MITRE ATT&CK Analytics

The MITRE ATT&CK alerts available in Alert Rules are:

Accessibility features - Process

  • Trigger condition: An adversary establishes persistence and/or elevate privileges by executing malicious content by process features.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Event Triggered Execution, Accessibility Features

  • ATT&CK ID: T1546,T1546.008

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*winlogon.exe" (image="*sethc.exe" or image="*utilman.exe" or image="*osk.exe" or image="*magnify.exe" or image="*displayswitch.exe" or image="*narrator.exe" or image="*atbroker.exe") -user IN EXCLUDED_USERS
    

LP_Accessibility Features-Registry

  • Trigger condition: An adversary establishes persistence and/or elevates privileges by executing malicious content, replacing accessibility feature binaries, pointers, or references to these binaries in the registry.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Event Triggered Execution, Accessibility Features

  • ATT&CK ID: T1546,T1546.008

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" -user IN EXCLUDED_USERS
    

LP_Account Discovery Detected

  • Trigger condition: Adversaries attempt to get a listing of accounts on a system or within an environment that can help them determine which accounts exist to aid in follow-on behavior.

  • ATT&CK Category: -

  • ATT&CK Tag: Account Discovery, Local Account, Domain Account

  • ATT&CK ID: T1087,T1087.001,T1087.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*powershell.exe") (command="*net* user*" or command="*net* group*" or command="*net* localgroup*" or command="*cmdkey*\/list*" or command="*get-localuser*" or command="*get-localgroupmembers*" or command="*get-aduser*" or command="*query*user*") -user IN EXCLUDED_USERS
    

LP_Active Directory DLLs Loaded By Office Applications

  • Trigger condition: Kerberos DLL or DSParse DLL loaded by the Office products like WinWord, Microsoft PowerPoint, Microsoft Excel, or Microsoft Outlook.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing, Spearphishing Attachment

  • ATT&CK ID: T1566,T1566.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*\kerberos.dll*","*\dsparse.dll*"] -user IN EXCLUDED_USERS
    

LP_DCSync detected

  • Trigger condition: The abuse of Active Directory Replication Service (ADRS) detected from a non-machine account to request credentials or DC Sync by creating a new SPN.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping, DCSync

  • ATT&CK ID: T1003,T1003.006

  • Minimum Log Source Requirement: Windows

  • Query:

    ((norm_id=WinServer event_id=4662 access_mask="0x100" properties IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*", "*Replicating Directory Changes All*"] -user="*$" -user="MSOL_*") or (norm_id=WinServer event_id=4742
    service="*GC/*"))-user IN EXCLUDED_USERS
    

LP_Active Directory Replication User Backdoor

  • Trigger condition: Modification of the security descriptor of a domain object for granting Active Directory replication permissions to a user.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: File and Directory Permissions Modification, Windows File and Directory Permissions Modification

  • ATT&CK ID: T1222,T1222.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=5136 ldap_display="ntsecuritydescriptor" attribute_value IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"] -user IN EXCLUDED_USERS
    

LP_Active Directory Schema Change Detected

  • Trigger condition: The directory service object is changed, created, moved, deleted, or restored.

  • ATT&CK Category: Persistence, Privilege Escalation, Credential Access

  • ATT&CK Tag: Create or Modify System Process, Windows Service, Exploitation for Credential Access, Exploitation for Privilege Escalation

  • ATT&CK ID: T1212, T1068, T1543, T1543.003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer* label=Directory label=Service label=Object (label=Change or label=Create or label=Move or label=Delete or label=Undelete) -user IN EXCLUDED_USERS
    

LP_AD Object WriteDAC Access Detected

  • Trigger condition: WRITE_DAC, which can modify the discretionary access-control list (DACL) in the object security descriptor, is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: File and Directory Permissions Modification

  • ATT&CK ID: T1222

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4662 object_server="DS" access_mask=0x40000 object_type IN ["19195a5b-6da0-11d0-afd3-00c04fd930c9", "domainDNS"] -user IN EXCLUDED_USERS
    

LP_AD Privileged Users or Groups Reconnaissance Detected

  • Trigger condition: priv users or groups recon based on 4661 event ID and privileged users or groups SIDs are detected. The object names must be; domain admin, KDC service account, admin account, enterprise admin, group policy creators and owners, backup operator, or remote desktop users.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Account Discovery, Local Account, Domain Account

  • ATT&CK ID: T1087,T1087.001,T1087.002

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4661 object_type IN ["SAM_USER", "SAM_GROUP"] object_name IN ["*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555", "*admin*"] -user IN EXCLUDED_USERS
    

LP_Addition of SID History to Active Directory Object

  • Trigger condition: Addition of SID History to Active Directory Object is detected. An attacker can use the SID history attribute to gain additional privileges.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Access Token Manipulation, SID-History Injection

  • ATT&CK ID: T1134,T1134.005

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer (event_id IN ["4765", "4766"] OR (norm_id=WinServer event_id=4738 -SidHistory IN ["-", "%%1793"])) -user IN EXCLUDED_USERS
    

LP_Admin User Remote Logon Detected

  • Trigger condition: Successful remote login by the administrator depending on the internal pattern is detected.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4624 logon_type="10" (authentication_package="Negotiate" OR package="Negotiate") user="Admin-*" -user IN EXCLUDED_USERS | rename package as authentication_package
    

LP_Adobe Flash Use-After-Free Vulnerability Detected

  • Trigger condition: The exploitation of use-after-free vulnerability (CVE-2018-4878) in Adobe Flash is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: User Execution

  • ATT&CK ID: T1204

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Image label=Load source_image IN ["*winword.exe", "*excel.exe"] image='*Flash32*.ocx' -user IN EXCLUDED_USERS
    

LP_Adwind RAT JRAT Detected

  • Trigger condition: The applications like javaw.exe, cscript in the AppData folder, or set values of Windows Run* register used by Adwind or JRAT are detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, Visual Basic, JavaScript/JScript, Windows Command Shell, PowerShell

  • ATT&CK ID: T1059, T1059.001, T1059.003, T1059.005, T1059.007

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (event_id=1 command IN ["*\AppData\Roaming\Oracle*\java*.exe *", "*cscript.exe *Retrive*.vbs *"]) OR (event_id=11 file IN ["*\AppData\Roaming\Oracle\bin\java*.exe", "*\Retrive*.vbs"]) OR (event_id=13 target_object="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*" detail="%AppData%\Roaming\Oracle\bin\*")
    

LP_Alternate PowerShell Hosts Detected

  • Trigger condition: Alert detects alternate Command and Scripting Interpreter or PowerShell hosts bypassing detections for the powershell.exe.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059,T1059.001

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

    (norm_id=WinServer event_id IN [4103, 400] event_source="Microsoft-Windows-PowerShell" -application="*powershell.exe") OR (norm_id=WindowsSysmon event_id=7 message="*system.management.automation*" image="*system.management.automation*" -source_image="*\powershell.exe") OR (norm_id=WindowsSysmon event_id=17 pipe="\PSHost*" -image="*\powershell.exe") -user IN EXCLUDED_USERS | rename image as "process", pipe as application
    

LP_Antivirus Exploitation Framework Detection

  • Trigger condition: Antivirus’s alert reports exploitation in a framework.

  • ATT&CK Category: Execution, Command and Control

  • ATT&CK Tag: Exploitation for Client Execution,Remote Access Tools

  • ATT&CK ID: T1203,T1219

  • Minimum Log Source Requirement: Antivirus

  • Query:

    signature IN ["*MeteTool*", "*MPreter*", "*Meterpreter*", "*Metasploit*", "*PowerSploit*", "*CobaltSrike*",  "*Swrort*", "*Rozena*", "*Backdoor.Cobalt*", "*Msfvenom*", "*armor*", "*Empire*" ,"*SilentTrinity*", "*Ntlmrelayx"]
    

LP_Antivirus Password Dumper Detected

  • Trigger condition: Antivirus’s alert reports a password dumper.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    status IN ["*DumpCreds*", "*Mimikatz*", "*PWCrack*", "HTool/WCE", "*PSWtool*", "*PWDump*", "*SecurityTool*", "*PShlSpy*","*laZagne*"]
    

LP_Antivirus Web Shell Detected

  • Trigger condition: Antivirus’s alert reports a Web Shell.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Server Software Component, Web Shell

  • ATT&CK ID: T1505, T1505.003

  • Minimum Log Source Requirement: Antivirus

  • Query:

    signature IN ["PHP/Backdoor*", "JSP/Backdoor*", "ASP/Backdoor*", "Backdoor.PHP*", "Backdoor.JSP*", "Backdoor.ASP*", "*Webshell*"]
    

LP_Apache Struts 2 Remote Code Execution Detected

  • Trigger condition: A remote code execution vulnerability (CVE-2017-5638) in Apache Struts 2 is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Exploit Public-Facing Application

  • ATT&CK ID: T1190

  • Minimum Log Source Requirement: ApacheTomcat

  • Query:

    norm_id=ApacheTomcatServer label=Content label=Invalid label=Type | norm on content_type #cmd=<command:quoted>
    

LP_AppCert DLLs Detected

  • Trigger condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Event Triggered Execution, AppCert DLLs

  • ATT&CK ID: T1546, T1546.009

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\System\CurrentControlSet\Control\Session Manager\AppCertDlls\*" -user IN EXCLUDED_USERS
    

LP_Application Shimming - File Access Detected

  • Trigger condition: Adversaries establish persistence and/or elevate privileges by executing malicious content initiated by application shims.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Event Triggered Execution, Application Shimming

  • ATT&CK ID: T1546,T1546.011

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon ((event_id=11 file="*C:\Windows\AppPatch\Custom\*") or (event_id=1 image="*sdbinst.exe") or ((event_id=12 or event_id=13 or event_id=14) target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*"))  -user IN EXCLUDED_USERS
    

LP_Application Whitelisting Bypass via Bginfo Detected

  • Trigger condition: Adversaries bypass the process and/or signature-based defenses by executing a VBscript code referenced within the .bgi file.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution

  • ATT&CK ID: T1218

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\bginfo.exe" command="*/popup*" command="*/nolicprompt*" -user IN EXCLUDED_USERS
    

LP_Application Whitelisting Bypass via DLL Loaded by odbcconf Detected

  • Trigger condition: Adversaries bypass the process and/or signature-based defenses via odbcconf.exe execution to load DLL.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Odbcconf

  • ATT&CK ID: T1218, T1218.008

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\odbcconf.exe" command IN ["*-f*", "*regsvr*"]) OR (parent_image="*\odbcconf.exe" image="*\rundll32.exe")) -user IN EXCLUDED_USERS
    

LP_Application Whitelisting Bypass via Dnx Detected

  • Trigger condition: Adversaries bypass the process and/or signature-based defenses by execution of C# code located in the consoleapp folder.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution

  • ATT&CK ID: T1218

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\dnx.exe" -user IN EXCLUDED_USERS
    

LP_Audio Capture Detected

  • Trigger condition: The use of Powershell, sound recorder application, or command to get the audio device is detected. Adversaries attempt to leverage peripheral devices or applications to obtain audio recordings for sensitive conversations.

  • ATT&CK Category: Collection

  • ATT&CK Tag: Audio Capture

  • ATT&CK ID: T1123

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*SoundRecorder.exe" and command="*/FILE*") or command="*Get-AudioDevice*" or command="*WindowsAudioDevice-Powershell-Cmdlet*") -user IN EXCLUDED_USERS
    

LP_Authentication Package Detected

  • Trigger Condition: The LSA process is loaded by services other than lssac, svchos, msiexec, and services. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at the system start. Adversaries may abuse authentication packages to execute DLLs when the system boots.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Boot or Logon Autostart Execution, Authentication Package, Security Support Provider

  • ATT&CK ID: T1547, T1547.002, T1547.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SYSTEM\CurrentControlSet\Control\Lsa\*") -image in ["*C:\WINDOWS\system32\lsass.exe","*C:\Windows\system32\svchost.exe","*C:\Windows\system32\services.exe","C:\Windows\system32\msiexec.exe","C:\Windows\system32\Msiexec.exe"]
    -user IN EXCLUDED_USERS
    

LP_Autorun Keys Modification Detected

  • Trigger Condition: Modification of Autostart Extensibility Point (ASEP) in the registry is detected. Adversaries achieve persistence by adding a program to a startup folder or referencing it with a registry run key.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

  • ATT&CK ID: T1547, T1547.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=13 target_object IN ["*\software\Microsoft\Windows\CurrentVersion\Run*", "*\software\Microsoft\Windows\CurrentVersion\RunOnce*", "*\software\Microsoft\Windows\CurrentVersion\RunOnceEx*", "*\software\Microsoft\Windows\CurrentVersion\RunServices*", "*\software\Microsoft\Windows\CurrentVersion\RunServicesOnce*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*", "*\software\Microsoft\Windows NT\CurrentVersion\Windows*", "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*"] -user IN EXCLUDED_USERS
    

LP_Batch Scripting Detected

  • Trigger Condition: Execution of commands, scripts, or binaries (.bat or .cmd) files.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 file in ["*.bat", "*.cmd"] -user IN EXCLUDED_USERS
    

LP_BITS Jobs - Network Detected

  • Trigger Condition: The BITS job network connection is detected. An adversary abuses BITS jobs to execute or clean up after executing malicious payload.

  • ATT&CK Category: Defense Evasion, Persistence

  • ATT&CK Tag: BITS Jobs

  • ATT&CK ID: T1197

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 image="*bitsadmin.exe" -user IN EXCLUDED_USERS
    

LP_BITS Jobs - Process Detected

  • Trigger Condition: Creation of the BITS job process. An adversary abuses BITS jobs to execute or clean up after executing the malicious payload.

  • ATT&CK Category: Defense Evasion, Persistence

  • ATT&CK Tag: BITS Jobs

  • ATT&CK ID: T1197

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*bitsamin.exe" or command="*Start-BitsTransfer*") -user IN EXCLUDED_USERS
    

LP_Bloodhound and Sharphound Hack Tool Detected

  • Trigger Condition: Command-line parameters used by Bloodhound and Sharphound hack tools are detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Account Discovery

  • ATT&CK ID: T1087

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image IN ["*\Bloodhound.exe*", "*\SharpHound.exe*"] OR command IN ["* -CollectionMethod All *", "*.exe -c All -d *", "*Invoke-Bloodhound*", "*Get-BloodHoundData*"] OR (command="* -JsonFolder *" command="* -ZipFileName *") OR (command="* DCOnly *" command="* --NoSaveCache *")) -user IN EXCLUDED_USERS
    

LP_BlueMashroom DLL Load Detected

  • Trigger Condition: DLL loading from AppData Local path described in BlueMashroom report is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

  • ATT&CK ID: T1218, T1218.010

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*\regsvr32*\AppData\Local\*", "*\AppData\Local\*, DllEntry*"] -user IN EXCLUDED_USERS
    

LP_Browser Bookmark Discovery

  • Trigger Condition: Adversaries search Mozilla Firefox’s places.sqlite file containing bookmark. They attempt to enumerate browser bookmarks to extract information on compromised hosts, users, and internal resources.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Browser Bookmark Discovery

  • ATT&CK ID: T1217

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*firefox*places.sqlite*") -user IN EXCLUDED_USERS
    

LP_Bypass UAC via CMSTP Detected

  • Trigger Condition: The child processes for automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe) is detected.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, CMSTP,Abuse Elevation Control Mechanism, Bypass User Account Control

  • ATT&CK ID: T1218, T1218.003, T1548

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\cmstp.exe" command IN ["*/s*", "*/au*"] -user IN EXCLUDED_USERS
    

LP_Bypass UAC via Fodhelper Detected

  • Trigger Condition: The use of Fodhelper.exe is detected. Adversaries use this technique to execute privileged processes.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control

  • ATT&CK ID: T1548

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\fodhelper.exe" -user IN EXCLUDED_USERS
    

LP_Bypassing Application Whitelisting with Regsvr32

  • Trigger Condition: Creation of a process using Regsvr32. Adversaries may abuse Regsvr32.exe to proxy the execution of malicious code.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

  • ATT&CK ID: T1218,T1218.010

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*regsvr32.exe" or image="*rundll32.exe" or image="*certutil.exe" or command="*scrobj.dll*") -user IN EXCLUDED_USERS
    

LP_CACTUSTORCH Remote Thread Creation Detected

  • Trigger Condition: Creation of a remote thread from CACTUSTORCH.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Process Injection, Command and Scripting Interpreter

  • ATT&CK ID: T1055, T1059

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=8 source_image IN ["*\System32\cscript.exe", "*\System32\wscript.exe", "*\System32\mshta.exe", "*\winword.exe", "*\excel.exe"] image="*\SysWOW64\*" -start_module=* -user IN EXCLUDED_USERS
    

LP_Call to a Privileged Service Failed

  • Trigger Condition: The privileged service call using LsaRegisterLogonProcess fails.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Valid Account

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4673 service="LsaRegisterLogonProcess()" event_type="*Failure*" -user IN EXCLUDED_USERS
    

LP_Capture a Network Trace with netsh

  • Trigger Condition: Network trace capture via netsh.exe trace functionality is detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Sniffing

  • ATT&CK ID: T1040

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*netsh*" command="*trace*" command="*start*" -user IN EXCLUDED_USERS
    

LP_CEO Fraud - Possible Fraudulent Email Behavior

  • Trigger Condition: An email received from a threat source in the internal network exhibits fraudulent behavior. For this alert to work, you must update the following:

    • HOME_DOMAIN, which is the list of selected domain names. For example, logpoint.com

    • MANAGERS, which is the list of selected managers and executives. For example, Alice

    • SERVER_ADDRESS, which is the list of trusted clients or servers from where the emails are received.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing

  • ATT&CK ID: T1566, T1566.001

  • Minimum Log Source Requirement: Exchange MT

  • Query:

    norm_id=ExchangeMT event_id=receive sender=* receiver IN HOME_DOMAIN original_client_address=* -original_client_address IN SERVER_ADDRESS | norm on sender <target_manager:all>@<domain:string> |
    norm on message_id @<original_domain:'.*'><:'\>'> | search target_manager IN MANAGERS
    

LP_Certutil Encode Detected

  • Trigger Condition: The certutil command, sometimes used for data exfiltration, is used to encode files.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Obfuscated Files or Information

  • ATT&CK ID: T1027

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["certutil -f -encode *", "certutil.exe -f -encode *", "certutil -encode -f *", "certutil.exe -encode -f *"] -user IN EXCLUDED_USERS
    

LP_Chafer Activity Detected

  • Trigger Condition: The Chafer activity attributed to OilRig reported in Nyotron report in March 2018 is detected.

