.exe as a parent.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_Image="*\explorer.exe" -user IN EXCLUDED_USERS

LP_NoPowerShell Tool Activity Detected¶

Trigger Condition: Execution of NoCommand and Scripting Interpreter and PowerShell tool.

ATT&CK Category: Execution

ATT&CK Tag: Shared Modules

ATT&CK ID: T1129

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 -file in ["*cscript.exe.log", "*wscript.exe.log", "*wmic.exe.log", "*mshta.exe.log", "*svchost.exe.log", "*regsvr32.exe.log", "*rundll32.exe.log"] file="*.exe.log" -user IN EXCLUDED_USERS

LP_NotPetya Ransomware Activity Detected¶

Trigger Condition: NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe is detected. The file system journal of drive C is deleted, and window event logs are cleared using wevtutil.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution, Rundll32, Indicator Removal on Host

ATT&CK ID: T1218, T1218.011, T1070

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (command="*\AppData\Local\Temp\* \.\pipe\*" OR (image="*\rundll32.exe" command="*.dat, #1")) -user IN EXCLUDED_USERS

LP_OceanLotus Registry Activity Detected¶

Trigger Condition: Creation of registry keys in OceanLotus attacks, which is also known as APT32.
ATT&CK Category: Persistence, Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon

Query:

event_id=13 target_object IN ["HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model", "HKU\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model",
"*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application",
"*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon","*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application",
"*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon",
"*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application", "*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon",
"HKU\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\*", "HKU\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\*",
"HKU\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\*"]
-user IN EXCLUDED_USERS

LP_Office365 Multiple Failed Login from Different Host by Single User¶

Trigger Condition: A user attempts multiple failed logins from distinct hosts with a count greater than one.

ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access

ATT&CK Tag: Brute Force, Valid Accounts

ATT&CK ID: T1110, T1078

Minimum Log Source Requirement: Office365
Query:
norm_id="Office365" source_address=* label=User label=Login label=Fail | chart distinct_count(source_address) as DC by user | search DC>1

LP_Office365 Multiple Failed Login from Same Host¶

Trigger Condition: Multiple failed logins from the same host with a count greater than five.

ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access

ATT&CK Tag: Brute Force, Valid Accounts

ATT&CK ID: T1110, T1078

Minimum Log Source Requirement: Office365
Query:
norm_id="Office365" source_address=* label=User label=Login label=Fail | chart count() as"Cnt" by user, source_address| search Cnt > 5

LP_Office365 Multiple Successful Login from Different Country by Single User¶

Trigger Condition: A user attempts multiple failed logins from different countries with a count greater than one.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Valid Accounts

ATT&CK ID: T1078

Minimum Log Source Requirement: Office365
Query:
norm_id="Office365" label=User label=login label=Successful source_address=* | process geoip(source_address) as country |chart distinct_count(country) as DC by user| search DC >1

LP_Office365 Multiple Successful Login From Different Host by Single User¶

Trigger Condition: A user attempts multiple successful logins from a distinct host with a count greater than one.

ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

ATT&CK Tag: Valid Accounts

ATT&CK ID: T1078

Minimum Log Source Requirement: Office365
Query:
norm_id="Office365" label=User label=login label=Successful source_address=* | chart distinct_count(source_address) as DC by user |search DC >1

LP_Office365 Password Resets¶

Trigger Condition: A user’s password is reset.

ATT&CK Category: Persistence

ATT&CK Tag: Account Manipulation

ATT&CK ID: T1098

Minimum Log Source Requirement: Office365
Query:
norm_id="Office365" label=Password label=Reset user=*

LP_OpenWith Execution of Specified Binary Detected¶

Trigger Condition: The execution of OpenWith.exe is detected as a specified binary. It characterized as a malicious activity when executed from a location other than C:WindowsSystem32* path.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution

ATT&CK ID: T1218

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\OpenWith.exe" command="*/c*" -user IN EXCLUDED_USERS

LP_Possible Operation Wocao Activity Detected¶

Trigger Condition: Activity mentioned in Operation Wocao report is detected.

ATT&CK Category: Defense Evasion,Execution, Persistence, Privilege Escalation

ATT&CK Tag: Exploitation for Defense Evasion, Obfuscated Files or Information, Masquerade Task or Service, Masquerading, Scheduled Task/Job, Scheduled Task

ATT&CK ID: T1211, T1012, T1036, T1036.004, T1053, T1053.005

Minimum Log Source Requirement: Windows Sysmon
Query:
((norm_id=WinServer event_id=4799 group="Administrators" "process"="*\checkadmin.exe") OR (norm_id=WindowsSysmon event_id=1 command IN ["*checkadmin.exe 127.0.0.1 -all*", "*netsh advfirewall firewall add rule name=powershell dir=in*", "*cmd /c powershell.exe -ep bypass -file c:\s.ps1*", "*/tn win32times /f*", "*create win32times binPath=*", "*\c$\windows\system32\devmgr.dll*", "* -exec bypass -enc JgAg*", "*type *keepass\KeePass.config.xml*", "*iie.exe iie.txt*", "*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*"])) -user IN EXCLUDED_USERS

LP_Pandemic Registry Key Detected¶

Trigger Condition: LogPoint detects pandemic Windows implant. It turns file servers into patient zero on a local network, infecting machines requesting files with trojanized replacements.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote File Copy

ATT&CK ID: T1105

Minimum Log Source Requirement: Windows Sysmon
Query:
(event_id=13 target_object IN ["HKLM\SYSTEM\CurrentControlSet\services\null\Instance*"]) OR (event_id=1 command="loaddll -a *")

LP_Password Change on DSRM Account Detected¶

Trigger Condition: Password change in Directory Service Restore Mode (DSRM) account is detected.

ATT&CK Category: Persistence, Privilege Escalation

ATT&CK Tag: Account Manipulation

ATT&CK ID: T1098

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4794 -user IN EXCLUDED_USERS

LP_Password Dumper Remote Thread in LSASS¶

Trigger Condition: Password dumper activity by monitoring remote thread creation event ID 8 in combination with the lsass.exe process as TargetImage is detected. The process in the field Process is a malicious program and a single execution can lead to hundreds of events.