  • ATT&CK Category: Execution, Persistence, Privilege Escalation

  • ATT&CK Tag: Scheduled Task/Job, Scheduled Task

  • ATT&CK ID: T1053, T1053.005

  • Minimum Log Source Requirement: Windows

  • Query:

    (norm_id=WinServer event_id=7045 service IN ["SC Scheduled Scan", "UpdatMachine"]) OR (norm_id=WinServer event_id=4698 task IN ["SC Scheduled Scan", "UpdatMachine"]) OR (event_id=13 event_type="SetValue" (target_object IN ["*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe", "*SOFTWARE\Microsoft\Windows\CurrentVersion\UT"] OR (target_object="*\Control\SecurityProviders\WDigest\UseLogonCredential" detail="DWORD (0x00000001)"))) OR (event_id=1 (command IN ["*\Service.exe i", "*\Service.exe u", "*\microsoft\Taskbar\autoit3.exe", "C:\wsc.exe*"] OR image="*\Windows\Temp\DB\*.exe" OR (command="*\nslookup.exe -q=TXT*" parent_image="*\Autoit*"))) -user IN EXCLUDED_USERS
    

LP_Change of Default File Association Detected

  • Trigger Condition: A registry value is set to change the file association. Adversaries establish persistence by executing malicious content triggered by a file type association.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Event Triggered Execution, Change Default File Association

  • ATT&CK ID: T1546, T1546.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="*HKEY_CLASSES_ROOT\mscfile*" detail in ["*powershell*", "*.exe*", "*.dat*"] -user IN EXCLUDED_USERS
    

LP_Citrix ADC VPN Directory Traversal Detected

  • Trigger Condition: The exploitation of directory traversal vulnerability (CVE-2019-19781) in Citrix ADC is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: External Remote Services

  • ATT&CK ID: T1133

  • Minimum Log Source Requirement: Webserver, Firewall

  • Query:

    norm_id=* (url="*/../vpns/*" OR resource="*/../vpns/*")
    

LP_Clear Command History

  • Trigger Condition: Deletion of command history is detected. Adversaries delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indicator Removal on Host, Clear Command History

  • ATT&CK ID: T1070, T1070.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" or command="*del (Get-PSReadlineOption).HistorySavePath*" or command="*Set-PSReadlineOption -HistorySaveStyle SaveNothing*" or command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS
    

LP_Clearing of PowerShell Logs Detected

  • Trigger Condition: Clearance of console history logs is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indicator Removal on Host

  • ATT&CK ID: T1070

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4103 (command_name="Remove-Item" OR command="Remove-Item") payload="*consolehost*history*" -user IN EXCLUDED_USERS | rename command_name as command
    

LP_Clipboard Data Access Detected

  • Trigger Condition: Adversaries collect data stored in a clipboard from users copying information within or between applications.

  • ATT&CK Category: Collection

  • ATT&CK Tag: Clipboard Data

  • ATT&CK ID: T1115

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*clip.exe" or command="*Get-Clipboard*") -user IN EXCLUDED_USERS
    

LP_Clop Ransomware Emails Sent to Attacker

  • Trigger Condition: Email communication is established to or from Clop Ransomware listed emails.

  • ATT&CK Category: Exfiltration, Collection

  • ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

  • ATT&CK ID: T1041, T1114

  • Minimum Log Source Requirement: Exchange MT

  • Query:

    (receiver in CLOP_RANSOMWARE_EMAILS OR sender in CLOP_RANSOMWARE_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host
    

LP_Clop Ransomware Infected Host Detected

  • Trigger Condition: Clop ransomware infected host is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Encrypted for Impact

  • ATT&CK ID: T1486

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    host=* hash=* hash IN CLOP_RANSOMWARE_HASHES
    

LP_Cmdkey Cached Credentials Recon Detected

  • Trigger Condition: The usage of cmdkey to detect cached credentials.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\cmdkey.exe" command="* /list *" -user IN EXCLUDED_USERS
    

LP_CMSTP Detected

  • Trigger Condition: Adversary abuses CMSTP for proxy execution of malicious code. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Also, the adversary supplies CMSTP.exe with INF files infected with malicious commands.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, CMSTP

  • ATT&CK ID: T1218, T1218.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*CMSTP.exe" -user IN EXCLUDED_USERS
    

LP_CMSTP Execution Detected

  • Trigger Condition: Loading and execution of local or remote payloads using CMSTP. Adversaries abuse CMSTP.exe to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. The execution bypasses AppLocker, and other whitelisting defenses since CMSTP.exe is a legitimate and signed Microsoft application.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, CMSTP

  • ATT&CK ID: T1218, T1218.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (event_id=12 target_object="*\cmmgr32.exe*") OR (event_id=13 target_object="*\cmmgr32.exe*") OR (event_id=10 call_trace="*cmlua.dll*") OR (event_id=1 parent_image="*\cmstp.exe")
    

LP_CMSTP UAC Bypass via COM Object Access

  • Trigger Condition: Loading and execution of local or remote payloads using CMSTP. Adversaries abuse CMSTP.exe to bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.

  • ATT&CK Category: Defense Evasion, Privilege Escalation, Execution

  • ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control, Signed Binary Proxy Execution, CMSTP

  • ATT&CK ID: T1548, T1218, T1218.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_command="*\DllHost.exe" parent_command IN ["*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "*{3E000D72-A845-4CD9-BD83-80C07C3B881F}"] -user IN EXCLUDED_USERS
    

LP_CobaltStrike Named Pipes Detected

  • Trigger Condition: Creation of CobaltStrike Named Pipes by default spawn-processes like runonce.exe, svchost.exe, regsvr32.exe, or WUAUCLT.exe.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Named Pipes, Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=17 source_image in ['*runonce*','*svchost*','*regsvr32*','*WUAUCLT*'] -user IN EXCLUDED_USERS
    

LP_CobaltStrike Process Injection Detected

  • Trigger Condition: Creation of remote threat with specific characteristics that are typical for Cobalt Strike beacons.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=8 start_address IN ["*0B80", "*0C7C", "*0C88"] -user IN EXCLUDED_USERS
    

LP_Windows Command Line Execution with Suspicious URL and AppData Strings

  • Trigger Condition: Execution of Windows command line with command line parameters URL and AppData string used by droppers.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=8 start_address IN ["*0B80", "*0C7C", "*0C88"] -user IN EXCLUDED_USERS
    

LP_Compiled HTML File Detected

  • Trigger Condition: Adversary abuses Compiled HTML files (.chm) to conceal malicious code.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Compiled HTML File

  • ATT&CK ID: T1218, T1218.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*hh.exe" -user IN EXCLUDED_USERS
    

LP_Component Object Model Hijacking Detected

  • Trigger Condition: Adversaries establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • ATT&CK Category: Defense Evasion, Persistence

  • ATT&CK Tag: Inter-Process Communication, Event Triggered Execution, Component Object Model Hijacking

  • ATT&CK ID: T1546, T1546.015

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\Software\Classes\CLSID*" -user IN EXCLUDED_USERS
    

LP_Connection to Hidden Cobra Source

  • Trigger Condition: Hosts establish an outbound connection to Hidden Cobra sources.

  • ATT&CK Category: Command and Control, Defense Evasion

  • ATT&CK Tag: Command and Control, Defense Evasion

  • ATT&CK ID: T1090, T1211

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (source_address=* OR destination_address=*) destination_address in HIDDEN_COBRA_IPS | process dns(source_address) as host | process geoip(destination_address) as country
    

LP_Console History Discovery Detected

  • Trigger Condition: Adversaries attempt to get detailed information about the console history discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Information Discovery

  • ATT&CK ID: T1082

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*Get-History*" or command="*AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt*" or command="*(Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS
    

LP_Control Panel Items - Process Detected

  • Trigger Condition: Adversary abuses control.exe for proxy execution of malicious payloads.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

  • ATT&CK ID: T1218, T1218.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*control \/name*" or command="*rundll32 shell32.dll, Control_RunDLL*") -user IN EXCLUDED_USERS
    

LP_Control Panel Items - Registry Detected

  • Trigger Condition: Adversary abuses control.exe for proxy execution of malicious payloads.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

  • ATT&CK ID: T1218, T1218.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace*" or target_object="*\Software\Microsoft\Windows\CurrentVersion\Controls Folder\*\Shellex\PropertySheetHandlers\*" or target_object="*\Software\Microsoft\Windows\CurrentVersion\Control Panel\*") -user IN EXCLUDED_USERS
    

LP_Control Panel Items Detected

  • Trigger Condition: Adversary attempts to use a control panel item (.cpl) outside the System32 folder.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

  • ATT&CK ID: T1218, T1218.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*.cpl" -command IN ["*\System32\*", "*%System%*"] -user IN EXCLUDED_USERS
    

LP_Copy from Admin Share Detected

  • Trigger Condition: A copy command from a remote CorADMIN share is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services, Remote File Copy

  • ATT&CK ID: T1021, T1105

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*copy *\c∗", "∗copy∗\ADMIN*"]-user IN EXCLUDED_USERS
    

LP_Copying Sensitive Files with Credential Data

  • Trigger Condition: Copying of sensitive files with credential data is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\esentutl.exe" command IN ["*vss*", "* /m *", "* /y *"]) OR command IN ["*\windows\ntds\ntds.dit*", "*\config\sam*", "*\config\security*", "*\config\system *", "*\repair\sam*", "*\repair\system*", "*\repair\security*", "*\config\RegBack\sam*", "*\config\RegBack\system*", "*\config\RegBack\security*"]) -user IN EXCLUDED_USERS
    

LP_CrackMapExecWin Detected

  • Trigger Condition: CrackMapExecWin activity as described by NCSC is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image IN ["*\crackmapexec.exe"] -user IN EXCLUDED_USERS
    

LP_CreateMiniDump Hacktool Detected

  • Trigger Condition: The use of the CreateMiniDump hack tool to dump the LSASS process memory for credential extraction on the attacker’s machine is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping, LSASS Memory

  • ATT&CK ID: T1003, T1003.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (event_id=1 (image="*\CreateMiniDump.exe*" OR hash="4a07f944a83e8a7c2525efa35dd30e2f")) OR (event_id=11 file="*\lsass.dmp*")
    

LP_CreateRemoteThread API and LoadLibrary

  • Trigger Condition: The use of CreateRemoteThread API and LoadLibrary function to inject DLL into a process is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=8 start_module="*\kernel32.dll" start_function="LoadLibraryA" -user IN EXCLUDED_USERS
    

LP_Command Obfuscation in Command Prompt

  • Trigger Condition: Adversaries abuse the Windows command shell for the execution of commands, scripts, or binaries.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell

  • ATT&CK ID: T1059, T1059.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command IN ['*^*^*^*^*', '*set*=*call*%*%*','*s^*e^*t*']
    

LP_Command Obfuscation via Character Insertion

  • Trigger Condition: Command obfuscation of command prompt by character insertion is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell

  • ATT&CK ID: T1059, T1059.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command='cmd*/c*' | norm on parent_command <command_match:'[^\w](s\^+e\^*t|s\^*e\^+t)[^\w]'>| search command_match=*
    

LP_Command Obfuscation via Environment Variable Concatenation Reassembly

  • Trigger Condition: Command obfuscation in command prompt by environment variable concatenation reassembly is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell

  • ATT&CK ID: T1059, T1059.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command='cmd*/c*' | norm on parent_command <command_match:'%[^%]+%{4}'> | search command_match=*
    

LP_Credential Access via Input Prompt Detected

  • Trigger Condition: Adversary captures user input to obtain credentials or collect information via Input Prompt.

  • ATT&CK Category: Credential Access, Collection

  • ATT&CK Tag: Input Capture, GUI Input Capture

  • ATT&CK ID: T1056, T1056.002

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4104 (scriptblocktext="*UI.prompt*credential*" OR script_block="*UI.prompt*credential*") -user IN EXCLUDED_USERS | rename scriptblocktext as script_block
    

LP_Credential Dump Tools Dropped Files Detected

  • Trigger Condition: Creation of files with a well-known filename (i.e., parts of credential dump software or files produced by them) is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 file IN ["*\pwdump*", "*\kirbi*", "*\pwhashes*", "*\wce_ccache*", "*\wce_krbtkts*", "*\fgdump-log*", "*\test.pwd", "*\lsremora64.dll", "*\lsremora.dll", "*\fgexec.exe", "*\wceaux.dll", "*\SAM.out", "*\SECURITY.out", "*\SYSTEM.out", "*\NTDS.out", "*\DumpExt.dll", "*\DumpSvc.exe", "*\cachedump64.exe", "*\cachedump.exe", "*\pstgdump.exe", "*\servpw.exe", "*\servpw64.exe", "*\pwdump.exe", "*\procdump64.exe"] -user IN EXCLUDED_USERS
    

LP_Credential Dumping - Process Creation

  • Trigger Condition: An adversary attempts to dump credentials for obtaining account login and credential material using different commands like ntdsutil, procdump, wce, or gsecdump, in the form of a hash or a clear text password from operating systems and software.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command in ["*Invoke-Mimikatz -DumpCreds*", "*gsecdump -a*", "*wce -o*", "*procdump -ma lsass.exe", "*ntdsutil*ac i ntds*ifm*create full*"]) -user IN EXCLUDED_USERS
    

LP_Credential Dumping - Process Access

  • Trigger Condition: An adversary attempts to dump credentials for obtaining account login and credential material using different commands like ntdsutil, procdump, wce, or gsecdump, in the form of a hash or a clear text password from operating systems and software.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=10 target_image="*C:\Windows\system32\lsass.exe" (access="*0x1010*" or access="*0x1410*" or access="*0x147a*" or access="*0x143a*") call_trace="*C:\Windows\SYSTEM32\ntdll.dll" or call_trace="*C:\Windows\system32\KERNELBASE.dll" or call_trace="*|UNKNOWN(*)" -user IN EXCLUDED_USERS
    

LP_Credential Dumping - Registry

  • Trigger Condition: Adversary attempts to dump credentials for obtaining account login and credential material exploiting registries, generally in the form of a hash or a clear text password from operating systems and software using different commands like ntdsutil, procdump, wce, or gsecdump.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) image!="*C:\WINDOWS\system32\lsass.exe" (target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider\*" or target_object="*\SYSTEM\CurrentControlSet\Control\Lsa\*" or target_object="*\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders\*" or target_object="*\Control\SecurityProviders\WDigest\*") target_object!="*\Lsa\RestrictRemoteSamEventThrottlingWindow" -user IN EXCLUDED_USERS
    

LP_Credential Dumping - Registry Save

  • Trigger Condition: Adversary attempts to dump credentials for obtaining account login and credential material exploiting registries, generally in the form of a hash or a clear text password from operating systems and software using different commands like ntdsutil, procdump, wce, or gsecdump.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*reg.exe" (command="*save*HKLM\sam*" or command="*save*HKLM\system*") -user IN EXCLUDED_USERS
    

LP_Credential Dumping with ImageLoad Detected

  • Trigger Condition: Adversaries dump credentials to obtain account login and credential material using dll images.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003, T1003.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 (image="*C:\Windows\System32\samlib.dll*" or image="*C:\Windows\System32\WinSCard.dll*" or image="*C:\Windows\System32\cryptdll.dll*" or image="*C:\Windows\System32\hid.dll*" or image="*C:\Windows\System32\vaultcli.dll*") (image!="*\Sysmon.exe" or image!="*\svchost.exe" or image!="*\logonui.exe") -user IN EXCLUDED_USERS
    

LP_Credentials Access in Files Detected

  • Trigger Condition: Adversaries searching for files containing insecurely stored credentials in local file systems and remote file shares are detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Unsecured Credentials, Credentials in Files

  • ATT&CK ID: T1552, T1552.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*findstr* /si pass*" or command="*select-string -Pattern pass*" or command="*list vdir*/text:password*") -user IN EXCLUDED_USERS
    

LP_Credentials Dumping Tools Accessing LSASS Memory

  • Trigger Condition: A process accessing LSASS memory, which is typical for credentials dumping tools, is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping, LSASS Memory

  • ATT&CK ID: T1003, T1003.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=10 image="*\lsass.exe" access IN ["*0x40*", "*0x1000*", "*0x1400*", "*0x100000*", "*0x1410*", "*0x1010*", "*0x1438*", "*0x143a*", "*0x1418*", "*0x1f0fff*", "*0x1f1fff*", "*0x1f2fff*", "*0x1f3fff*"] -"process" IN ["*\wmiprvse.exe", "*\taskmgr.exe", "*\procexp64.exe", "*\procexp.exe", "*\lsm.exe", "*\csrss.exe", "*\wininit.exe", "*\vmtoolsd.exe"] -user IN EXCLUDED_USERS
    

LP_Credentials in Registry Detected

  • Trigger Condition: Adversaries search registry of compromised systems to obtain insecurely stored credentials.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Unsecured Credentials, Credentials in Registry

  • ATT&CK ID: T1552, T1552.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*reg query HKLM \/f password \/t REG_SZ \/s*" or command="*reg query HKCU \/f password \/t REG_SZ \/s*" or command="*Get-UnattendedInstallFile*" or command="*Get-Webconfig*" or command="*Get-ApplicationHost*" or command="*Get-SiteListPassword*" or command="*Get-CachedGPPPassword*" or command="*Get-RegistryAutoLogon*") -user IN EXCLUDED_USERS
    

LP_Curl Start Combination Detected

  • Trigger Condition: Adversaries attempt to use curl to download payloads remotely and execute them. Windows 10 build 17063 and later includes Curl by default.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution

  • ATT&CK ID: T1218

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*curl* start *" -user IN EXCLUDED_USERS
    

LP_CVE-2019-0708 RDP RCE Vulnerability Detected

  • Trigger Condition: The use of a scanner by zerosum 0x0 discovers targets vulnerable to CVE-2019-0708 RDP RCE known as BlueKeep.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Exploitation of Remote Services

  • ATT&CK ID: T1210

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4625 user="AAAAAAA" -user IN EXCLUDED_USERS
    

LP_Data Compression Detected in Windows

  • Trigger Condition: Adversary compresses and/or encrypt data that is collected before exfiltration is detected using PowerShell or RAR.

  • ATT&CK Category: Collection

  • ATT&CK Tag: Archive Collected Data

  • ATT&CK ID: T1560

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*powershell.exe" command="*-Recurse Compress-Archive*") or (image="*rar.exe" command="*rar*a*") -user IN EXCLUDED_USERS
    

LP_Data Staging Process Detected in Windows

  • Trigger Condition: Adversaries attempt to stage collected data in a central location or directory before exfiltration is detected.

  • ATT&CK Category: Collection

  • ATT&CK Tag: Data Staged

  • ATT&CK ID: T1074

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((command="*DownloadString" command="*Net.WebClient*") or (command="*New-Object" command="*IEX*")) -user IN EXCLUDED_USERS
    

LP_Default Accepted Traffic From Bad IP

  • Trigger Condition: A connection is allowed from known bad IP. For this alert to work, you must update the list ALERT_BAD_IP.

  • ATT&CK Category: Command and Control, Initial Access

  • ATT&CK Tag: Proxy, External Remote Services

  • ATT&CK ID: T1090, T1133

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection label=Allow source_address IN ALERT_BAD_IP
    

LP_Default Account Created but Password Not Changed

  • Trigger Condition: Creation of a new account with a default password and the password is not changed within 24 hours, is detected.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts, Account Manipulation, Create Account

  • ATT&CK ID: T1078, T1098, T1136

  • Minimum Log Source Requirement: Windows

  • Query:

    [label=User label=Create label=Account] as s1 left join [label=User label=Password (label=Change OR label=Reset)] as s2 on s1.target_user=s2.user | search -s2.user=* | rename s1.target_user as User, s1.log_ts as UserCreated_ts | process current_time(a) as time_ts | chart max((time_ts - UserCreated_ts)/60/60) as Duration by User, UserCreated_ts | search Duration>24
    

LP_Default Account privilege elevation followed by restoration of previous account state

  • Trigger Condition: A user is added to a group or assigned privilege followed by restoration or removal from those rights.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Account Manipulation, Exploitation for Privilege Escalation

  • ATT&CK ID: T1098, T1068

  • Minimum Log Source Requirement: Windows

  • Query:

    [label=User label=Group label=Management label=Add | rename target_user as account]as s1 followed by [ label=User label=Group (label=Remove or label=Delete) -target_user=*$ | rename target_user as account] as s2 on s1.account=s2.account | rename s1.log_ts as ElevationTime_ts, s2.log_ts as RestorationTime_ts, s1.user as UserElevation, s2.user as UserRestoration, s1.account as Account, s1.message as PrivilegeElevation, s2.message as PrivilegeRestoration
    

LP_Default Audit Policy Changed

  • Trigger Condition: An audit policy is changed in the system.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Domain Policy Modification, Group Policy Modification

  • ATT&CK ID: T1484, T1484.001

  • Minimum Log Source Requirement: Windows

  • Query:

    label=Audit label=Policy label=Change
    

LP_Default Blocked Inbound Traffic followed by Allowed Event

  • Trigger Condition: Blocked inbound traffic followed by allowed traffic is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    [norm_id=*firewall or norm_id=*IDS label=Block or label=Deny label=Connection -source_address IN HOMENET destination_address IN HOMENET] as s1 followed by [norm_id=*firewall label=Allow label=Connection -source_address IN HOMENET destination_address IN HOMENET] as s2 on s1.source_address=s2.source_address | rename s1.source_address as source
    

LP_Default Blocked Outbound Traffic followed by Allowed Event

  • Trigger Condition: Blocked outbound traffic followed by allowed traffic is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    [norm_id=*firewall or norm_id=*IDS label=Block or label=Deny label=Connection source_address IN HOMENET -destination_address IN HOMENET] as s1 followed by [norm_id=*firewall label=Allow label=Connection source_address IN HOMENET -destination_address IN HOMENET]
    as s2 on s1.source_address=s2.source_address | rename s1.source_address as source
    

LP_Default Brute Force Attack Attempt - Multiple Unique Sources

  • Trigger Condition: Failed login attempts from the same user using multiple sources. The default value for multiple unique sources is five.

  • ATT&CK Category: Credential Access, Privilege Escalation, Defense Evasion

  • ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts

  • ATT&CK ID: T1110, T1187, T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    label=User label=Login label=Fail | rename target_user as user | chart distinct_count(source_address) as DC by user | search DC>5
    

LP_Default Brute Force Attack Attempt - Multiple Unique Users

  • Trigger Condition: Multiple user authentication fails from the same source within ten minutes. The default value for unique multiple users is five.

  • ATT&CK Category: Credential Access, Initial Access, Persistence, Privilege Escalation, Defense Evasion

  • ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts

  • ATT&CK ID: T1110, T1187, T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    label=User label=Login label=Fail source_address=* -target_user=*$| rename target_user as user | chart distinct_count(user) as DC by source_address | search DC>5
    

LP_Default Brute Force Attack Successful

  • Trigger Condition: Five failed users login attempts followed by a successful login from the same user within five minutes is detected.

  • ATT&CK Category: Credential Access, Initial Access, Persistence, Privilege Escalation, Defense Evasion

  • ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts

  • ATT&CK ID: T1110, T1187, T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    [label=User label=Login label=Fail -target_user=*$ | rename target_user as user | chart count() as cnt by user | search cnt > 5 ] as s1 followed by [label=User label=Login label=Successful | rename target_user as user] as s2 on s1.user = s2.user | rename s2.user as User
    

LP_Default Configuration Change on Security Device

  • Trigger Condition: A user other than admins makes specific changes in a core security event source. For this alert to work, you must update the following list:

    • ADMINS, the list for admin users.

    • SECURITY_DEVICES, the list for IDS, IPS, Firewall, and VPN device name.

  • ATT&CK Category: Persistence, Credential Access, Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Domain Policy Modification, Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control

  • ATT&CK ID: T1484, T1098, T1548

  • Minimum Log Source Requirement: Windows

  • Query:

    -user IN ADMINS (label=Policy OR label=Configuration) AND (label=Change OR label=Remove OR label=Reset OR label=Modify OR label=Add OR label=Delete OR label=Set) device_name IN SECURITY_DEVICES
    

LP_Default Connection Attempts on Closed Port

  • Trigger Condition: A connection is established on closed ports. For the alert to work, you must update the list ALERT_OPEN_PORTS, which includes a list of open ports.

  • ATT&CK Category: Command And Control, Persistence, Privilege Escalation

  • ATT&CK Tag: Traffic Signaling, Port Knocking

  • ATT&CK ID: T1205, T1205.001

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection -destination_port IN ALERT_OPEN_PORTS source_address=* destination_port=*
    

LP_Default CPU Usage Status

  • Trigger Condition: The use of CPU exceeds 90%.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: LogPoint

  • Query:

    label=Metrics label=CPU label=Usage use>90
    

LP_Default Device Stopped Sending Logs for Half an Hour

  • Trigger Condition: A device has not sent logs for more than half an hour. You can customize the time according to your need.

  • ATT&CK Category: Impact, Defense Evasion

  • ATT&CK Tag: Service Stop, Data Destruction, Indicator Removal on Host

  • ATT&CK ID: T1489, T1485, T1070

  • Minimum Log Source Requirement: All the log sources

  • Query:

    | chart max(col_ts) as max_time_ts by device_ip | process current_time(a) as time | chart max(time-max_time_ts) as elapsed_time by max_time_ts, device_ip | search elapsed_time>1800
    

LP_Default DNS Tunneling Detection - Data Transfer Size

  • Trigger Condition: The size of data transmitted using the Application Layer Protocol and DNS port is greater than 10MB in five minutes.

  • ATT&CK Category: Command and Control, Exfiltration

  • ATT&CK Tag: Application Layer Protocol, DNS, Data Transfer Size Limits

  • ATT&CK ID: T1071, T1071.004, T1030

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    destination_port=53 source_address IN HOMENET -destination_address IN HOMENET | chart sum(datasize) as DNSBYTES by source_address | search DNSBYTES > 10000000
    

LP_Default DNS Tunneling Detection - Multiple domains

  • Trigger Condition: A source address with queries for more than 50 domains are detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms, Proxy, Domain Fronting

  • ATT&CK ID: T1071, T1071.004, T1568, T1568.002, T1090, T1090.004

  • Minimum Log Source Requirement: Webserver, Firewall

  • Query:

    norm_id=* (url=* OR domain=*) | process domain(url) as domain | chart distinct_count(domain) as DomainCount by source_address | search DomainCount > 50
    

LP_Default DNS Tunneling Detection - Multiple Subdomains

  • Trigger Condition: Domains with more than ten subdomains from a single source address are detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms, Proxy, Domain Fronting

  • ATT&CK ID: T1071, T1071.004, T1568, T1568.002, T1090, T1090.004

  • Minimum Log Source Requirement: Webserver, Firewall

  • Query:

    norm_id=* (url=* OR domain=*) | process domain(url) as domain | norm on domain <subdomain:.*><:'\.'><main_domain:'[a-z0-9]+.\w{3}'> | search subdomain=* | chart distinct_count(subdomain) as uniqueSubdomain by main_domain, source_address |search uniqueSubdomain>10
    

LP_Default DNS Tunneling Detection - Query Size

  • Trigger Condition: Traffic with more than 64 characters in Application Layer Protocol and DNS is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms

  • ATT&CK ID: T1071,T1071.004,T1568,T1568.002

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver, DNS Server

  • Query:

    norm_id=* "DNS" qname=* | process count_char(qname) as charCount | search charCount>64
    

LP_Default Excessive Authentication Failures

  • Trigger Condition: More than 100 authentication failures of a user within ten minutes is detected.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access

  • ATT&CK Tag: Valid Accounts, Brute Force

  • ATT&CK ID: T1078, T1110

  • Minimum Log Source Requirement: Windows

  • Query:

    label=Fail label=Authentication -user=*$| chart count() as cnt by user | search cnt>100
    

LP_Default Excessive Blocked Connections

  • Trigger Condition: 50 blocked or denied connections are observed from the same source within a minute.

  • ATT&CK Category: Impact, Command and Control

  • ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy

  • ATT&CK ID: T1498, T1499, T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    [50 label=Connection (label=Deny OR label=Block) source_address=* having same source_address within 1 minute]
    

LP_Default Excessive HTTP Errors

  • Trigger Condition: 20 or more unique HTTP errors are detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service

  • ATT&CK ID: T1498

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* status_code IN HTTP_ERROR | chart distinct_count(status_code) as cnt by host, source_address, norm_id | search cnt>20
    

LP_Default File Association Changed

  • Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by a file type association.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Event Triggered Execution, Change Default File Association

  • ATT&CK ID: T1546, T1546.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Classes\*" or target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\GlobalAssocChangedCounter*") -user IN EXCLUDED_USERS
    

LP_Default Guest Account Added to Administrative Group

  • Trigger Condition: A guest account is added to security group management.

  • ATT&CK Category: Credential Access, Persistence, Privilege Escalation, Defense Evasion, Initial Access

  • ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Valid Accounts

  • ATT&CK ID: T1098, T1548, T1548.002, T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    label=Security label=Group label=Management label=Add (member_sid="S-1-5-21-*-501" OR target_id="S-1-5-21-*-501") | rename target_user as member, group as group_name
    

LP_Default High Unique DNS Traffic

  • Trigger Condition: Application Layer Protocol and DNS traffic event greater than 50 is detected.

  • ATT&CK Category: Command And Control

  • ATT&CK Tag: Application Layer Protocol, DNS

  • ATT&CK ID: T1071, T1071.004

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    destination_port=53 source_address=* | chart count() as Event by source_address | search Event>50
    

LP_Default High Unique SMTP Traffic

  • Trigger Condition: More than 50 SMTP traffics from the same source within a minute is detected.

  • ATT&CK Category: Command And Control

  • ATT&CK Tag: Application Layer Protocol, Mail Protocols

  • ATT&CK ID: T1071, T1071.003

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    source_address=* destination_port=25 | chart count() as Event by source_address | search Event>50
    

LP_Default High Unique Web-Server traffic

  • Trigger Condition: More than 50 web server traffics from the same source within a minute is detected.

  • ATT&CK Category: Command And Control

  • ATT&CK Tag: Application Layer Protocol, Web Protocols

  • ATT&CK ID: T1071, T1071.001

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    source_address=* destination_port=80 | chart count() as Event by source_address | search Event>50
    

LP_Default Inbound Connection with Non-Whitelist Country

  • Trigger Condition: An inbound connection established with a non-whitelisted country is detected. For this alert to work, you must update the list WHITELIST_COUNTRY.

  • ATT&CK Category: Command And Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    -source_address IN HOMENET destination_address IN HOMENET | process geoip(source_address) as country | search -country IN WHITELIST_COUNTRY
    

LP_Default Inbound Queries Denied by Firewalls

  • Trigger Condition: A firewall denies more than 100 inbound connections within five minutes.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service

  • ATT&CK ID: T1498

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection label=Deny -source_address IN HOMENET destination_address in HOMENET | chart count() as Event by source_address, destination_address | search Event>100
    

LP_Default Inbound RDP Connection

  • Trigger Condition: Inbound RDP traffic events on destination port 3389 is detected.