ATT&CK Category: Credential Access

ATT&CK Tag: Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=8 image="C:\Windows\System32\lsass.exe" -start_module=* -user IN EXCLUDED_USERS

LP_Password Spraying Attack Detected¶

Trigger Condition: Password spraying attack is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Brute Force

ATT&CK ID: T1110

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4625 -user IN EXCLUDED_USERS -user IN EXCLUDED_USERS | chart distinct_count(user) as UserCount, distinct_list(user) as Users by source_address | search UserCount > 5

LP_Persistence and Execution at Scale via GPO Scheduled Task¶

Trigger Condition: Lateral movement using GPO scheduled task used to deploy ransomware at scale is detected.

ATT&CK Category: Persistence, Lateral Movement, Execution, Privilege Escalation

ATT&CK Tag: Scheduled Task/Job, Scheduled Task

ATT&CK ID: T1053, T1053.005

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=5145 share_name="\*\SYSVOL" relative_target="*ScheduledTasks.xml" access="*WriteData*" -user IN EXCLUDED_USERS

LP_Petya Affected Hosts¶

Trigger Condition: Applications and commands like wevtutil,wmic,rundll,or schtasks are executed for defense evasion. For this alert to work, you must update the list PETYA_COMMAND.

ATT&CK Category: Discovery, Defense Evasion

ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

ATT&CK ID: T1046, T1211, T1518, T1518.001

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer* event_id=106 event_source="Microsoft-Windows-TaskScheduler" task IN PETYA_COMMAND -user IN EXCLUDED_USERS

LP_Petya Compromised Files¶

Trigger Condition: A file with IOC’s of Petya file digest value is detected.

ATT&CK Category: Impact

ATT&CK Tag: Data Encrypted for Impact, Data Destruction, Proxy

ATT&CK ID: T1486, T1485, T1090

Minimum Log Source Requirement: Integrity Scanner
Query:
norm_id=IntegrityScanner digest IN PETYA_DIGEST OR prev_digest IN PETYA_DIGEST path=*

LP_Ping Hex IP Detected¶

Trigger Condition: Ping command using a hex-encoded IP address is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Deobfuscate/Decode Files or Information, Obfuscated Files or Information

ATT&CK ID: T1140, T1027

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*\ping.exe 0x*", "*\ping 0x*"] -user IN EXCLUDED_USERS

LP_Ping of Death Attack¶

Trigger Condition: Datagrams with a size greater than 65536 are received.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service, Direct Network Flood

ATT&CK ID: -

Minimum Log Source Requirement: Windows Sysmon
Query:
label=Receive label=Packet (packet_length>65536 or fragment_length>65536)

LP_Possible Account Misuse-Abnormal Login¶

Trigger Condition: Admin is logged in or running an application beyond regular office hours is detected.

ATT&CK Category: Initial Access, Privilege Escalation, Defense Evasion, Persistence

ATT&CK Tag: Valid Accounts

ATT&CK ID: T1078

Minimum Log Source Requirement: Windows
Query:
(label=User label=Login label=Successful user in ADMINS ((day_of_week(log_ts) IN ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]) and (hour(log_ts)<9 or hour(log_ts)>17)) or (day_of_week(log_ts) IN ["Saturday", "Sunday"] )) or (label=User label=Login label=Successful sub_status_code="0xC000006F") user=* (workstation=* or source_address=*)

LP_Possible Account Misuse-Privilege Escalation¶

Trigger Condition: The non-admin users are assigned privileged access. The event maps to event ID of 4648 and 4672 in Windows.

ATT&CK Category: Privilege Escalation, Persistence, Defense Evasion

ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Account Control

ATT&CK ID: -

Minimum Log Source Requirement: Windows
Query:
((label=Privilege label=Assign) or (label=Login label=Explicit label=Credential) user=* -user in ADMINS) OR (label=User label=Add label=Group user=* group=*admin*)

LP_Possible Applocker Bypass Detected¶

Trigger Condition: The execution of executables like msdt,installutil,regsvcs,regasm,or msbuild.ieexec is detected, which is used to bypass Applocker whitelisting.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Signed Binary Proxy Execution, Mshta, InstallUtil, Regsvcs/Regasm, Trusted Developer Utilities

ATT&CK ID: T1218, T1218.004, T1218.009, T1127, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*\msdt.exe*", "*\installutil.exe*", "*\regsvcs.exe*", "*\regasm.exe*", "*\msbuild.exe*", "*\ieexec.exe*"] -user IN EXCLUDED_USERS

LP_Possible Baby Shark Activity Detected¶

Trigger Condition: LogPoint detects activity related to Baby Shark malware involving access to registry keys of terminal server client, execution of mshta via powershell, and task kill of cmd.exe.

ATT&CK Category: Execution, Discovery, Defense Evasion

ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Query Registry, Signed Binary Proxy Execution, Mshta

ATT&CK ID: T1059, T1059.001, T1012, T1218, T1218.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["reg query *HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default*", "powershell.exe mshta.exe http*", "cmd.exe /c taskkill /im cmd.exe"] -user IN EXCLUDED_USERS

LP_Possible Bitsadmin Download Detected¶

Trigger Condition: The use of bitsadmin downloading a file is detected.

ATT&CK Category: Defense Evasion, Persistence

ATT&CK Tag: BITS Jobs

ATT&CK ID: T1197

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\bitsadmin.exe" (command="* /transfer *" OR command="*copy bitsadmin.exe*") -user IN EXCLUDED_USERS

LP_Possible Botnet Connection-DNS Server Modified¶

Trigger Condition: An unauthorized default Application Layer Protocol and DNS server modification are detected in Unix or Windows Server.

ATT&CK Category: Impact, Command and Control, Defense Evasion

ATT&CK Tag: Network Denial of Service, Proxy, Exploitation for Defense Evasion

ATT&CK ID: T1498, T1090, T1211

Minimum Log Source Requirement: Windows
Query:
((norm_id=Unix action="RUN" (file="etc/resolv.conf" or file="*\etc\host")) or (norm_id=WinServer* (label=File (label=Write or label=Modify) path="C:\Windows\System32\Drivers\etc" object="hosts") or (label=DNS label=Update (label=Successful or label=Request OR label=Fail)) (host=* or source_address=*))) -user IN EXCLUDED_USERS

LP_Possible Botnet Connection-IRC Port¶

Trigger Condition: The connection through the IRC port is detected. For this alert to work, you must update the list IRC_PORTS, including commonly used ports 6660 to 6669 and 6700.

ATT&CK Category: -

ATT&CK Tag: -

ATT&CK ID: -

Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
Query:
source_address=* destination_address=* destination_port in IRC_PORTS

LP_Possible Botnet Connection-Outbound DDOS¶

Trigger Condition: Multiple hosts connecting to the same destination address is detected.

ATT&CK Category: Impact, Command and Control, Defense Evasion

ATT&CK Tag: Network Denial of Service, Proxy, Exploitation for Defense Evasion

ATT&CK ID: T1498, T1090, T1211

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Connection source_address in HOMENET destination_address=* | chart distinct_count(source_address) as source by destination_address| search source>100

LP_Possible Botnet Connection-Outbound Spam¶

Trigger Condition: An unauthorized email sent through an open relay is detected.

ATT&CK Category: Command and Control, Defense Evasion, Impact

ATT&CK Tag: Proxy, Exploitation for Defense Evasion, Network Denial of Service

ATT&CK ID: T1090, T1211, T1498

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
(source_address=* or host=* method="HELO" or method="EHLO") or (label=Connection destination_port="25" source_address=* or host=*) | search -source_address IN MAIL_SERVER_IP

LP_Possible CLR DLL Loaded Via Office Applications¶

Trigger Condition: CLR DLL is loaded by an Office Product like WinWord, PowerPoint Excel, or Outlook.

ATT&CK Category: Initial Access

ATT&CK Tag: Phishing, Spearphishing Attachment

ATT&CK ID: T1566, T1566.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe", "*\powerpnt.exe", "*\excel.exe", "*\outlook.exe"] image IN ["*\clr.dll*"] -user IN EXCLUDED_USERS

LP_Possible Credential Dump-Tools Named Pipes Detected¶

Trigger Condition: A well-known credential dumping tool execution via specifically named pipes like lsadump, cachedump, or wceservicepipe is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: OS Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=17 pipe IN ["*\lsadump*", "*\cachedump*", "*\wceservicepipe*"] -user IN EXCLUDED_USERS

LP_Possible Data Breach¶

Trigger Condition: Unauthorized transfer of sensitive data is detected using mail applications, cloud applications, or other sources. For the alert to work, you must update the lists RESIGNED_EMPLOYEES, KNOWN_DOMAINS, and CLOUD_APPLICATIONS.

ATT&CK Category: Exfiltration

ATT&CK Tag: Exfiltration Over Web Service, Exfiltration to Cloud Storage

ATT&CK ID: T1567, T1567.002

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
(label=Mail object="*attachment*" sender in RESIGNED_EMPLOYEES -receiver in KNOWN_DOMAINS) or (label=Object label=Access (label=Write or label=Modify) event_category="*Removable*" user in RESIGNED_EMPLOYEES) or (label=Access label=Object (label=Write or label=Modify) path IN CLOUD_APPLICATIONS user in RESIGNED_EMPLOYEES) or (label=Data label=Transfer label=Sensitive source_address=* destination_address=*)

LP_Possible Data Breach-Off Hour Transfer¶

Trigger Condition: Unauthorized transfer of sensitive data during off-hours is detected.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: Firewall, IDS/IPS

Query:

(norm_id=*Firewall or norm_id=*IDS*) label=Connection source_address=* destination_address=* destination_port=* sent_datasize=* ((day_of_week(log_ts) IN ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]) and (hour(log_ts)<9 or hour(log_ts)>17)) or (day_of_week(log_ts) IN ["Saturday", "Sunday"] ) | chart sum((sent_datasize)/1024/1024) as TotalSentMB by user | search TotalSentMB>20

LP_Possible DDOS Attack¶

Trigger Condition: A considerable number of inbound traffic within a short period is detected.

ATT&CK Category: Initial Access, Impact

ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service

ATT&CK ID: T1190, T1498

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Deny ((protocol=icmp or application="icmp" or service=icmp) or (protocol=http or protocol=https) or (protocol=udp) or 'dns reply' or 'SYN') source_address=* destination_address=*| chart count(source_address) as ddos_source by destination_address| search ddos_source>2000

LP_Possible Detection of SafetyKatz¶

Trigger Condition: SafetyKatz behavior where a temp file debug.bin is created in temp folder to dump credentials using lsass.

ATT&CK Category: Credential Access

ATT&CK Tag: OS Credential Dumping, LSASS Memory

ATT&CK ID: T1003, T1003.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 path="*\Temp" file="debug.bin" -user IN EXCLUDED_USERS

LP_Possible DNS Rebinding Detected¶

Trigger Condition: Different DNS answers by one domain with IPs from internal and external networks are detected. Typically, DNS-answer contains TTL greater than 100. Application Layer Protocol and DNS-record are saved in the host cache during TTL.

ATT&CK Category: Command and Control

ATT&CK Tag: -

ATT&CK ID: -

Minimum Log Source Requirement: Windows Sysmon
Query:
event_id=22 query="*" status_code="0" query_result IN ["(::ffff:)?10.*", "(::ffff:)?192.168.*", "(::ffff:)?172.16.*", "(::ffff:)?172.17.*", "(::ffff:)?172.18.*", "(::ffff:)?172.19.*", "(::ffff:)?172.20.*", "(::ffff:)?172.21.*", "(::ffff:)?172.22.*", "(::ffff:)?172.23.*", "(::ffff:)?172.24.*", "(::ffff:)?172.25.*", "(::ffff:)?172.26.*", "(::ffff:)?172.27.*", "(::ffff:)?172.28.*", "(::ffff:)?172.29.*", "(::ffff:)?172.30.*", "(::ffff:)?172.31.*", "(::ffff:)?127.*"] -user IN EXCLUDED_USERS | chart count(QueryName) as val by host | search val > 3

LP_Possible DoS Attack¶

Trigger Condition: LogPoint detects DOS attack.