  • ATT&CK Category: Lateral Movement, Command And Control

  • ATT&CK Tag: Remote Services, Application Layer Protocol

  • ATT&CK ID: T1021, T1071

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=3389
    

LP_Default Inbound SMB Connection

  • Trigger Condition: Inbound SMB traffic events on destination port 445 is detected.

  • ATT&CK Category: Lateral Movement, Command And Control

  • ATT&CK Tag: Application Layer Protocol

  • ATT&CK ID: T1071

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=445
    

LP_Default Inbound SMTP Connection

  • Trigger Condition: Inbound SMTP traffic event on destination ports 25, 456, 587, 2525, and 2526 is detected.

  • ATT&CK Category: Command And Control

  • ATT&CK Tag: Application Layer Protocol

  • ATT&CK ID: T1071

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port in [25,465,587,2525,2526]
    

LP_Default Inbound SSH Connection

  • Trigger Condition: Inbound Remote Services SSH traffic event on destination port 22 is detected.

  • ATT&CK Category: Lateral Movement, Command and Control

  • ATT&CK Tag: Remote Services, Application Layer Protocol

  • ATT&CK ID: T1021, T1071

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=22
    

LP_Default Internal Attack

  • Trigger Condition: More than ten attack patterns from a home network are detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

  • ATT&CK ID: T1498, T1499

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Attack -label=Deny source_address IN HOMENET | chart count() as Event by source_address, destination_address | search Event>10
    

LP_Default Internal Virus Worm Outburst

  • Trigger Condition: Ten or more viruses in a host is detected within an hour.

  • ATT&CK Category: Impact, Defense Evasion

  • ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

  • ATT&CK ID: T1021, T1071

  • Minimum Log Source Requirement: Antivirus

  • Query:

    (label=Worm OR label=Virus OR label=Malware) source_address IN HOMENET malware=* | chart distinct_count(malware) as Virus by source_address | search Virus>10
    

LP_Default IRC connection

  • Trigger Condition: The IRC connection is detected. For this alert to work, you must update ALERT_IRC_PORT list with possible IRC ports.

  • ATT&CK Category: Command and Control, Discovery

  • ATT&CK Tag: Proxy, Network Service Scanning

  • ATT&CK ID: T1090, T1046

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    (destination_port IN ALERT_IRC_PORT OR destination_port=6667)
    

LP_Default Malware Detected

  • Trigger Condition: A malware or a virus is detected in the system.

  • ATT&CK Category: Resource Development

  • ATT&CK Tag: Develop Capabilities, Malware

  • ATT&CK ID: T1587, T1587.001

  • Minimum Log Source Requirement: Antivirus

  • Query:

    (label=Virus OR label=Malware ) (label=Detect OR label=Find) (virus=* OR malware=* OR file=* OR path=*) | rename malware as virus
    

LP_Default Malware Detected in Various Machines

  • Trigger Condition: The same malware or virus is detected on multiple hosts.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery, Impair Defenses,Impair Defenses, Disable or Modify Tools

  • ATT&CK ID: T1046, T1211, T1518, T1518.001, T1562, T1562.001

  • Minimum Log Source Requirement: Antivirus

  • Query:

    (label=Virus OR label=Malware ) (label=Detect OR label=Find) source_address=* malware=* | chart distinct_count(source_address) as Event by malware | search Event>1
    

LP_Default Malware not Cleaned

  • Trigger Condition: A malware clean events including deletion, removal, and quarantine, is followed by detecting the same malware in the same host.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning,Exploitation for Defense Evasion,Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Antivirus

  • Query:

    norm_id=* malware=* action IN ["*delete*", "*remove*", "*quarantine*"] ] as s1 followed by [norm_id=* malware=* source_address=*] as s2 on s1.malware=s2.malware | process compare(s1.source_address, s2.source_address) as match | search match=true | rename s1.source_address as source_address, s1.malware as malware
    

LP_Default Malware Removed

  • Trigger Condition: Removal of malware or a virus from the system is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indicator Removal on Host, Obfuscated Files or Information, Indicator Removal from Tools

  • ATT&CK ID: T1070, T1027, T1027.005

  • Minimum Log Source Requirement: Antivirus

  • Query:

    (label=Virus OR label=Malware ) (label=Remove OR label=Clean OR label=Delete) -label="Not" -label=Error | rename malware as virus | search virus=*
    

LP_Default Memory Usage Status

  • Trigger Condition: The memory usage exceeds 90% of the total memory available.

  • ATT&CK Category: Collection

  • ATT&CK Tag: Automated Collection

  • ATT&CK ID: T1119

  • Minimum Log Source Requirement: LogPoint

  • Query:

    label=Metrics label=Memory label=Usage use>90
    

LP_Default Network Configuration Change on Network Device

  • Trigger Condition: A change in the core network event source, such as a router or switch, is detected.

  • ATT&CK Category: Persistence, Credential Access, Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Modify Existing Service, Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Impair Defenses, Indicator Blocking, Modify Registry, Exploitation for Privilege Escalation

  • ATT&CK ID: T1098, T1548, T1562, T1562.006, T1112, T1068

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Network label=Configuration (label=Change OR label=Modify OR label=Reset OR label=Enable OR label=Disable OR label=Add or label=Delete or label=Undelete)
    

LP_Default Outbound Connection with Non-Whitelist Country

  • Trigger Condition: Outbound connections with non-whitelisted countries are detected. For this alert to work, you must update the list WHITELIST_COUNTRY.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    source_address IN HOMENET -destination_address IN HOMENET | process geoip(destination_address) as country | search -country IN WHITELIST_COUNTRY
    

LP_Default Outbound Traffic from Unusual Source

  • Trigger Condition: Outbound traffic is detected from an unusual source. For this alert to work, you must update the list ALERT_UNUSUAL_SOURCE with source addresses from which outbound connections are not established.

  • ATT&CK Category: Command and Control, Exfiltration

  • ATT&CK Tag: Proxy, Automated Exfiltration, Exfiltration Over C2 Channel

  • ATT&CK ID: T1090, T1020, T1041

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    source_address IN ALERT_UNUSUAL_SOURCE source_address IN HOMENET (label=Traffic OR label=Connection) -destination_address IN HOMENET
    

LP_Default Port Scan Detected

  • Trigger Condition: A source hits a destination on 50 different ports in five minutes.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    destination_port=* | chart distinct_count(destination_port) as CNT by source_address, destination_address | search CNT>50
    

LP_Default Possible Cross Site Scripting Attack Detected

  • Trigger Condition: The script tag indicating the XSS attack is detected in the URL.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Exploiting Public-Facing Application

  • ATT&CK ID: T1190

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* url IN ["*<script>*", "*%3c%73%63%72%69%70%74%3e*", "*%3cscript%3e*"] or resource IN ["*<script>*", "*%3c%73%63%72%69%70%74%3e*", "*%3cscript%3e*"] | rename resource as url
    

LP_Default Possible Network Performance Degradation Detected

  • Trigger Condition: 100 or more network-related errors are detected in security devices within five minutes.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service

  • ATT&CK ID: T1498

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    norm_id=* ((label=Connection (label=Error or label=Fail or label=Deny or label=Drop)) or (label="Limit" label=Exceed) or (label=Packet label=Drop) or (label=Protocol label=Deny)) | chart count() as Event by device_ip, norm_id | search Event>1000
    

LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected

  • Trigger Condition: An inbound connection is detected in secure devices over non-compliant ports as specified by PCI compliance practices. For this alert to work, you must update the list NON_PCI_COMPLIANT_PORT.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Inbound label=Connection destination_port IN NON_PCI_COMPLIANT_PORT -source_address IN HOMENET
    

LP_Default Possible Spamming Zombie

  • Trigger Condition: Systems other than mail servers attempt to establish an outbound SMTP connection is detected. For this alert to work, you must update the list MAIL_SERVERS with possible mail servers to remove false positives. For example, exchange, postfix, and so on.

  • ATT&CK Category: Command and Control, Impact

  • ATT&CK Tag: Proxy, Application Layer Protocol, Network Denial of Service

  • ATT&CK ID: T1090, T1071, T1498

  • Minimum Log Source Requirement: All except Mail Server

  • Query:

    -norm_id IN MAIL_SERVERS destination_port IN ["25", "587"]
    

LP_Default Possible SQL Injection Attack

  • Trigger Condition: SQL character injection in the input field of a web application is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Exploit Public-Facing Application

  • ATT&CK ID: T1190

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* url IN SQL_INJECTION_CHARACTER or resource IN SQL_INJECTION_CHARACTER | rename resource as url
    

LP_Default Possible System Instability State Detected

  • Trigger Condition: The instability of a system is detected. For example, a system shut down or restarts more than five times within ten minutes. A correlation rule is designed to detect if a system has become unstable.

  • ATT&CK Category: Impact

  • ATT&CK Tag: System Shutdown/Reboot

  • ATT&CK ID: T1529

  • Minimum Log Source Requirement: OS

  • Query:

    [5 (-label=Require -label=Request -label=Reply) (label=Restart OR label=Shutdown OR label=Boot) having same device_ip within 10 minutes]
    

LP_Default PowerSploit and Empire Schtasks Persistence

  • Trigger Condition: Creation of a schtask via PowerSploit or Empire Default Configuration is detected.

  • ATT&CK Category: Execution, Persistence, Privilege Escalation

  • ATT&CK Tag: Scheduled Task/Job, Scheduled Task,Command and Scripting Interpreter, PowerShell + ATT&CK ID: T1053, T1053.005, T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image IN ["*\powershell.exe"] command IN ["*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*"] -user IN EXCLUDED_USERS
    

LP_Default Rate of Successful User Account Logins

  • Trigger Condition: The alert notifies the rate of successful user login.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts, Account Manipulation

  • ATT&CK ID: T1078, T1098

  • Minimum Log Source Requirement: Windows

  • Query:

    label=Login label=Successful -target_user=*$ source_address=* log_ts=* | rename target_user as user | chart count() as CNT, min(log_ts) as ST, max(log_ts) as ET by user, source_address | search CNT>10 | chart max((ET-ST)/CNT/60) as RateOfLogin by user, source_address, CNT order by RateOfLogin Asc
    

LP_Default Successful Login outside Normal Hour

  • Trigger Condition: Successful user login beyond regular office hour is detected. You can adjust the regular work hour according to your company.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    label=Login label=Successful target_user=* ((day_of_week(log_ts)=2 OR day_of_week(log_ts)=3 OR day_of_week(log_ts)=4 OR day_of_week(log_ts)=5 OR day_of_week(log_ts)=6) (hour(log_ts)>0 hour(log_ts)<9) OR hour(log_ts)>17) OR (day_of_week(log_ts) IN [1, 7]) | rename target_user as user
    

LP_Default Successful Login Using a Default Account

  • Trigger Condition: Successful login attempts using a vendor default account is detected. The alert is essential for those organizations employing Payment Card Industry (PCI) Compliance.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts, Default Accounts

  • ATT&CK ID: T1078, T1078.001

  • Minimum Log Source Requirement: Windows

  • Query:

    label=User label=Login label=Successful (target_user=* OR user=*) (target_user IN DEFAULT_USERS OR user IN DEFAULT_USERS) | rename target_user as user
    

LP_Default Suspicious DNS Queries with Higher Data Size

  • Trigger Condition: DNS queries having data size greater than 2K signaling exfiltration of data via DNS.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

  • ATT&CK ID: T1048, T1048.003

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    datasize=* destination_port=53 datasize>2000
    

LP_Default System Time Change

  • Trigger Condition: The system time is changed or when LogPoint command /opt/immune/installed/system/root_actions/*_ntp.sh is executed.

  • ATT&CK Category: Persistence, Impact

  • ATT&CK Tag: Modify Existing Service, Data Destruction

  • ATT&CK ID: T1485

  • Minimum Log Source Requirement: Windows

  • Query:

    (label=System label=Time label=Change) OR (label=Execute label=Command command="/opt/immune/installed/system/root_actions/*_ntp.sh")
    

LP_Default TCP Port Scan

  • Trigger Condition: 100 or more different TCP port sweep events are detected within five minutes from external sources.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection label=Traffic -source_address IN HOMENET destination_address IN HOMENET protocol=TCP | chart distinct_count(destination_port) as DistinctPort by source_address, destination_address order by DistinctPort desc | search DistinctPort>100
    

LP_Default TCP Probable SynFlood Attack

  • Trigger Condition: Security devices detect ten TCP Syn flood events within a minute.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Endpoint Denial of Service

  • ATT&CK ID: T1499

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    [10 TCP SYN having same source_address within 1 minute]
    

LP_Default UDP Port Scan

  • Trigger Condition: 100 or more different UDP port sweep events are detected within five minutes from an external source.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection label=Traffic -source_address IN HOMENET destination_address IN HOMENET protocol=UDP |
    chart distinct_count(destination_port) as DistinctPort by source_address, destination_address order by
    DistinctPort desc | search DistinctPort>100
    

LP_Default Unapproved Port Activity Detected

  • Trigger Condition: A user uses unapproved ports.

  • ATT&CK Category: Defense Evasion, Persistence, Command And Control

  • ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors, Traffic Signaling, Port Knocking

  • ATT&CK ID: T1547, T1547.01, T1205, T1205.001

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* source_port IN UNAPPROVED_PORT or destination_port IN UNAPPROVED_PORT or port IN UNAPPROVED_PORT | rename source_port as port, destination_port as port
    

LP_Default Unusual Number of Failed Vendor User Login

  • Trigger Condition: Failed user logins using default credentials for more than ten times are detected. For this alert to work, you must update the list DEFAULT_USERS with default vendor user names.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts, Default Accounts

  • ATT&CK ID: T1078, T1078.001

  • Minimum Log Source Requirement: Windows

  • Query:

    label=User label=Login label=Fail (target_user=* OR user=*) (target_user IN DEFAULT_USERS OR user IN DEFAULT_USERS) |rename target_user as user | chart count() as Event by user, source_address | search Event>10
    

LP_Detection of PowerShell Execution via DLL

  • Trigger Condition: Command and Scripting Interpreter, PowerShell strings applied to rundllas observed in PowerShdll.dll is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*\rundll32.exe" OR message="*Windows-Hostprozess (Rundll32)*") command IN ["*Default.GetString*", "*FromBase64String*"] -user IN EXCLUDED_USERS
    

LP_Devtoolslauncher Executes Specified Binary

  • Trigger Condition: Adversaries bypass the process and/or signature-based defenses by proxying execution of malicious content with signed binaries using devtoolslauncher, which is a part of VS or VScode installation, and LaunchForDeploy command.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution

  • ATT&CK ID: T1218

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\devtoolslauncher.exe" command="*LaunchForDeploy*" -user IN EXCLUDED_USERS
    

LP_DHCP Callout DLL Installation Detected

  • Trigger Condition: Installation of a Callout DLL via CalloutDlls and CalloutEnabled parameters in the registry, used to execute code in the context of the DHCP server is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Modify Registry

  • ATT&CK ID: T1574, T1574.002, T1112

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=13 target_object IN ["*\Services\DHCPServer\Parameters\CalloutDlls", "*\Services\DHCPServer\Parameters\CalloutEnabled"] -user IN EXCLUDED_USERS
    

LP_DHCP Server Error Failed Loading the CallOut DLL

  • Trigger Condition: DHCP server error in which a specified Callout DLL in registry cannot be loaded.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

  • ATT&CK ID: T1574, T1574.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WinServer event_id IN ["1031", "1032", "1034"] event_source="Microsoft-Windows-DHCP-Server" -user IN EXCLUDED_USERS
    

LP_DHCP Server Loaded the CallOut DLL

  • Trigger Condition: A DHCP server loads callout DLL in the registry. The alert has been translated from its corresponding sigma rule. For more information, you can check the sigma rule.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

  • ATT&CK ID: T1574, T1574.002

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=1033 -user IN EXCLUDED_USERS
    

LP_Direct Autorun Keys Modification Detected

  • Trigger Condition: Direct modification of autostart extensibility point (ASEP) in the registry using reg.exe is detected. Adversaries achieve persistence by adding a program to a startup folder or referencing it with a registry run key.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/tartup Folder

  • ATT&CK ID: T1547, T1547.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command="*add*" command IN ["*\software\Microsoft\Windows\CurrentVersion\Run*", "*\software\Microsoft\Windows\CurrentVersion\RunOnce*", "*\software\Microsoft\Windows\CurrentVersion\RunOnceEx*", "*\software\Microsoft\Windows\CurrentVersion\RunServices*", "*\software\Microsoft\Windows\CurrentVersion\RunServicesOnce*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*", "*\software\Microsoft\Windows NT\CurrentVersion\Windows*", "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*", "*\system\CurrentControlSet\Control\SafeBoot\AlternateShell*"] -user IN EXCLUDED_USERS
    