ATT&CK Category: Initial Access, Impact

ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service, Endpoint Denial of Service

ATT&CK ID: T1190, T1498, T1499

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
label=Dos label=Attack source_address=* destination_address=*

LP_Possible Empire Monkey Detected¶

Trigger Condition: LogPoint detects EmpireMonkey APT reported activity involving exploitation of scrobj.dll file using cutil or regsvr32.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*/i:%APPDATA%\logs.txt scrobj.dll" (image IN ["*\cutil.exe"] OR message IN ["Microsoft(C) Registerserver"]) -user IN EXCLUDED_USERS

LP_Possible Executable Used by PlugX in Uncommon Location¶

Trigger Condition: The execution of an executable used by PlugX for DLL side loading initated from an exotic location.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading
ATT&CK ID: T1574, T1574.002
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 ((image="*\CamMute.exe" -image="*\Lenovo\Communication Utility\*") OR (image="*\chrome_frame_helper.exe" -image="*\Google\Chrome\application\*") OR (image="*\dvcemumanager.exe" -image="*\Microsoft Device Emulator\*") OR (image="*\Gadget.exe" -image="*\Windows Media Player\*") OR (image="*\hcc.exe" -image="*\HTML Help Workshop\*") OR (image="*\hkcmd.exe" -image IN ["*\System32\*", "*\SysNative\*", "*\SysWowo64\*"]) OR (image="*\Mc.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*"]) OR (image="*\MsMpEng.exe" -image IN ["*\Microsoft Security Client\*", "*\Windows Defender\*", "*\AntiMalware\*"]) OR (image="*\msseces.exe" -image IN ["*\Microsoft Security Center\*", "*\Microsoft Security Client\*", "*\Microsoft Security Essentials\*"]) OR (image="*\OInfoP11.exe" -image="*\Common Files\Microsoft Shared\*") OR (image="*\OleView.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*", "*\Windows Resource Kit\*"]) OR (image="*\rc.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*", "*\Windows Resource Kit\*", "*\Microsoft.NET\*"])) -user IN EXCLUDED_USERS

LP_Possible Exploitation for CVE-2015-1641 Detected¶

Trigger Condition: Winword starting uncommon subprocess MicroScMgmt.exe used in exploits for CVE-2015-1641 is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\MicroScMgmt.exe " -user IN EXCLUDED_USERS

LP_Possible Hijack of Legit RDP Session to Move Laterally¶

Trigger Condition: The use of tsclient share to place a backdoor on the RDP source machine’s startup folder is detected.

ATT&CK Category: Persistence, Lateral Movement, Privilege Escalation

ATT&CK Tag: Remote Service Session Hijacking, RDP Hijacking, Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

ATT&CK ID: T1563, T1563.002, T1547, T1547.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=11 image="*\mstsc.exe" file="*\Microsoft\Windows\Start Menu\Programs\Startup\*" -user IN EXCLUDED_USERS

LP_Possible Impacket Lateralization Detected¶

Trigger Condition: wmiexec/dcomexec/atexec/smbexec from the Impacket framework is detected.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Windows Management Instrumentation, Inter-Process Communication, Inter-Process Communication, Component Object Model and Distributed COM

ATT&CK ID: T1047, T1021, T1021.003, T1559, T1559.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((parent_image IN ["*\wmiprvse.exe", "*\mmc.exe", "*\explorer.exe", "*\services.exe"] command IN ["*cmd.exe* /Q /c * \\127.0.0.1\*&1*"]) OR (parent_command IN ["*svchost.exe -k netsvcs", "taskeng.exe*"] command IN ["cmd.exe /C *Windows\Temp\*&1"])) -user IN EXCLUDED_USERS

LP_Possible Impacket SecretDump Remote Activity¶

Trigger Condition: LogPoint detects share_nameAD credential dumping using impacket secretdump HKTL.

ATT&CK Category: Credential Access

ATT&CK Tag: OS Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=5145 share_name="\*\ADMIN$" relative_target="SYSTEM32\*.tmp" -user IN EXCLUDED_USERS

LP_Possible Inbound Spamming Detected¶

Trigger Condition: LogPoint detects possible inbound spam.

ATT&CK Category: -

ATT&CK Tag: -

ATT&CK ID: -

Minimum Log Source Requirement: Mail Server
Query:
(sender=* receiver=* -sender in KNOWN_DOMAINS) | chart distinct_count(receiver) as spam_receiver by sender | search spam_receiver>100

LP_Possible Insider Threat¶

Trigger Condition: LogPoint detects alerts like privilege escalation, unauthorized access, and data breach for the same user.

ATT&CK Category: -

ATT&CK Tag: -

ATT&CK ID: -

Minimum Log Source Requirement: Logpoint
Query:
event_type="Possible Insider Threat" incident_user=* -incident_user in EXCLUDED_USERS| rename incident_user as user | chart distinct_count(incident_name) as AlertCount by user | search AlertCount>2

LP_Possible Land Attack¶

Trigger Condition: LogPoint detects a Cisco land-attack with event ID 106017.

ATT&CK Category: Impact

ATT&CK Tag: Network Denial of Service

ATT&CK ID: T1498

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
event_id=106017 label=Connection label=Attack label=Deny

LP_Possible Malicious Payload Download via Office Binaries Detected¶

Trigger Condition: A payload is downloaded from a remote server with HTTP command using Microsoft Office applications like PowerPoint, Word, and Excel in a compromised system.

ATT&CK Category: Command and Control

ATT&CK Tag: Ingress Tool Transfer

ATT&CK ID: T1105

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image IN ["*\powerpnt.exe", "*\winword.exe", "*\excel.exe"] command="*http*" -user IN EXCLUDED_USERS

LP_Possible Malware Detected¶

Trigger Condition: A file or software is detected as worm, virus, trojan, or malware.

ATT&CK Category: -

ATT&CK Tag: -

ATT&CK ID: -

Minimum Log Source Requirement: Antivirus
Query:
(label=Malware or label=Threat or label=Virus or label=Quarantine or label=Risk) (malware=* OR risk=* OR virus=*) (file=* or application=* or url=*)

LP_Possible Modification of Boot Configuration¶

Trigger Condition: When the use of the bcdedit command to delete or modify Boot Configuration Data is detected. Boot Configuration Data (BCD) files provide a store that describes boot applications and application settings. Boot configuration data edit (bcdedit) allows manipulating BCD. This tactic is used by malware or attackers as a destructive technique to prevent system recovery. Legitimate usage can trigger this alert. We recommend including the legitimate user in the EXCLUDED_USERS list.

ATT&CK Category: Impact, Defense Evasion, Persistence

ATT&CK Tag: Inhibit System Recovery, Pre-OS Boot, Bootkit

ATT&CK ID: T1490, T1542, T1542.003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image="*\bcdedit.exe" command IN ["*delete*", "*import*","set"]) OR ((command="*bootstatuspolicy*" command="*ignoreallfailures*") OR (command="*recoveryenabled*" command="*no*"))) -user IN EXCLUDED_USERS

LP_Possible Outbound Spamming Detected¶

Trigger Condition: An outbound spamming is detected.

ATT&CK Category: -

ATT&CK Tag: -

ATT&CK ID: -

Minimum Log Source Requirement: Mail Server
Query:
(sender=* receiver=* -receiver in KNOWN_DOMAINS sender in KNOWN_DOMAINS) | chart distinct_count(receiver) as spam_receiver by sender | search spam_receiver>100

LP_Possible Pass the Hash Activity Detected¶

Trigger Condition: When the attack technique passes the hash, which is used to move laterally inside the network. Pass the hash is a method of authenticating to a system using a password hash rather than the actual password. Adversaries may use this technique to gain unauthorized access to a system, bypassing normal authentication controls. Pass the hash attacks can be challenging to detect and prevent, as they do not involve using a clear-text password.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash

ATT&CK ID: T1550, T1550.002

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4624 ((caller_id="S-1-0-0" logon_type="3" logon_process="NtLmSsp" key_length="0") OR (logon_type="9" logon_process="seclogo")) -user="ANONYMOUS LOGON" -user IN EXCLUDED_USERS

LP_Possible Privilege Escalation via Service Permissions Weakness¶

Trigger Condition: Modification of services configuration (ImagePath, FailureCommand, and ServiceDLL) in the registry by processes with medium integrity level.

ATT&CK Category: Privilege Escalation

ATT&CK Tag: Hijack Execution Flow, Service Registry Permissions Weakness

ATT&CK ID: T1574, T1574.011

Minimum Log Source Requirement: Windows Sysmon
Query:
event_id=13 integrity_level="Medium" target_object="*\services\\*" target_object IN ["*\path", "*\FailureCommand", "*\Parameters\ServiceDll"] -user IN EXCLUDED_USERS

LP_Possible Privilege Escalation via Weak Service Permissions¶

Trigger Condition: The sc.exe utility spawning by a user with medium integrity level to change the service ImagePath or FailureCommand is detected.

ATT&CK Category: Privilege Escalation

ATT&CK Tag: Access Token Manipulation

ATT&CK ID: T1134

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\sc.exe" integrity_level="Medium" command IN ["*config*", "*binPath*", "*failure*", "*command*"] -user IN EXCLUDED_USERS

LP_Possible Process Hollowing Image Loading¶

Trigger Condition: Loading of samlib.dll or WinSCard.dll from untypical process is detected. For example, through process hollowing by Mimikatz.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Process Injection, Process Hollowing

ATT&CK ID: T1574, T1574.002, T1055, T1055.012

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=7 source_image IN ["*\notepad.exe"] image IN ["*\samlib.dll", "*\WinSCard.dll"] -user IN EXCLUDED_USERS

LP_Possible SPN Enumeration Detected¶

Trigger Condition: Service Principal Name Enumeration used for Steal or Forge Kerberos Tickets and Kerberoasting is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

ATT&CK ID: T1558, T1558.003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*-q*" (image="*\setspn.exe" OR message="*Query or reset the computer* SPN attribute*") -user IN EXCLUDED_USERS

LP_Possible SquiblyTwo Detected¶

Trigger Condition: WMI SquiblyTwo Attack with possible renamed WMI seeking for imphash is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Windows Management Instrumentation

ATT&CK ID: T1047

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((image="*\wmic.exe" command="wmic *format:*http*") OR (hash_imphash IN ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] command="*format:*http*")) -user IN EXCLUDED_USERS

LP_Possible Taskmgr run as LOCAL_SYSTEM Detected¶

Trigger Condition: Creation of a taskmgr.exe process in context of LOCAL_SYSTEM.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 user="NT AUTHORITY\SYSTEM" image="*\taskmgr.exe" -user IN EXCLUDED_USERS

LP_Possible WebApp Attack¶

Trigger Condition: A web application based attack is detected.

ATT&CK Category: Initial Access, Impact

ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service, Endpoint Denial of Service

ATT&CK ID: T1190, T1498, T1499

Minimum Log Source Requirement: WAF
Query:
norm_id=*WebAppFirewall ((label=Buffer label=Overflow) or (label=Attack label=Alert) or (label=Web label=Attack) or (label=Violation) or (label=Deny label=Rule) OR (label=SQL label=Injection))

LP_Potential RDP Exploit CVE-2019-0708 Detected¶

Trigger Condition: An error on protocol RDP potential CVE-2019-0708 is detected.

ATT&CK Category: Initial Access, Lateral Movement

ATT&CK Tag: Exploitation of Remote Services, Exploit Public-Facing Application

ATT&CK ID: T1210, T1190

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id IN ["56", "50"] event_source="TermDD" -user IN EXCLUDED_USERS

LP_Powershell AMSI Bypass via dotNET Reflection¶

Trigger Condition: Request to amsiInitFailed used to disable AMSI Scanning is detected.