LP_Disable of ETW Trace Detected

  • Trigger Condition: A command that clears or disables the ETW trace log, indicating a logging evasion attempt by adversaries. Adversaries can cease the flow of logging temporarily or permanently without generating any additional event clear log entries from this method.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Indicator Blocking

  • ATT&CK ID: T1562.006

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((command="* cl */Trace*") OR (command="* clear-log */Trace*") OR (command="* sl* /e:false*") OR (command="* set-log* /e:false*") OR (command="*Remove-EtwTraceProvider*" command="*EventLog-Microsoft-Windows-WMI-Activity-Trace*" command="*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*") OR (command="*Set-EtwTraceProvider*" command="*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*" command="*EventLog-Microsoft-Windows-WMI-Activity-Trace*" command="*0x11*") OR (command="*logman update trace*" command="* --p *" command="* -ets *")) -user IN EXCLUDED_USERS
    

LP_MiniNt Registry Key Addition

  • Trigger Condition: The addition of a key MiniNt to the registry is detected. Windows Event Log service will stop the write events after reboot.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Disable or Modify Tools

  • ATT&CK ID: T1562, T1562.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="HKLM\SYSTEM\CurrentControlSet\Control\MiniNt" -user IN EXCLUDED_USERS
    

LP_Discovery of a System Time Detected

  • Trigger Condition: The use of various commands to query a system’s time is identified. The technique is used before executing a scheduled task or discovering the time zone of a target system.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Time Discovery

  • ATT&CK ID: T1124

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image IN ["*\net.exe", "*\net1.exe"] command="*time*") OR (image="*\w32tm.exe" command="*tz*") OR (image="*\powershell.exe" command="*Get-Date*")) -user IN EXCLUDED_USERS
    

LP_Discovery using Bloodhound Detected

  • Trigger Condition: Enumeration attempt by a user using the IPC$ share.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Owner/User Discovery

  • ATT&CK ID: T1033

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 service=ldap image IN ['*cmd.exe', '*powershell.exe', '*sharphound.exe'] -user IN EXCLUDED_USERS | chart count() as eventCount by host, service, image | search eventCount > 10
    

LP_Discovery via File and Directory Discovery Using Command Prompt

  • Trigger Condition: A file and directory enumerated, or searching of a specific location of a host or network share within a file system using command prompt is detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: File and Directory Discovery

  • ATT&CK ID: T1083

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4688 (commandline = "tree*" OR command = "tree*") -user IN EXCLUDED_USERS | rename commandline as command
    

LP_Discovery via Discovery via PowerSploit Recon Module Detected

  • Trigger Condition: Adversaries abuse Command and Script Interpreters to execute scripts via the PowerSploitReconnaissance module. For this alert to work, you must update the list POWERSPLOIT_RECON_MODULES.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4104 (scriptblocktext in POWERSPLOIT_RECON_MODULES OR script_block in POWERSPLOIT_RECON_MODULES) -user IN EXCLUDED_USERS | rename scriptblocktext as script_block
    

LP_DLL Load via LSASS Detected

  • Trigger Condition: A method to load DLL via the LSASS process using an undocumented registry key is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Boot or Logon Autostart Execution, LSASS Driver

  • ATT&CK ID: T1547, T1547.008

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id IN ["12", "13"] target_object IN ["*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*", "*\CurrentControlSet\Services\NTDS\LsaDbExtPt*"]
    

LP_DNS Exfiltration Tools Execution Detected

  • Trigger Condition: Execution of tools for Application Layer Protocol and DNS Exfiltration.

  • ATT&CK Category: Exfiltration

  • ATT&CK Tag: Exfiltration Over Alternative Protocol

  • ATT&CK ID: T1048

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*\iodine.exe" OR image="*\dnscat2*") -user IN EXCLUDED_USERS
    

LP_DNS Server Error Failed Loading the ServerLevelPluginDLL

  • Trigger Condition: Application Layer Protocol and DNS server error where a specified plugin DLL in the registry connot be loaded.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

  • ATT&CK ID: T1574, T1574.002

  • Minimum Log Source Requirement: DNS Server

  • Query:

    event_source="DNS Server" event_id IN ["150", "770"]
    

LP_DNS ServerLevelPluginDll Install

  • Trigger Condition: Installation of a plugin DLL via the ServerLevelPluginDll parameter in the registry used to execute code in Application Layer Protocol and DNS server.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

  • ATT&CK ID: T1574, T1574.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=13 target_object="*\services\DNS\Parameters\ServerLevelPluginDll") OR (event_id=1 command="dnscmd.exe /config /serverlevelplugindll *") -user IN EXCLUDED_USERS
    

LP_Domain Trust Discovery Detected

  • Trigger Condition: Adversaries gather information on domain trust relationships to identify lateral movement opportunities in Windows multi-domain or forest environments.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Domain Trust Discovery

  • ATT&CK ID: T1482

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\dsquery.exe" command="*-filter*" command="*trustedDomain*") OR (image="*\nltest.exe" command="*domain_trusts*")) -user IN EXCLUDED_USERS
    

LP_DoppelPaymer Ransomware Connection to Malicious Domains

  • Trigger Condition: Any connection to DoppelPaymer Double Extortion ransomware related domains is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* (url IN DOPPELPAYMENR_RANSOMWARE_DOMAINS OR domain IN DOPPELPAYMENR_RANSOMWARE_DOMAINS)
    

LP_DoppelPaymer Ransomware Exploitable Vulnerabilities Detected

  • Trigger Condition: Vulnerability management detects the presence of vulnerability linked to DoppelPaymer ransomware.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    norm_id=VulnerabilityManagement cve_id="*CVE-2019-19781*"
    

LP_DoppelPaymer Ransomware Infected Host Detected

  • Trigger Condition: DoppelPaymer Double Extortion ransomware-infected host is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Encrypted for Impact

  • ATT&CK ID: T1486

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

  • Query:

    host=* hash=* hash IN DOPPELPAYMER_RANSOMWARE_HASHES
    

LP_dotNET DLL Loaded Via Office Applications

  • Trigger Condition: Assembly of DLL loaded by the Office Product is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing, Spearphishing Attachment

  • ATT&CK ID: T1566, T1566.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image="*C:\Windows\assembly\\*" -user IN EXCLUDED_USERS
    

LP_DPAPI Domain Backup Key Extraction Detected

  • Trigger Condition: Tools extracting the LSA secret DPAPI domain backup key from Domain Controllers are detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows

  • Query:

    (norm_id=WinServer event_id=4662 object_type="SecretObject" access_mask="0x2" object_name="*BCKUPKEY") -user IN EXCLUDED_USERS
    

LP_DPAPI Domain Master Key Backup Attempt

  • Trigger Condition: An attempt to backup DPAPI master key is detected. The event is generated on the source and not on the Domain Controller.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4692 -user IN EXCLUDED_USERS
    

LP_DragonFly - File Upload with Trojan Karagany

  • Trigger Condition: Updation of a file with the use of Trojan Karagany is detected.

  • ATT&CK Category: Defense Evasion, Credential Access, Privilege Escalation

  • ATT&CK Tag: Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation for Privilege Escalation, Exploitation for Defense Evasion

  • ATT&CK ID: T1211, T1212, T1068, T1211

  • Minimum Log Source Requirement: -

  • Query:

    filename "identifiant"| norm on filename=<file:all>&identifiant | search file=*
    

LP_DragonFly - Malicious File Creation

  • Trigger Condition: Creation of a malicious file.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Integrity Scanner

  • Query:

    ("*TMPprovider*" OR "*sysmain*" OR "*sydmain*") OR (norm_id=IntegrityScanner file_path IN DRAGONFLY_MALICIOUS_FILES OR file_path IN DRAGONFLY_MALICIOUS_FOLDER OR registry IN DRAGONFLY_MALICIOUS_FILES) | rename registry as file_path | norm on file_path <path:.*>\<file:string> | process regex("(?P<file>(TMPprovider[0-9]{3}\.dll|sy[ds]main\.dll))", msg) | search file=*
    

LP_DragonFly - Watering Hole Sources

  • Trigger Condition: Dragonfly watering hole sources are detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Drive by Compromise

  • ATT&CK ID: T1189

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* url IN ["*script*iframe*", "*dwd", "*dwe", "*fnd", "*fne"] source_address=*
    

LP_Dridex Process Pattern Detected

  • Trigger Condition: A typical dridex process patterns are detected.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*\svchost.exe C:\Users\*\Desktop\*" OR (parent_image="*\svchost.exe*" command IN ["*whoami.exe /all", "*net.exe view"])) -user IN EXCLUDED_USERS
    

LP_Droppers Exploiting CVE-2017-11882 Detected

  • Trigger Condition: The exploitation using CVE-2017-11882 to start EQNEDT32.EXE and other sub-processes like mshta.exe are detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Exploitation for Defense Evasion

  • ATT&CK ID: T1211

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\EQNEDT32.EXE" -user IN EXCLUDED_USERS
    

LP_Drupal Arbitrary Code Execution Detected

  • Trigger Condition: The exploitation of arbitrary code execution vulnerability (CVE-2018-7600) in Drupal, is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Exploit Public-Facing Application

  • ATT&CK ID: T1190

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* label=Access request_method=POST resource='*ajax_form*drupal*ajax*'
    

LP_DTRACK Process Creation Detected

  • Trigger Condition: Specific process parameters, as seen in DTRACK infections are detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="* echo EEEE > *" -user IN EXCLUDED_USERS
    

LP_Elevated Command Prompt Activity by Non-Admin User Detected

  • Trigger Condition: The execution of an elevated command prompt by a non-admin user.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command-Line Interface

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4688 -user IN ADMINS "process"="*cmd.exe" token_elevation_type="*(2)*" -user IN EXCLUDED_USERS
    

LP_Elise Backdoor Detected

  • Trigger Condition: Elise backdoor activity used by APT32 is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control + ATT&CK ID: T1548

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\SysWOW64\cmd.exe" command="*\Windows\Caches\NavShExt.dll *") OR command="*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll, Setting") -user IN EXCLUDED_USERS
    

LP_EMC Possible Ransomware Detection

  • Trigger Condition: Suspicious data activity affecting more than 200 files or in-house baseline is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Encrypted for Impact, Data Destruction, Proxy

  • ATT&CK ID: T1486, T1485, T1090

  • Minimum Log Source Requirement: EMC

  • Query:

    label=EMC -"bytesWritten"="0" -"bytesWritten"="0x0" event="0x80" flag=0x2 userSid=*| chart count() as handle by userSid, clientIP | search handle>200
    

LP_Emissary Panda Malware SLLauncher Detected

  • Trigger Condition: The execution of DLL side-loading malware used by threat group Emissary Panda, also known as APT27 is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Exploitation for Defense Evasion

  • ATT&CK ID: T1211

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\sllauncher.exe" image="*\svchost.exe" -user IN EXCLUDED_USERS
    

LP_Emotet Process Creation Detected

  • Trigger Condition: Emotet like process executions that are not covered by the more generic rules are detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["* -e* PAA*", "*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*", "*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*", "*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*", "*IgAoACcAKgAnACkAOwAkA*",
    "*IAKAAnACoAJwApADsAJA*", "*iACgAJwAqACcAKQA7ACQA*", "*JABGAGwAeAByAGgAYwBmAGQ*"] -user IN EXCLUDED_USERS
    

LP_Empire PowerShell Launch Parameters

  • Trigger Condition: Suspicious PowerShell command line parameters used in Empire are detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["* -NoP -sta -NonI -W Hidden -Enc *", "* -noP -sta -w 1 -enc *", "* -NoP -NonI -W Hidden -enc *"] -user IN EXCLUDED_USERS
    

LP_Empire PowerShell UAC Bypass Detected

  • Trigger Condition: Empire Command and Scripting Interpreter and PowerShell UAC bypass methods are detected.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control

  • ATT&CK ID: T1548

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["* -NoP -NonI -w Hidden -c x =((gp HKCU:Software\Microsoft\Windows Update).Update)*", "* -NoP -NonI -c x =((gp HKCU:Software\Microsoft\Windows Update).Update)*"] -user IN EXCLUDED_USERS
    

LP_Enabled User Right in AD to Control User Objects

  • Trigger Condition: LogPoint detects a scenario where if a user is assigned the SeEnableDelegation Privilege right in Active Directory, thay will be allowed to control other Active Directory user’s objects.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4704 message="*SeEnableDelegationPrivilege*" -user IN EXCLUDED_USERS
    

LP_Encoded FromBase64String Detected

  • Trigger Condition: base64 encoded from the Base64String keyword in a process command line is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Deobfuscate/Decode Files or Information

  • ATT&CK ID: T1059, T1059.001, T1140

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*OjpGcm9tQmFzZTY0U3RyaW5n*", "*o6RnJvbUJhc2U2NFN0cmluZ*", "*6OkZyb21CYXNlNjRTdHJpbm*"] -user IN EXCLUDED_USERS
    

LP_Encoded IEX Detected

  • Trigger Condition: base64 encoded IEX command string in a process command line is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Deobfuscate/Decode Files or Information

  • ATT&CK ID: T1059, T1059.001, T1140

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*SUVYIChb*", "*lFWCAoW*", "*JRVggKF*", "*aWV4IChb*", "*lleCAoW*", "*pZXggKF*", "*aWV4IChOZX*", "*lleCAoTmV3*", "*pZXggKE5ld*", "*SUVYIChOZX*", "*lFWCAoTmV3*", "*JRVggKE5ld*"] -user IN EXCLUDED_USERS
    

LP_Encoded PowerShell Command Detected

  • Trigger Condition: Execution of encoded Command and Scripting Interpreter and PowerShell commands are detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*powershell.exe" command IN ["*-enc*", "*-ec*"] -user IN EXCLUDED_USERS
    

LP_Endpoint Protect Multiple Failed Login Attempt

  • Trigger Condition: A user fails to log in even after multiple attempts.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Exploitation for Credential Access, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Brute Force

  • ATT&CK ID: T1212, T1068, T1211, T1110

  • Minimum Log Source Requirement: EndPoint Protector

  • Query:

    norm_id=EndPointProtector label=User (label=Login OR label=Authentication) label= Fail user=* caller_user=* | chart count() as CNT by user, caller_user order by CNT desc | search "CNT">5
    

LP_Equation Group DLL_U Load Detected

  • Trigger Condition: A specific tool and export used by the EquationGroup is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Command-Line Interface, Signed Binary Proxy Execution, Rundll32

  • ATT&CK ID: T1059, T1218, T1218.011

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\rundll32.exe" command="*, dll_u") OR command="* -export dll_u *") -user IN EXCLUDED_USERS
    

LP_Eventlog Cleared Detected

  • Trigger Condition: One of the Windows Event logs has been cleared.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indicator Removal on Host

  • ATT&CK ID: T1070

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=104 event_source="Microsoft-Windows-Eventlog" -user IN EXCLUDED_USERS
    

LP_ExchangeMT Possible Data Theft - Email with Attachment Outside Organization

  • Trigger Condition: An email with attachment is sent to the receiver outside the organization domain.

  • ATT&CK Category: Exfiltration, Collection

  • ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

  • ATT&CK ID: T1041, T1114

  • Minimum Log Source Requirement: ExchangeMT

  • Query:

    norm_id=ExchangeMT -receiver IN HOME_DOMAIN datasize=* |chart sum(datasize/1000000) as "Emailsize(MB)" by sender |search "Emailsize(MB)">50
    

LP_ExchangeMT Unusual Outbound Email

  • Trigger Condition: 60 or more emails are sent from the same sender within an hour.