ATT&CK Category: Execution, Defense Evasion

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*System.Management.Automation.AmsiUtils*"] command IN ["*amsiInitFailed*"] -user IN EXCLUDED_USERS

LP_PowerShell Base64 Encoded Shellcode Detected¶

Trigger Condition: Base64 encoded shellcode is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command="*AAAAYInlM*" command IN ["*OiCAAAAYInlM*", "*OiJAAAAYInlM*"] -user IN EXCLUDED_USERS

LP_PowerShell Execution Policy Modification Detected¶

Trigger Condition: The execution policy of Command and Scripting Interpreter and PowerShell is changed to unrestricted.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Modify Registry

ATT&CK ID: T1112

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon label=Registry label=Set label=Value detail=Unrestricted target_object="*ExecutionPolicy" -user IN EXCLUDED_USERS

LP_PowerShell Network Connections Detected¶

Trigger Condition: LogPoint detects a Command and Scripting Interpreter and PowerShell process that opens network connections. We recommend you check suspicious target ports and systems, and adjust them according to your environment. For example, extend filters with the company’s IP range.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=3 image="*\powershell.exe" initiated="true" -destination_address IN HOMENET -user="NT AUTHORITY\SYSTEM" -user IN EXCLUDED_USERS

LP_PowerShell Profile Modification¶

Trigger Condition: Modification of Command and Scripting Interpreter and PowerShell profile is detected.

ATT&CK Category: Persistence, Privilege Escalation, Execution

ATT&CK Tag: Command and Scripting Interpreter, Event Triggered Execution, PowerShell Profile, Powershell

ATT&CK ID: T1546, T1546.013, T1059, T1059.001

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4103 command in ["Write-Output", "Add-Content"] payload= "*powershell_profile*" -user IN EXCLUDED_USERS

LP_PowerShell PSAttack Detected¶

Trigger Condition: The use of a PSAttack command via PowerShell hack tool is detected.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows
Query:
event_id=4103 command="PS ATTACK!!!" -user IN EXCLUDED_USERS

LP_PowerShell Rundll32 Remote Thread Creation Detected¶

Trigger Condition: Command and Scripting Interpreter and PowerShell remote thread creation in Signed Binary Proxy Execution and Rundll32.exe is detected.

ATT&CK Category: Defense Evasion, Execution

ATT&CK Tag: Signed Binary Proxy Execution, Rundll32, Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1218, T1218.011, T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=8 source_image="*\powershell.exe" image="*\rundll32.exe" -user IN EXCLUDED_USERS

LP_PowerShell Script Run in AppData Detected¶

Trigger Condition: A suspicious command line execution that invokes Command and Scripting Interpreter and PowerShell concerning an AppData folder is detected.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["* /c powershell*\AppData\Local\*", "* /c powershell*\AppData\Roaming\*"] -user IN EXCLUDED_USERS

LP_PowerShell Version Downgrade Detected¶

Trigger Condition: The execution of Command and Scripting Interpreter and PowerShell v2 is detected. We recommend you avoid Powershell v2 as it offers zero-logging. PowerShell v5.x or higher offers better login.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, PowerShell

ATT&CK ID: T1059, T1059.001

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=400 host_version="2.0" -user IN EXCLUDED_USERS

LP_Process Dump via Comsvcs DLL Detected¶

Trigger Condition: Process memory dump via comsvcs.dll and rundll32 is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: OS Credential Dumping

ATT&CK ID: T1003

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (image="*\rundll32.exe" OR file="RUNDLL32.EXE") command IN ["*comsvcs*MiniDump*full*", "*comsvcs*MiniDumpW*full*"] -user IN EXCLUDED_USERS

LP_Process Dump via Rundll32 and Comsvcs Detected¶

Trigger Condition: Process memory dump performed via ordinal function 24 in comsvcs.dll is detected.

ATT&CK Category: Defense Evasion, Credential Access

ATT&CK Tag: Masquerading, OS Credential Dumping, LSASS Memory

ATT&CK ID: T1036, T1003, T1003.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN ["*comsvcs.dll, #24*", "*comsvcs.dll, MiniDump*"] -user IN EXCLUDED_USERS

LP_Process Hollowing Detected¶

Trigger Condition: Adversaries attempt to inject malicious code into suspended and hollowed processes to evade process-based defenses.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Process Injection, Process Hollowing
ATT&CK ID: T1055, T1055.012
Minimum Log Source Requirement: Windows Sysmon

Query:

norm_id=WindowsSysmon event_id=1 (image="*smss.exe" parent_command!="*smss.exe") or (image="*csrss.exe" (parent_command!="*smss.exe" and parent_command!="*svchost.exe")) or (image="*wininit.exe" parent_command!="*smss.exe") or (image="*winlogon.exe" parent_command!="*smss.exe") or (image="*lsass.exe" parent_command!="*wininit.exe") or (image="*LogonUI.exe" (parent_command!="*winlogon.exe" and parent_command!="*wininit.exe")) or (image="*services.exe" parent_command!="*wininit.exe") or (image="*spoolsv.exe" parent_command!="*services.exe") or (image="*taskhost.exe" (parent_command!="*services.exe" and parent_command!="*svchost.exe")) or (image="*taskhostw.exe" (parent_command!="*services.exe" and parent_command!="*svchost.exe")) or (image="*userinit.exe" (parent_command!="*dwm.exe" and parent_command!="*winlogon.exe")) -user IN EXCLUDED_USERS

LP_Process Injection Detected¶

Trigger Condition: Adversaries inject code into processes to evade process-based defenses and possibly elevate privileges using commands like Invoke-DllInjection.

ATT&CK Category: Defense Evasion, Privilege Escalation

ATT&CK Tag: Process Injection

ATT&CK ID: T1055

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 (command="*Invoke-DllInjection*" or command="*C:\windows\sysnative\*") -user IN EXCLUDED_USERS

LP_Protected Storage Service Access Detected¶

Trigger Condition: An access to a protected_storage service over the network is detected. The potential abuse of DPAPI to extract domain backup keys from Domain Controllers.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote Services

ATT&CK ID: T1021

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=5145 share_name="*IPC*" relative_target="protected_storage" -user IN EXCLUDED_USERS

LP_Prowli Malware Affected Host¶

Trigger Condition: Widows Server is affected by Prowli malware.

ATT&CK Category: -

ATT&CK Tag: -

ATT&CK ID: -

Minimum Log Source Requirement: Windows
Query:
norm_id=Winserver* hash in PROWLI_FILE host=*

LP_Prowli Malware Connection to Malicious Destination¶

Trigger Condition: An outbound connection to Prowli Malware sources is established by hosts.

ATT&CK Category: Command and Control

ATT&CK Tag: Proxy

ATT&CK ID: T1090

Minimum Log Source Requirement: Windows
Query:
(source_address=* OR destination_address=*) destination_address in PROWLI_IP | process dns(source_address) as host | process geoip(destination_address) as country

LP_Prowli Malware Emails Sent to Attacker¶

Trigger Condition: An email is sent to Prowli Malware listed emails.

ATT&CK Category: Exfiltration, Collection

ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

ATT&CK ID: T1041, T1114

Minimum Log Source Requirement: Mail Server
Query:
sender=* receiver=* receiver in PROWLI_EMAIL (host=* OR source_host=*) | rename source_host as host

LP_PsExec Tool Execution Detected¶

Trigger Condition: PsExec service installation and execution event (Service and Sysmon) is detected.

ATT&CK Category: Execution

ATT&CK Tag: System Services, Service Execution

ATT&CK ID: T1569, T1569.002

Minimum Log Source Requirement: Windows
Query:
(norm_id=WinServer service="PSEXESVC" ((event_id=7045 service="*\PSEXESVC.exe") OR event_id="7036")) OR (event_id=1 image="*\PSEXESVC.exe" user="NT AUTHORITY\SYSTEM") -user IN EXCLUDED_USERS

LP_Psr Capture Screenshots Detected¶

Trigger Condition: The psr.exe captures desktop screenshots and saves them in a local machine.

ATT&CK Category: Collection

ATT&CK Tag: Screen Capture

ATT&CK ID: T1113

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\Psr.exe" command="*/start*" -user IN EXCLUDED_USERS

LP_Pulse Secure Arbitrary File Reading Detected¶

Trigger Condition: The exploitation of arbitrary file reading vulnerability (CVE-2019-11510) in Pulse Secure is detected.

ATT&CK Category: Initial Access

ATT&CK Tag: External Remote Services

ATT&CK ID: T1113

Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
norm_id=* url IN ['*dana*guacamole*', '*lmdb*data.mdb*', '*data*mtmp/system*']

LP_QBot Process Creation Detected¶

Trigger Condition: LogPoint detects QBot like process execution of wscript or use of commands to manipulate program data or ping local host.

ATT&CK Category: Execution

ATT&CK Tag: Command and Scripting Interpreter, Visual Basic

ATT&CK ID: T1059, T1059.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 ((parent_image="*\WinRAR.exe" image="*\wscript.exe") OR command="* /c ping.exe -n 6 127.0.0.1 & type *" OR (command="*regsvr32.exe*" command="*C:\ProgramData*" command="*.tmp*")) -user IN EXCLUDED_USERS

LP_QuarksPwDump Clearing Access History Detected¶

Trigger Condition: QuarksPwDump clearing access history in hive is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: OS Credential Dumping, NTDS, Valid Accounts, Local Accounts

ATT&CK ID: T1003, T1003.003, T1078, T1078.003

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=16 hive="*\AppData\Local\Temp\SAM*" hive="*.dmp" -user IN EXCLUDED_USERS

LP_QuarksPwDump Dump File Detected¶

Trigger Condition: A dump file written by QuarksPwDump password dumper is detected.

ATT&CK Category: Credential Access

ATT&CK Tag: OS Credential Dumping, Security Account Manager

ATT&CK ID: T1003, T1003.002

Minimum Log Source Requirement: Windows Sysmon
Query:
event_id=11 file="*\AppData\Local\Temp\SAM-*.dmp*" -user IN EXCLUDED_USERS

LP_Query Registry Network¶

Trigger Condition: Adversaries use reg.exe component for network connection and interact with the Windows Registry to gather information about the system, configuration, and installed software.

ATT&CK Category: Discovery

ATT&CK Tag: Query Registry

ATT&CK ID: T1012

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=3 image="*reg.exe" command="*reg query*" -user IN EXCLUDED_USERS

LP_Query Registry Detected¶

Trigger Condition: A registry query is detected. Adversaries interact with the Windows Registry to gather information about the system, configuration, and installed software.

ATT&CK Category: Discovery

ATT&CK Tag: Query Registry, System Service Discovery

ATT&CK ID: T1012, T1007

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command IN ["*query*", "*save*", "*export*"] command IN ["*currentVersion\windows*", "*currentVersion\runServicesOnce*", "*currentVersion\runServices*", "*winlogon\\*", "*currentVersion\shellServiceObjectDelayLoad*", "*currentVersion\runOnce*", "*currentVersion\runOnceEx*", "*currentVersion\run*", "*currentVersion\policies\explorer\run*", "*currentcontrolset\services*"] -user IN EXCLUDED_USERS

LP_Rare Scheduled Task Creations Detected¶

Trigger Condition: Rare scheduled task creations are detected. A software gets installed on multiple systems. The aggregation and count function selects tasks with rare names.

ATT&CK Category: Persistence

ATT&CK Tag: Scheduled Task/Job, Scheduled Task

ATT&CK ID: T1053, T1053.005

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id="106" | chart count() as val by task | search val < 5

LP_RDP Login from Localhost Detected¶

Trigger Condition: RDP login with a localhost source address that may be a tunneled login is detected.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote Services, Remote Desktop Protocol

ATT&CK ID: T1021, T1021.001

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=4624 logon_type="10" source_address IN ["::1", "127.0.0.1"] -user IN EXCLUDED_USERS

LP_RDP Over Reverse SSH Tunnel Detected¶

Trigger Condition: svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 is detected.

ATT&CK Category: Lateral Movement

ATT&CK Tag: Remote Services, Remote Desktop Protocol

ATT&CK ID: T1021, T1021.001

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=3 image="*\svchost.exe" initiated="true" source_port="3389" destination_address IN ["127.*", "::1"] -user IN EXCLUDED_USERS

LP_RDP over Reverse SSH Tunnel WFP¶

Trigger Condition: svchost hosting RDP termsvcs communicating with the loopback address is detected.