  • ATT&CK Category: Command and Control, Exfiltration, Collection

  • ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

  • ATT&CK ID: T1090, T1041, T1020, T1114

  • Minimum Log Source Requirement: ExchangeMT

  • Query:

    norm_id=ExchangeMT sender=* receiver=* -receiver in HOME_DOMAIN| chart count(receiver=*) as MailSent by sender | search MailSent>60
    

LP_Executables Stored in OneDrive

  • Trigger Condition: A user stores files that are executable in OneDrive.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Office365

  • Query:

    event_source=OneDrive source_file_extension IN EXECUTABLES | chart count() by user_id, source_address, source_file, source_file_extension, source_relative_url
    

LP_Execution in Non-Executable Folder Detected

  • Trigger Condition: Execution of a suspicious program from a different folder is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Office365

  • Query:

    norm_id=WindowsSysmon event_id=1 image IN ["*\$Recycle.bin", "*\Users\All Users\*", "*\Users\Default\*", "*\Users\Public\*", "C:\Perflogs\*", "*\config\systemprofile\*", "*\Windows\Fonts\*", "*\Windows\IME\*", "*\Windows\addins\*"] -user IN EXCLUDED_USERS
    

LP_Execution in Outlook Temp Folder Detected

  • Trigger Condition: Execution of a suspicious program in the Outlook’s temp folder is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing, Spearphishing Attachment

  • ATT&CK ID: T1566, T1566.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\Temporary Internet Files\Content.Outlook\*" -user IN EXCLUDED_USERS
    

LP_Execution in Webserver Root Folder Detected

  • Trigger Condition: Execution of a suspicious program in the Outlook’s temp folder is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing, Spearphishing Attachment

  • ATT&CK ID: T1566, T1566.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\Temporary Internet Files\Content.Outlook\*" -user IN EXCLUDED_USERS
    

LP_Execution of Renamed PaExec Detected

  • Trigger Condition: Execution of renamed paexec via imphash and executable product string is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 product IN ["*PAExec*"] hash_imphash IN ["11D40A7B7876288F919AB819CC2D9802", "6444f8a34e99b8f7d9647de66aabe516", "dfd6aa3f7b2b1035b76b718f1ddc689f", "1a6cca4d5460b1710a12dea39e4a592c"] -image="*paexec*" -user IN EXCLUDED_USERS
    

LP_Execution via Control Panel Items

  • Trigger Condition: Execution of binary via Signed Binary Proxy Execution, Control Panel items are detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

  • ATT&CK ID: T1218

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*control.exe" command="*control*cpl*" -user IN EXCLUDED_USERS
    

LP_Execution via HTA using IE JavaScript Engine Detected

  • Trigger Condition: HTA using Internet Explorer’s JavaScript engine is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 source_image="*mshta.exe" image="*jscript9.dll" -user IN EXCLUDED_USERS
    

LP_Execution via Squiblydoo Technique Detected

  • Trigger Condition: Execution of the Squiblydoo technique is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

  • ATT&CK ID: T1218, T1218.01

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 image="*scrobj.dll" -user IN EXCLUDED_USERS
    

LP_Execution via Windows Scripting Host Component Detected

  • Trigger Condition: Execution via Windows scripting host component is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 image in ["*wshom.ocs", "*scrrun.dll", "*vbscript.dll"] -user IN EXCLUDED_USERS
    

LP_Exfiltration and Tunneling Tools Execution

  • Trigger Condition: Execution of tools for data exfiltration and tunneling are detected.

  • ATT&CK Category: Exfiltration

  • ATT&CK Tag: Automated Exfiltration

  • ATT&CK ID: T1020

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 new_process IN ["*\plink.exe", "*\socat.exe", "*\stunnel.exe", "*\httptunnel.exe"] -user IN EXCLUDED_USERS
    

LP_Exim MTA Remote Code Execution Vulnerability Detected

  • Trigger Condition: Remote code execution vulnerability in Exim MTA is detected. The U.S. National Security Agency (NSA) reported that Russian military cyber actors, also known as Sandworm Team, have been actively exploiting a critical vulnerability in Exim MTA since August 2019.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    norm_id=VulnerabilityManagement cve_id="*CVE-2019-10149*"
    

LP_Exim Remote Command Execution Detected

  • Trigger Condition: Remote command execution in Exim is detected (CVE-2019-10149 is detected).

  • ATT&CK Category: Execution

  • ATT&CK Tag: Exploitation for Client Execution

  • ATT&CK ID: T1203

  • Minimum Log Source Requirement: Mail Server

  • Query:

    norm_id=* receiver="*${run*"
    

LP_Existing Service Modification Detected

  • Trigger Condition: A modification of an existing service via sc.exe system utility is detected. Adversaries abuse the Windows Service Control Manager to execute malicious commands or payloads without creating new services.

  • ATT&CK Category: Persistence,Privilege Escalation

  • ATT&CK Tag: Create or Modify System Process, Windows Service

  • ATT&CK ID: T1543, T1543.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*sc.exe" or image="*powershell.exe" or image="*cmd.exe") command="*sc*config*binpath*" -user IN EXCLUDED_USERS
    

LP_Exploit for CVE-2017-0261 Detected

  • Trigger Condition: Winword initiating an uncommon subprocess FLTLDR.exe used for exploitation of CVE-2017-0261 and CVE-2017-0262 is detected.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\FLTLDR.exe*" -user IN EXCLUDED_USERS
    

LP_Exploit for CVE-2017-8759 Detected

  • Trigger Condition: Winword starting unfamiliar subprocess csc.exe used in exploits for CVE-2017-8759 is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Exploitation for Client Execution

  • ATT&CK ID: T1203

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\csc.exe" -user IN EXCLUDED_USERS
    

LP_Exploiting SetupComplete CVE-2019-1378 Detected

  • Trigger Condition: The exploitation attempt of privilege escalation vulnerability via Setup Complete.cmd and PartnerSetup Complete.cmd described in CVE-2019-1378 is detected.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_command IN ["*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd", "*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd"] -image IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C:\Windows\WinSxS\*", "C:\Windows\Setup\*"] -user IN EXCLUDED_USERS
    

LP_External Disk Drive or USB Storage Device Detected

  • Trigger Condition: External disk drives or plugged in USB devices are detected.

  • ATT&CK Category: Lateral Movement, Initial Access

  • ATT&CK Tag: Replication Through Removable Media, Hardware Additions

  • ATT&CK ID: T1091, T1200

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer ((event_id IN ["6416"] class="DiskDrive") OR message="USB Mass Storage Device") -user IN EXCLUDED_USERS
    

LP_Fail2ban IP Banned

  • Trigger Condition: A client’s IP address is banned after exceeding the limit for failed authentications.

  • ATT&CK Category: Credential Access, Persistence

  • ATT&CK Tag: Brute Force, Valid Accounts, Account Manipulation

  • ATT&CK ID: T1110, T1078, T1098

  • Minimum Log Source Requirement: Fail2ban

  • Query:

    norm_id=Fail2ban label=IP label=Block | process geoip(source_address) as country
    

LP_File and Directory Discovery Using PowerShell Detected

  • Trigger Condition: Enumeration of files and directories via Command and Scripting Interpreter and PowerShell is detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: File and Directory Discovery

  • ATT&CK ID: T1083

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4103 (command_name="get-childitem*" OR command="get-childitem*") -user IN EXCLUDED_USERS | rename command_name as command
    

LP_File Creation by Command Prompt

  • Trigger Condition: Creation of file by CMD.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command-Line Interface

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 file=* source_image="*cmd.exe" -user IN EXCLUDED_USERS
    

LP_File Creation by PowerShell Detected

  • Trigger Condition: Creation of a file by Command and Scripting Interpreter and PowerShell is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 file=* source_image="*powershell.exe" -file IN ["__PSScriptPolicyTest_*", "PowerShell_transcript.*", "powershell.exe.log", "StartupProfileData*", "ModuleAnalysisCache"] -user IN EXCLUDED_USERS -file IN ["*.mui"]
    

LP_File Deletion Detected

  • Trigger Condition: Adversaries delete files to erase the traces of the intrusion.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indicator Removal on Host, File Deletion

  • ATT&CK ID: T1070, T1070.004

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*remove-item*" or command="*vssadmin*Delete Shadows /All /Q*" or command="*wmic*shadowcopy delete*" or command="*wbdadmin* delete catalog -q*" or command="*bcdedit*bootstatuspolicy ignoreallfailures*" or command="*bcdedit*recoveryenabled no*") -user IN EXCLUDED_USERS
    

LP_File or Folder Permissions Modifications

  • Trigger Condition: Permission requested to modify a file or folder is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: File and Directory Permissions Modification

  • ATT&CK ID: T1222

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image IN ["*\takeown.exe", "*\cacls.exe", "*\icacls.exe"] command="*/grant*") OR (image="*\attrib.exe" command="*-r*")) -user IN EXCLUDED_USERS
    

LP_File System Permissions Weakness

  • Trigger Condition: Adversaries execute their malicious payloads by hijacking the way operating systems run programs.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Hijack Execution Flow, Services File Permissions Weakness

  • ATT&CK ID: T1574,T1574.010

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 (image="*\Temp\*" or image="*C:\Users\*" or status!="*Valid*") -user IN EXCLUDED_USERS
    

LP_Fireball Archer Installation Detected

  • Trigger Condition: Invocation of an Archer malware via rundll32 is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Command-Line Interface,Signed Binary Proxy Execution, Rundll32

  • ATT&CK ID: T1059, T1218, T1218.011

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*\rundll32.exe *, InstallArcherSvc" -user IN EXCLUDED_USERS
    

LP_Firewall Configuration Modification Detected

  • Trigger Condition: Modification in firewall configuration is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Non-Standard Port

  • ATT&CK ID: T1571

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4946 rule=* -user IN EXCLUDED_USERS
    

LP_Firewall Disabled via Netsh Detected

  • Trigger Condition: netsh command turns off the Windows firewall.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["netsh firewall set opmode mode=disable", "netsh advfirewall set * state off"] -user IN EXCLUDED_USERS
    

LP_First Time Seen Remote Named Pipe

  • Trigger Condition: The alert rule excludes the named pipes accessible remotely and notifies on new cases. Also, it helps to detect lateral movement and remote execution using named pipes.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services

  • ATT&CK ID: T1021

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=5145 share_name="IPC$" -relative_target IN ["atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds"] -user IN EXCLUDED_USERS
    

LP_FirstClass Failed Login Attempt

  • Trigger Condition: A user or a gateway attempts to log in with an incorrect password.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Exploitation for Credential Access, Exploitation for Privilege Escalation, Brute Force

  • ATT&CK ID: T1212, T1068, T1110

  • Minimum Log Source Requirement: Firstclass

  • Query:

    norm_id=FirstClass label=Login label=Fail
    

LP_FirstClass Failed Password Change Attempt

  • Trigger Condition: A user fails to change their password.

  • ATT&CK Category: Credential Access, Persistence

  • ATT&CK Tag: Account Manipulation, Exploitation for Credential Access, Exploitation for Privilege Escalation

  • ATT&CK ID: T1098, T1212, T1068

  • Minimum Log Source Requirement: Firstclass

  • Query:

    norm_id=FirstClass label=Password label=Change label=Fail
    

LP_Formbook Process Creation Detected

  • Trigger Condition: Formbook like process executions injecting code into a set of files in the System32 folder, which executes a unique command line to delete the dropper from the AppData Temp folder is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_command IN ["C:\Windows\System32\*.exe", "C:\Windows\SysWOW64\*.exe"] command IN ["* /c del *C:\Users\*\AppData\Local\Temp\*.exe", "* /c del *C:\Users\*\Desktop\*.exe", "* /C type nul > *C:\Users\*\Desktop\*.exe"] -user IN EXCLUDED_USERS
    

LP_FortiGate Admin Login Disable

  • Trigger Condition: The administrator login is disabled in the system.

  • ATT&CK Category: Impact, Credential Access, Persistence

  • ATT&CK Tag: Account Access Removal, Account Manipulation

  • ATT&CK ID: T1531, T1098

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=event sub_category=system message_id=32021 user=*
    

LP_FortiGate Anomaly

  • Trigger Condition: An anomaly in the system is detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=anomaly sub_category=anomaly log_level=alert attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
    

LP_FortiGate Antivirus Botnet Warning

  • Trigger Condition: A botnet warning from antivirus is detected.

  • ATT&CK Category: Command and Control, Impact

  • ATT&CK Tag: Proxy, Network Denial of Service

  • ATT&CK ID: T1090, T1498

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* (event_category=av OR event_category=antivirus) sub_category=botnet message_id=9248 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
    

LP_FortiGate Antivirus Scan Engine Load Failed

  • Trigger Condition: Antivirus Scan Engine Load Failure is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

  • ATT&CK ID: T1562, T1562.001

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=av sub_category=scanerror message_id=8974 | process geoip(source_address) as source_location | process geoip(destination_address) as destination_location
    

LP_FortiGate Attack

  • Trigger Condition: An attack in the system is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service

  • ATT&CK ID: T1498

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
    

LP_FortiGate Critical Events

  • Trigger Condition: Critical events in the system are detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=event sub_category=system log_level=critical
    

LP_FortiGate Data Leak Protection

  • Trigger Condition: An attempt to data leak is detected.

  • ATT&CK Category: Exfiltration

  • ATT&CK Tag: Automated Exfiltration

  • ATT&CK ID: T1020

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=utm sub_category=dlp file=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
    

LP_FortiGate IPS Events

  • Trigger Condition: An intrusion attempt is detected in the system.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

  • ATT&CK ID: T1046, T1211

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=utm sub_category=ips user=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
    

LP_FortiGate Malicious URL Attack

  • Trigger Condition: A malicious attack in a system is detected. This alert rule is valid only for FortiOS V6.0.4.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing, Spearphishing Link

  • ATT&CK ID: T1566, T1566.002

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=ips sub_category="malicious-url" message_id=16399 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
    

LP_FortiGate Virus

  • Trigger Condition: A virus attack is detected.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

  • ATT&CK ID: T1046, T1211

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=utm sub_category=virus | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
    

LP_FortiGate VPN SSL User Login Failed

  • Trigger Condition: A VPN SSL login failure is detected.

  • ATT&CK Category: Initial Access, Credential Access

  • ATT&CK Tag: Valid Accounts, Brute Force

  • ATT&CK ID: T1078, T1110

  • Minimum Log Source Requirement: Fortigate

  • Query:

    norm_id=Forti* event_category=event sub_category=vpn message_id=39426 user=*
    

LP_FromBase64String Command Line Detected

  • Trigger Condition: Suspicious FromBase64String expression in the command-line argument is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Obfuscated Files or Information

  • ATT&CK ID: T1027

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*::FromBase64String(*" -user IN EXCLUDED_USERS
    

LP_FSecure File Infection

  • Trigger Condition: An infected file is detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, File and Directory Discovery

  • ATT&CK ID: T1046, T1083

  • Minimum Log Source Requirement: Fsecure Gatekeeper

  • Query:

    norm_id=FSecureGatekeeper label=Infection label=File label=Attack
    

LP_FSecure Virus Detection

  • Trigger Condition: Virus alert is detected while scanning.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

  • ATT&CK ID: T1046, T1211

  • Minimum Log Source Requirement: Fsecure

  • Query:

    norm_id=FSecure* label=Detect label=Malware malware=*
    

LP_Fsutil Suspicious Invocation Detected

  • Trigger Condition: Suspicious parameters of fsutil used by ransomware during the attack (observed by NotPetya and others) is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indicator Removal on Host

  • ATT&CK ID: T1070

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*\fsutil.exe" OR file="fsutil.exe") command IN ["*deletejournal*", "*createjournal*"] -user IN EXCLUDED_USERS
    

LP_GAC DLL Loaded Via Office Applications Detected

  • Trigger Condition: GAC DLL loaded by an Office Product is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing, Spearphishing Attachment

  • ATT&CK ID: T1566, T1566.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*"] -user IN EXCLUDED_USERS
    

LP_GALLIUM Artifacts Detected

  • Trigger Condition: Artifacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019 are detected.

  • ATT&CK Category: Credential Access, Command and Control

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (norm_id=WindowsSysmon event_id=1 hash_sha1 IN ["53a44c2396d15c3a03723fa5e5db54cafd527635", "9c5e496921e3bc882dc40694f1dcc3746a75db19", "aeb573accfd95758550cf30bf04f389a92922844", "79ef78a797403a4ed1a616c68e07fff868a8650a", "4f6f38b4cec35e895d91c052b1f5a83d665c2196", "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d", "e841a63e47361a572db9a7334af459ddca11347a", "c28f606df28a9bc8df75a4d5e5837fc5522dd34d", "2e94b305d6812a9f96e6781c888e48c7fb157b6b", "dd44133716b8a241957b912fa6a02efde3ce3025", "8793bf166cb89eb55f0593404e4e933ab605e803", "a39b57032dbb2335499a51e13470a7cd5d86b138", "41cc2b15c662bc001c0eb92f6cc222934f0beeea", "d209430d6af54792371174e70e27dd11d3def7a7", "1c6452026c56efd2c94cea7e0f671eb55515edb0", "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a", "4923d460e22fbbf165bbbaba168e5a46b8157d9f", "f201504bd96e81d0d350c3a8332593ee1c9e09de", "ddd2db1127632a2a52943a2fe516a2e7d05d70d2"]) OR (event_source="DNS Server" event_id=257 domain IN ["asyspy256.ddns.net", "hotkillmail9sddcc.ddns.net", "rosaf112.ddns.net", "cvdfhjh1231.myftp.biz", "sz2016rose.ddns.net", "dffwescwer4325.myftp.biz", "cvdfhjh1231.ddns.net"]) OR (event_id=1 hash_sha1="e570585edc69f9074cb5e8a790708336bd45ca0f" -image IN ["*:\Program Files(x86)\\*", "*:\Program Files\\*"])
    

LP_Generic Password Dumper Activity on LSASS Detected

  • Trigger Condition: Process handle on LSASS process with access mask is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer (event_id=4656 OR event_id="4663") object_name="*\lsass.exe" access_mask IN ["*0x40*", "*0x1400*", "*0x1000*", "*0x100000*", "*0x1410*", "*0x1010*", "*0x1438*", "*0x143a*", "*0x1418*", "*0x1f0fff*", "*0x1f1fff*", "*0x1f2fff*", "*0x1f3fff*"] -user IN EXCLUDED_USERS
    

LP_Grabbing Sensitive Hives via Reg Utility

  • Trigger Condition: Grabbing of Sensitive Hives via Reg Utility.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command IN ["*save*", "*export*"] command IN ["*hklm*", "*hkey_local_machine*"] command IN ["*\system", "*\sam", "*\security"] -user IN EXCLUDED_USERS
    

LP_Hacktool Ruler Detected

  • Trigger Condition: Sensepost uses a Hacktool ruler.

  • ATT&CK Category: Discovery, Execution

  • ATT&CK Tag: Account Discovery, Use Alternate Authentication Material, Pass the Hash, Email Collection, Command-Line Interface + ATT&CK ID: T1087, T1550, T1550.002, T1114, T1059

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id IN ["4776", "4624", "4625"] workstation="RULER" -user IN EXCLUDED_USERS
    

LP_HH Execution Detected

  • Trigger Condition: The use of hh.exe executing recently modified .chm files is detected.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Compiled HTML File

  • ATT&CK ID: T1218, T1218.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\hh.exe" command="*.chm*" -user IN EXCLUDED_USERS
    

LP_Hidden Cobra Affected Host

  • Trigger Condition: Windows Server is affected by Hidden Cobra.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Windows

  • Query:

    (object IN HIDDEN_COBRA_FILES OR file in HIDDEN_COBRA_FILES OR hash in HIDDEN_COBRA_FILES) host=* | rename object as file
    

LP_Hidden Cobra Emails Sent to Attacker

  • Trigger Condition: LogPoint detects an email sent to Hidden Cobra listed emails.

  • ATT&CK Category: Exfiltration, Collection

  • ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

  • ATT&CK ID: T1041, T1114

  • Minimum Log Source Requirement: Mail Server

  • Query:

    sender=* receiver=* receiver in HIDDEN_COBRA_EMAIL (host=* OR source_host=*) | rename source_host as host
    

LP_Hidden Cobra Vulnerable Sources

  • Trigger Condition: Vulnerability Scanning Tools detect Hidden Cobra’s vulnerable hosts.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    cve_id in HIDDEN_COBRA_CVE source_address=* | rename title as vulnerability, domain as host
    

LP_Hidden Files and Directories - VSS Detected

  • Trigger Condition: Adversaries hide files and directories to evade detection.

  • ATT&CK Category: Defense Evasion, Persistence

  • ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

  • ATT&CK ID: T1564, T1564.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*\VolumeShadowCopy*\*" or command="*\VolumeShadowCopy*\*") -user IN EXCLUDED_USERS
    

LP_Hidden Files and Directories Detected

  • Trigger Condition: Adversaries hide files and directories to evade detection.

  • ATT&CK Category: Defense Evasion, Persistence

  • ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

  • ATT&CK ID: T1564, T1564.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*attrib.exe" (command="*+h*" or command="*+s*") -user IN EXCLUDED_USERS
    

LP_Hidden PowerShell Window Detected

  • Trigger Condition: LogPoint detects the use of hidden Command and Scripting Interpreter and PowerShell Window.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Hide Artifacts, Hidden Window

  • ATT&CK ID: T1564, T1564.003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4688 "process"="*powershell.exe" (commandline="*-w*hid*" OR command="*-w*hid*") -user IN EXCLUDED_USERS
    

LP_Hiding Files with Attrib Detected

  • Trigger Condition: The use of attrib.exe to hide files from users is detected.

  • ATT&CK Category: Defense Evasion, Persistence

  • ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

  • ATT&CK ID: T1564, T1564.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\attrib.exe" command="* +h *" -(command="*\desktop.ini *" OR (parent_image="*\cmd.exe" command="+R +H +S +A \*.cui" parent_command="C:\WINDOWS\system32\*.bat")) -user IN EXCLUDED_USERS
    

LP_Highly Relevant Renamed Binary Detected

  • Trigger Condition: LogPoint detects the execution of a renamed binary used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 file IN ["powershell.exe", "powershell_ise.exe", "psexec.exe", "psexec.c", "cscript.exe", "wscript.exe", "mshta.exe", "regsvr32.exe", "wmic.exe", "certutil.exe", "rundll32.exe", "cmstp.exe", "msiexec.exe"] -image IN ["*\powershell.exe", "*\powershell_ise.exe", "*\psexec.exe", "*\psexec64.exe", "*\cscript.exe", "*\wscript.exe", "*\mshta.exe", "*\regsvr32.exe", "*\wmic.exe", "*\certutil.exe", "*\rundll32.exe", "*\cmstp.exe", "*\msiexec.exe"] -user IN EXCLUDED_USERS
    

LP_Hooking Activities Detected

  • Trigger Condition: Adversaries capture user input to obtain a credential or collect information.

  • ATT&CK Category: Collection, Credential Access

  • ATT&CK Tag: Input Capture, Credential API Hooking

  • ATT&CK ID: T1056, T1056.004

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*mavinject.exe" or command="*/INJECTRUNNING*") -user IN EXCLUDED_USERS
    

LP_Hurricane Panda Activity Detected

  • Trigger Condition: LogPoint detects Hurricane Panda activity.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Exploitation for Privilege Escalation

  • ATT&CK ID: T1068

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["* localgroup administrators admin /add", "*\Win64.exe*"] -user IN EXCLUDED_USERS
    

LP_IIS Native-Code Module Command Line Installation

  • Trigger Condition: LogPoint detects suspicious IIS native-code module installations via the command line.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Server Software Component, Web Shell

  • ATT&CK ID: T1505, T1505.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*\APPCMD.EXE install module /name:*"] -user IN EXCLUDED_USERS
    

LP_Image File Execution Options Injection

  • Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.

  • ATT&CK Category: Privilege Escalation, Persistence, Defense Evasion

  • ATT&CK Tag: Event Triggered Execution, Image File Execution Options Injection

  • ATT&CK ID: T1546, T1546.012

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" or target_object="*\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*") -user IN EXCLUDED_USERS
    

LP_Impair Defenses - Disable or Modify Tools - Service Stopped

  • Trigger Condition: Adversaries maliciously modify components of a victim environment to hinder or disable defensive mechanisms.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

  • ATT&CK ID: T1562, T1562.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*sc.exe") command="*stop*" -user IN EXCLUDED_USERS
    

LP_In-memory PowerShell Detected

  • Trigger Condition: Loading of essential DLL used by PowerShell, but not by the process powershell.exe is detected. In addition, it detects the Meterpreter’s Load PowerShell extension.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 image IN ["*\System.Management.Automation.Dll", "*\System.Management.Automation.ni.Dll"] -source_image IN ["*\powershell.exe", "*\powershell_ise.exe", "*\WINDOWS\System32\sdiagnhost.exe", "*\mscorsvw.exe", "*\WINDOWS\System32\RemoteFXvGPUDisablement.exe"] -user="NT AUTHORITY\SYSTEM" -user IN EXCLUDED_USERS
    

LP_Indicator Blocking - Driver Unloaded

  • Trigger Condition: Adversary blocks indicators or events captured by sensors from being gathered and analyzed.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Indicator Blocking

  • ATT&CK ID: T1562, T1562.006

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*fltmc.exe" or command="*fltmc*unload*") -user IN EXCLUDED_USERS
    

LP_Indicator Blocking - Sysmon Registry Edited

  • Trigger Condition: Adversary blocks indicators or events captured by sensors from being gathered and analyzed.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Indicator Blocking

  • ATT&CK ID: T1562, T1562.006

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*HKLM\System\CurrentControlSet\Services\SysmonDrv\*" or target_object="*HKLM\System\CurrentControlSet\Services\Sysmon\*" or target_object="*HKLM\System\CurrentControlSet\Services\Sysmon64\*") (image!="*Sysmon64.exe" or image!="*Sysmon.exe") -user IN EXCLUDED_USERS
    

LP_Indirect Command Execution Detected

  • Trigger Condition: LogPoint detects indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indirect Command Execution

  • ATT&CK ID: T1202

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image IN ["*\pcalua.exe", "*\forfiles.exe"] -user IN EXCLUDED_USERS
    

LP_Install Root Certificate

  • Trigger Condition: Adversaries undermine security controls that will either warn users of the untrusted activity or prevent the execution of untrusted programs.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Subvert Trust Controls, Install Root Certificate

  • ATT&CK ID: T1553, T1553.004

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) image!="*svchost.exe" (target_object="*\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*" or target_object="*\Microsoft\SystemCertificates\Root\Certificates\*") -user IN EXCLUDED_USERS
    

LP_Suspicious InstallUtil Execution

  • Trigger Condition: Adversaries use InstallUtil for proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows installation and uninstallation of resources by executing specific installer components specified in .NET binaries.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, InstallUtil

  • ATT&CK ID: T1218, T1218.004

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 (image="*InstallUtil.exe" or command="*\/logfile= \/LogToConsole=false \/U*") -user IN EXCLUDED_USERS
    

LP_InvisiMole Malware Connection to Malicious Domains

  • Trigger Condition: A connection with domain related to the InvisiMole Malware is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in INVISIMOLE_MALWARE_DOMAINS
    

LP_InvisiMole Malware Connection to Malicious Sources

  • Trigger Condition: A host makes an outbound connection to InvisiMole malware sources.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (destination_address IN INVISIMOLE_MALWARE_IPS OR source_address IN INVISIMOLE_MALWARE_IPS) | process geoip(destination_address) as country
    

LP_InvisiMole Malware Exploitable Vulnerabilities Detected

  • Trigger Condition: Vulnerability Management detects the presence of vulnerabilities linked to InvisiMole malware that targets high-profile military and diplomatic entities.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    norm_id=VulnerabilityManagement (cve_id="*CVE-2017-0144*" OR cve_id="*CVE-2019-0708*")
    

LP_InvisiMole Malware Infected Host Detected

  • Trigger Condition: InvisiMole malware-infected host is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Destruction, Proxy

  • ATT&CK ID: T1485, T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

  • Query:

    host=* hash=* hash IN INVISIMOLE_MALWARE_HASHES
    

LP_Invocation of Active Directory Diagnostic Tool Detected

  • Trigger Condition: Execution of ntdsutil.exe used for various attacks against the OS Credential Dumping, NTDS database (OS Credential Dumping, NTDS.DIT) is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*\ntdsutil*" -user IN EXCLUDED_USERS
    

LP_Java Running with Remote Debugging

  • Trigger Condition: LogPoint detects a JAVA process running with remote debugging, allowing the local host to connect.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*transport=dt_socket, address=*" -command="*address=127.0.0.1*" -command="*address=localhost*" -user IN EXCLUDED_USERS
    

LP_Judgement Panda Exfil Activity

  • Trigger Condition: Judgement Panda activity described in Global Threat Report 2019 by Crowdstrike is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credentials in Files, Credential Dumping

  • ATT&CK ID: T1552, T1552.001, T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\xcopy.exe" command="* /S /E /C /Q /H *") OR (image="*\adexplorer.exe" command="* -snapshot * c:\users\*")) -user IN EXCLUDED_USERS
    

LP_Judgement Panda Exfil Activity Detected

  • Trigger Condition: Judgement Panda activity described in Global Threat Report 2019 by Crowdstrike is detected.

  • ATT&CK Category: Lateral Movement, Credential Access, Exfiltration, Collection

  • ATT&CK Tag: Account Manipulation, Data Compressed, Archive Collected Data

  • ATT&CK ID: T1098, T1056

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command IN ["*\ldifde.exe -f -n *", "*\7za.exe a 1.7z *", "* eprod.ldf", "*\aaaa\procdump64.exe*", "*\aaaa\netsess.exe*", "*\aaaa\7za.exe*", "*copy .\1.7z \*", "*copy \client\c$\aaaa\*"] OR image="C:\Users\Public\7za.exe") -user IN EXCLUDED_USERS
    

LP_JunOS Attack

  • Trigger Condition: LogPoint detects an attack pattern.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

  • ATT&CK ID: T1498, T1499

  • Minimum Log Source Requirement: JunOS

  • Query:

    norm_id=JunOS (label=Application OR label=appddos OR threat=*dos*) label=Attack (label=Warning OR label=Successful)
    

LP_JunOS Authentication Failed

  • Trigger Condition: Failure of an authentication.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts, Brute Force

  • ATT&CK ID: T1078, T1110

  • Minimum Log Source Requirement: JunOS

  • Query:

    norm_id=JunOS label=User (label=Authentication OR Login) label=Fail
    

LP_JunOS Policy Violation

  • Trigger Condition: A policy violation is detected.

  • ATT&CK Category: Defense Evasion, Privilege Escalation, Credential Access

  • ATT&CK Tag: Bypass User Access Control, Exploitation for Credential Access, Exploitation for Privilege Escalation

  • ATT&CK ID: T1548, T1212, T1068

  • Minimum Log Source Requirement: JunOS

  • Query:

    norm_id=JunOS label=Policy (label=Violation OR label=Error)
    

LP_JunOS Security Log Clear

  • Trigger Condition: An administrator has cleared one or more audit logs.

  • ATT&CK Category: Defense Evasion, Impact

  • ATT&CK Tag: Indicator Removal on Host, Data Destruction, Indicator Removal on Host, File Deletion

  • ATT&CK ID: T1070, T1485, T1070, T1070.004

  • Minimum Log Source Requirement: JunOS

  • Query:

    norm_id=JunOS label=Log label=Clear
    

LP_Kaspersky Antivirus - Outbreak Detection

  • Trigger Condition: This alert rule is triggered whenever a threat is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Software Discovery, Security Software Discovery

  • ATT&CK ID: T1518, T1518.001

  • Minimum Log Source Requirement: Kaspersky

  • Query:

    norm_id=KasperskyAntivirus event_type="*threat*detected" | rename wstrPar5 as virus | chart distinct_count(win_name) as CNT by virus, event_type
    

LP_Kaspersky Antivirus - Update Fail

  • Trigger Condition: Automatic updates are disabled, not all the components are updated, or there is a network error.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

  • ATT&CK ID: T1562, T1562.001

  • Minimum Log Source Requirement: Kaspersky

  • Query:

    norm_id=KasperskyAntivirus (event_type="Automatic updates are disabled" OR event_type="Not all components were updated" OR event_type="Network update error" OR event_type="Error updating component"
    OR description="Error downloading update files" OR description="Update files are corrupted") | rename event_type as reason, description as reason
    

LP_Kaspersky Antivirus Extremely Out of Date Event

  • Trigger Condition: Outdated events are detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Indicator Blocking

  • ATT&CK ID: T1562, T1562.006

  • Minimum Log Source Requirement: Kaspersky

  • Query:

    norm_id=KasperskyAntivirus event_type="*extremely out of date*"
    

LP_Kaspersky Antivirus Outbreak Detection by Source

  • Trigger Condition: More than one source is affected by the same virus.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Software Discovery, Security Software Discovery

  • ATT&CK ID: T1518, T1518.001

  • Minimum Log Source Requirement: Kaspersky

  • Query:

    norm_id=KasperskyAntivirus "event_type"="Threats have been detected" | chart distinct_count(win_name) as DC | search DC>1
    

LP_Kaspersky Antivirus Outbreak Detection by Virus

  • Trigger Condition: More than ten viruses are detected in the system.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Software Discovery, Security Software Discovery

  • ATT&CK ID: T1518, T1518.001

  • Minimum Log Source Requirement: Kaspersky

  • Query:

    norm_id=KasperskyAntivirus "event_type"="Threats have been detected" | chart distinct_count(wstrPar5) as DC | search DC>10
    

LP_Kaspersky Antivirus Threat Affecting Multiple Host

  • Trigger Condition: The same threat is detected in multiple hosts.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Indicator Blocking

  • ATT&CK ID: T1562, T1562.006

  • Minimum Log Source Requirement: Kaspersky

  • Query:

    norm_id=KasperskyAntivirus event_type="*threat*detected" | chart distinct_count(win_name) as HostCount by event_type | process quantile(HostCount) | chart count() by event_type, quantile, HostCount
    

LP_Kerberoasting via PowerShell Detected

  • Trigger Condition: Steal or forge Kerberos tickets, Kerberoasting via Command and Scripting Interpreter, and PowerShell is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

  • ATT&CK ID: T1558, T1558.003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4103 (command_name="Invoke-Kerberoast" OR command="Invoke-Kerberoast") -user IN EXCLUDED_USERS | rename command_name as command
    

LP_Kernel Firewall Connection Denied

  • Trigger Condition: Ten firewall connections are denied from the same source to the same destination in a minute.