ATT&CK Category: Command and Control, Lateral Movement

ATT&CK Tag: Remote Services, Remote Desktop Protocol, Proxy

ATT&CK ID: T1021, T1021.001, T1090

Minimum Log Source Requirement: Windows
Query:
norm_id=WinServer event_id=5156 ((source_port="3389" destination_address IN ["127.*", "::1"]) OR (destination_port="3389" source_address IN ["127.*", "::1"])) -user IN EXCLUDED_USERS

LP_RDP Registry Modification¶

Trigger Condition: Potential malicious modification of the property value of fDenyTS Connections and UserAuthentication to enable remote desktop connections is detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Modify Registry

ATT&CK ID: T1112

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=13 target_object IN ["*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication", "*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"] details="DWORD (0x00000000)" -user IN EXCLUDED_USERS

LP_RDP Sensitive Settings Changed¶

Trigger Condition: Changes to RDP terminal service sensitive settings are detected.

ATT&CK Category: Defense Evasion

ATT&CK Tag: Masquerading

ATT&CK ID: T1036

Minimum Log Source Requirement: Windows Sysmon
Query:
event_id=13 target_object IN ["*\services\TermService\Parameters\ServiceDll*", "*\Control\Terminal Server\fSingleSessionPerUser*", "*\Control\Terminal Server\fDenyTSConnections*"] -user IN EXCLUDED_USERS

LP_Reconnaissance Activity with Net Command¶

Trigger Condition: A set of commands often used in recon stages by different attack groups to discover the victim’s information, systems, or network are detected.

ATT&CK Category: Discovery, Reconnaissance

ATT&CK Tag: Account Discovery, System Information Discovery, Gather Victim Host Information, Gather Victim Identity Information

ATT&CK ID: T1087, T1082, T1589, T1592

Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=1 command IN [

Page Contents

MITRE ATT&CK Analytics¶

LP_Bypass User Account Control using Registry¶

LP_Mimikatz Detection LSASS Access Detected¶

LP_UAC Bypass via Sdclt Detected¶

LP_Unsigned Image Loaded Into LSASS Process¶

LP_Usage of Sysinternals Tools Detected¶

LP_Microsoft SharePoint Remote Code Execution Detected¶

LP_DenyAllWAF SQL Injection Attack¶

LP_Mitre - Initial Access - Valid Account - Unauthorized IP Access¶

LP_Windows CryptoAPI Spoofing Vulnerability Detected¶

LP_Malicious use of Scriptrunner Detected¶

LP_Suspicious process related to Rundll32 Detected¶

LP_Javascript conversion to executable Detected¶

LP_Suspicious Execution of Gpscript Detected¶

LP_Proxy Execution via Desktop Setting Control Panel¶

LP_ScreenSaver Registry Key Set Detected¶

LP_Xwizard DLL Side Loading Detected¶

LP_DLL Side Loading Via Microsoft Defender¶

LP_ZIP File Creation or Extraction via Printer Migration CLI Tool¶

LP_Credentials Capture via Rpcping Detected¶

LP_Suspicious ConfigSecurityPolicy Execution Detected¶

LP_C-Sharp Code Compilation Using Ilasm Detected¶

LP_Process Dump via Resource Leak Diagnostic Tool¶

LP_Suspicious DLL execution via Register-Cimprovider¶

Accessibility features - Process¶

LP_Accessibility Features-Registry¶

LP_Account Discovery Detected¶

LP_Active Directory DLLs Loaded By Office Applications¶

LP_DCSync detected¶

LP_Active Directory Replication User Backdoor¶

LP_Active Directory Schema Change Detected¶

LP_Activity Related to NTDS Domain Hash Retrieval¶

LP_AD Object WriteDAC Access Detected¶

LP_AD Privileged Users or Groups Reconnaissance Detected¶

LP_Addition of SID History to Active Directory Object¶

LP_Admin User Remote Logon Detected¶

LP_Adobe Flash Use-After-Free Vulnerability Detected¶

LP_Adwind RAT JRAT Detected¶

LP_Alternate PowerShell Hosts Detected¶

LP_Antivirus Exploitation Framework Detection¶

LP_Antivirus Password Dumper Detected¶

LP_Antivirus Web Shell Detected¶

LP_Apache Struts 2 Remote Code Execution Detected¶

LP_AppCert DLLs Detected¶

LP_Application Shimming - File Access Detected¶

LP_Application Whitelisting Bypass via Bginfo Detected¶

LP_Application Whitelisting Bypass via DLL Loaded by odbcconf Detected¶

LP_Application Whitelisting Bypass via Dnx Detected¶

LP_Audio Capture Detected¶

LP_Authentication Package Detected¶

LP_Autorun Keys Modification Detected¶

LP_Batch Scripting Detected¶

LP_BITS Jobs - Network Detected¶

LP_BITS Jobs - Process Detected¶

LP_Bloodhound and Sharphound Hack Tool Detected¶

LP_BlueMashroom DLL Load Detected¶

LP_Browser Bookmark Discovery¶

LP_CACTUSTORCH Remote Thread Creation Detected¶

LP_Call to a Privileged Service Failed¶

LP_Capture a Network Trace with netsh¶

LP_CEO Fraud - Possible Fraudulent Email Behavior¶

LP_Certutil Encode Detected¶

LP_Chafer Activity Detected¶

LP_Change of Default File Association Detected¶

LP_Citrix ADC VPN Directory Traversal Detected¶

LP_Clear Command History¶

LP_Clearing of PowerShell Logs Detected¶

LP_Clipboard Data Access Detected¶

LP_Clop Ransomware Emails Sent to Attacker¶

LP_Clop Ransomware Infected Host Detected¶

LP_Cmdkey Cached Credentials Recon Detected¶

LP_CMSTP Detected¶

LP_CMSTP Execution Detected¶

LP_CMSTP UAC Bypass via COM Object Access¶

LP_CobaltStrike Process Injection Detected¶

LP_Windows Command Line Execution with Suspicious URL and AppData Strings¶

LP_Compiled HTML File Detected¶

LP_Component Object Model Hijacking Detected¶

LP_Connection to Hidden Cobra Source¶