  • ATT&CK Category: Impact, Command and Control

  • ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy

  • ATT&CK ID: T1498, T1499, T1090

  • Minimum Log Source Requirement: Kernel

  • Query:

    [10 norm_id=Kernel label=Firewall label=Connection label=Deny having same source_address, destination_address within 1 minute]
    

LP_Koadic Execution Detected

  • Trigger Condition: Command line parameters used by the Koadic hack tool is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*cmd.exe* /q /c chcp *"] -user IN EXCLUDED_USERS
    

LP_KRACK Vulnerable Source Detected

  • Trigger Condition: Sources vulnerable to KRACK are detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Qualys, Vulnerability Management

  • Query:

    qualys_id=* qualys_id IN [176179, 91411, 196947, 170424, 170428, 196947] source_address=*
    

LP_Large ICMP Traffic

  • Trigger Condition: ICMP datagrams with a size greater than 1024 bytes are received.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    ((label=Receive label=Packet) or label=Illegal label=Receive label=Packet) (packet_length>1024 or fragment_length>1024)
    

LP_Local Account Creation on Workstation Detected

  • Trigger Condition: Creation of a local account on a domain workstation that is not Windows Domain Controller (DC).

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Create Account

  • ATT&CK ID: T1136

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label=User label=Account label=Create -target_user="*$" target_user=* -host in WINDOWS_DC -user IN EXCLUDED_USERS
    

LP_Local Accounts Discovery Detected

  • Trigger Condition: Valid Accounts, Account Discovery, or Local Accounts Discovery is detected.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Owner/User Discovery, Account Discovery

  • ATT&CK ID: T1033, T1087

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (norm_id=WindowsSysmon event_id=1 (((image="*\whoami.exe" OR (image="*\wmic.exe" command="*useraccount*" command="*get*") OR image IN ["*\quser.exe", "*\qwinsta.exe"] OR (image="*\cmdkey.exe" command="*/list*") OR (image="*\cmd.exe" command="*/c*" command="*dir *" command="*\Users\\*")) -(command IN ["* rmdir *"])) OR ((image IN ["*\net.exe", "*\net1.exe"] command="*user*") -(command IN ["*/domain*", "*/add*", "*/delete*", "*/active*", "*/expires*", "*/passwordreq*", "*/scriptpath*", "*/times*", "*/workstations*"])))) -user IN EXCLUDED_USERS
    

LP_Local Port Monitor

  • Trigger Condition: Adversaries configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors

  • ATT&CK ID: T1547, T1547.01

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\SYSTEM\CurrentControlSet\Control\Print\Monitors\*" -user IN EXCLUDED_USERS
    

LP_LockCrypt Ransomware

  • Trigger Condition: LockCrypt ransomware encrypts a file.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Disk Wipe, Disk Content Wipe, Data Encrypted for Impact, Data Destruction

  • ATT&CK ID: T1561, T1561.001, T1486, T1485

  • Minimum Log Source Requirement: Integrity Scanner

  • Query:

    norm_id=IntegrityScanner label = File label="Rename" new_file=*.lock | norm on new_file <path:.*><:'\\'><EncryptedFileName:.*> | norm on file_path <:.*><:'\\'><OriginalFileName:.*> | rename hostname as host | chart count() by log_ts, host, path, OriginalFileName, EncryptedFileName order by count() desc limit 10
    

LP_LockerGoga Malware Affected Host

  • Trigger Condition: LockerGoga malware infects a host.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

  • Query:

    host=* (hash IN LOCKERGOGA_HASHES OR hash_sha1 IN LOCKERGOGA_HASHES OR hash_sha256 IN LOCKERGOGA_HASHES OR file IN LOCKERGOGA_FILES OR object IN LOCKERGOGA_FILES) | rename hash_sha1 as hash, hash_sha256 as hash, object as file
    

LP_LockerGoga Malware Emails Sent to Attacker

  • Trigger Condition: An email is sent to or from LockerGoga malware listed emails.

  • ATT&CK Category: Command and Control, Exfiltration

  • ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

  • ATT&CK ID: T1090, T1041, T1020, T1114

  • Minimum Log Source Requirement: Mail Server

  • Query:

    (receiver in LOCKERGOGA_EMAILS OR sender in LOCKERGOGA_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host
    

LP_Log Files Creation of Dot-Net-to-JS Detected

  • Trigger Condition: Creation of log files of Dot-Net-to-JavaScript.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 path="*UsageLogs*" file in ["*cscript.exe.log", "*wscript.exe.log", "*wmic.exe.log", "*mshta.exe.log", "*svchost.exe.log", "*regsvr32.exe.log", "*rundll32.exe.log"] -user IN EXCLUDED_USERS
    

LP_Login with WMI Detected

  • Trigger Condition: Logins performed with WMI are detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Windows Management Instrumentation

  • ATT&CK ID: T1047

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4624 "process"="*\WmiPrvSE.exe" -user IN EXCLUDED_USERS
    

LP_Logon Scripts Detected

  • Trigger Condition: Creation or execution of UserInitMprLogon Script persistence method.

  • ATT&CK Category: Persistence, Lateral Movement

  • ATT&CK Tag: Logon Scripts

  • ATT&CK ID: T1037

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=1 ((parent_image="*\userinit.exe" -image="*\explorer.exe" -command IN ["*\netlogon.bat", "*\UsrLogon.cmd"]) OR (command="*UserInitMprLogonScript*"))) OR (event_id IN ["11", "12", "13", "14"] target_object="*UserInitMprLogonScript*") -user IN EXCLUDED_USERS
    

LP_LSASS Access from Non System Account Detected

  • Trigger Condition: Potential mimikatz-like tools accessing LSASS from non system account is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id IN ["4663", "4656"] object_type="Process" object_name="*\lsass.exe" -user="*$" -user IN EXCLUDED_USERS
    

LP_LSASS Memory Dump Detected

  • Trigger Condition: Process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for Winodws10 is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=10 image="C:\windows\system32\lsass.exe" access="0x1fffff" call_trace IN ["*dbghelp.dll*", "*dbgcore.dll*"] -user IN EXCLUDED_USERS
    

LP_LSASS Memory Dump File Creation

  • Trigger Condition: LSASS memory dump creation using operating systems utilities is detected. Procdump uses process name in the output file if no name is specified.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 file="*lsass*dmp" -user IN EXCLUDED_USERS
    

LP_LSSAS Memory Dump with MiniDumpWriteDump API Detected

  • Trigger Condition: The use of MiniDumpWrite Dump API for dumping lsass.exe memory in a stealth way is detected.Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. For example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker’s machine.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (norm_id=WindowsSysmon event_id=7 source_image IN ["*\dbghelp.dll", "*\dbgcore.dll"] image IN ["*\msbuild.exe", "*\cmd.exe", "*\svchost.exe", "*\rundll32.exe", "*\powershell.exe", "*\word.exe", "*\excel.exe", "*\powerpnt.exe", "*\outlook.exe", "*\monitoringhost.exe", "*\wmic.exe", "*\msiexec.exe", "*\bash.exe", "*\wscript.exe", "*\cscript.exe", "*\mshta.exe", "*\regsvr32.exe", "*\schtasks.exe", "*\dnx.exe", "*\regsvcs.exe", "*\sc.exe", "*\scriptrunner.exe"] -image="*Visual Studio*") OR (event_id=7 source_image IN ["*\dbghelp.dll", "*\dbgcore.dll"] Signed="FALSE" -image="*Visual Studio*") -user IN EXCLUDED_USERS
    

LP_LSASS Memory Dumping Detected

  • Trigger Condition: Creation of dump files containing the memory space of lsass.exe, containing sensitive credentials is detected. It identifies the use of Sysinternals procdump.exe to export the memory space of lsass.exe containing sensitive credentials.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((command="*lsass*" command="*.dmp*" -image="*\werfault.exe") OR (image="*\procdump*" image="*.exe" command="*lsass*")) -user IN EXCLUDED_USERS
    

LP_Macro file Creation Detected

  • Trigger Condition: Creation of a macro file is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Command and Scripting Interpreter

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 file in ["*.docm", "*.pptm", "*.xlsm", "*.xlm", "*.dotm", "*.xltm", "*.potm", "*.ppsm", "*.sldm", "*.xlam", "*.xla"] -user IN EXCLUDED_USERS
    

LP_Magecart Exploitable Vulnerabilities Detected

  • Trigger Condition: Vulnerability Management detects the presence of Magento vulnerability linked to Magecart Card Skimming attack on E-Commerce Business.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    norm_id=VulnerabilityManagement cve_id="*CVE-2016-4010*"
    

LP_Magecart Threat Connection to Malicious Domains

  • Trigger Condition: Any connection to Magecart related domains is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in MAGECART_DOMAINS
    

LP_Magecart Threat Connection to Malicious Sources

  • Trigger Condition: Hosts make an outbound connection to Magecart sources.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (destination_address IN MAGECART_IPS OR source_address IN MAGECART_IPS) | process geoip(destination_address) as country
    

LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected

  • Trigger Condition: LogPoint detects base64 encoded strings used in hidden malicious Command and Scripting Interpreter and PowerShell command lines.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" command IN ["* hidden *", "*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", "*aXRzYWRtaW4gL3RyYW5zZmVy*",
    "*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", "*JpdHNhZG1pbiAvdHJhbnNmZX*","*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", "*Yml0c2FkbWluIC90cmFuc2Zlc*",
    "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*","*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*",
    "*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", "*lPLkNvbXByZXNzaW9u*",
    "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*", "*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*", "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*",
    "*lPLk1lbW9yeVN0cmVhb*","*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*", "*Ty5NZW1vcnlTdHJlYW*", "*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*","*AEcAZQB0AEMAaAB1AG4Aaw*",
    "*LgBHAGUAdABDAGgAdQBuAGsA*", "*LkdldENodW5r*","*R2V0Q2h1bm*", "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", "*RIUkVBRF9JTkZPNj*",
    "*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*", "*VEhSRUFEX0lORk82N*",
    "*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*", "*cmVhdGVSZW1vdGVUaHJlYW*", "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*", "*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*",
    "*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*", "*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*", "*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*"] -user IN EXCLUDED_USERS
    

LP_Malicious File Execution Detected

  • Trigger Condition: Execution of a suspicious file by wscript and cscript.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter

  • ATT&CK ID: T1059

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image IN ["*\wscript.exe", "*\cscript.exe"] command IN ["*.jse", "*.vbe", "*.js", "*.vba"] -user IN EXCLUDED_USERS
    

LP_Malicious PowerShell Commandlet Names Detected

  • Trigger Condition: LogPoint detects Commandlet names from well-known Command and Scripting Interpreter, and PowerShell exploitation frameworks.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (norm_id=WindowsSysmon event_id=11 file IN MALICIOUS_POWERSHELL_COMMANDLET_NAMES) or (norm_id=WinServer command IN MALICIOUS_POWERSHELL_COMMANDS) -user IN EXCLUDED_USERS
    

LP_Malicious Service Installations Detected

  • Trigger Condition: Malicious service installs appearing in lateral movement, credential dumping, and other suspicious activity are detected.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Credential Dumping, System Services, Service Execution, New Service

  • ATT&CK ID: T1003, T1569, T1569.002, T1543

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=7045 service in ["*\PAExec*", "mssecsvc2.0", "*net user*", "WCESERVICE", "WCE SERVICE", "winexesvc.exe*", "*\DumpSvc.exe", "pwdump*", "gsecdump*", "cachedump*"]
    -user IN EXCLUDED_USERS
    

LP_Malware Shellcode in Verclsid Target Process

  • Trigger Condition: A process accessing verclsid.exe that injects shellcode from a Microsoft Office application or VBA macro is detected.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Process Injection, Signed Binary Proxy Execution, Verclsid

  • ATT&CK ID: T1055, T1218, T1218.012

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=10 image="*\verclsid.exe" access="0x1FFFFF" (call_trace="*|UNKNOWN(*VBE7.DLL*" OR (source_image="*\Microsoft Office\*" call_trace="*|UNKNOWN*")) -user IN EXCLUDED_USERS
    

LP_Malware Threat Affected Host

  • Trigger Condition: A malware infects a host.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Windows

  • Query:

    (object IN MALWARE_FILES OR file in MALWARE_FILES OR hash in MALWARE_HASHES) host=* | rename object as file
    

LP_Malware Threat Connection from Malicious Source

  • Trigger Condition: Inbound connection from malicious sources is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (source_address=* OR destination_address=*) source_address in MALWARE_IP destination_address IN HOMENET | process geoip(source_address) as country
    

LP_Malware Threat Connection to Malicious Destination

  • Trigger Condition: Hosts make an outbound connection to malicious sources.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (source_address=* OR destination_address=*) destination_address in MALWARE_IP source_address IN HOMENET |process geoip(destination_address) as country
    

LP_Malware Threat Connection to Malicious URLs

  • Trigger Condition: A connection to a malicious URL is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    url=* source_address=* | process domain(url) as domain| search domain in MALWARE_URL
    

LP_Malware Threat Emails Sent to Attacker

  • Trigger Condition: Email is sent to malware listed emails.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

  • ATT&CK ID: T1090, T1041, T1020, T1114

  • Minimum Log Source Requirement: Mail Server

  • Query:

    (receiver in MALWARE_EMAILS OR sender in MALWARE_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host
    

LP_Masquerading Extension Detected

  • Trigger Condition: Masquerading of file extension is detected. Adversaries manipulate features of their artifacts to evade defenses and observation.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*.doc.*" or image="*.docx.*" or image="*.xls.*" or image="*.xlsx.*" or image="*.pdf.*" or image="*.rtf.*" or image="*.jpg.*" or image="*.png.*" or image="*.jpeg.*" or image="*.zip.*" or image="*.rar.*" or image="*.ppt.*" or image="*.pptx.*") -user IN EXCLUDED_USERS
    

LP_Masquerading File Location Detected

  • Trigger Condition: Masquerading of file location is detected. Adversaries manipulate features of their artifacts to evade defenses and observation.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 (source_image="*SysWOW64*" or source_image="*System32*" or source_image="*AppData*" or image="*Temp*") (file="*.exe" or file="*.dll*" or file="*.bat*" or file="*.com*" or file="*.ps1*" or file="*.py*" or file="*.js*" or file="*.vbs*" or file="*.hta*") -user IN EXCLUDED_USERS
    

LP_Matrix Encrypted Files

  • Trigger Condition: Matrix malware encrypted files are detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Encrypted for Impact, Data Encrypted, Data Destruction

  • ATT&CK ID: T1486, T1022, T1485

  • Minimum Log Source Requirement: Integrity Scanner

  • Query:

    norm_id=IntegrityScanner label="Rename" label=File new_file IN MATRIX_FILE | norm on new_file <path:.*><:'\\'><EncryptedFileName:string> | norm on file_path <:.*><:'\\'><OriginalFileName:string>
    

LP_Matrix Vulnerable Sources

  • Trigger Condition: Vulnerability scanner detects vulnerability related to Internet Explorer and Flash Player that relates to the Matrix Ransomware.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    cve_id="*CVE-2016-0189*" or cve_id="*CVE-2015-8651*" source_address=*
    

LP_MavInject Process Injection Detected

  • Trigger Condition: Process injection using the signed Windows tool Mavinject32.exe is detected.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Process Injection, Signed Binary Proxy Execution

  • ATT&CK ID: T1055, T1218

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="* /INJECTRUNNING *" -user IN EXCLUDED_USERS
    

LP_Maze Ransomware Connection to Malicious Domains

  • Trigger Condition: Maze Double Extortion ransomware-related domains is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in MAZE_RANSOMWARE_DOMAINS
    

LP_Maze Ransomware Connection to Malicious Sources

  • Trigger Condition: Hosts make an outbound connection to Maze Double Extortion ransomware sources.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (destination_address IN MAZE_RANSOMWARE_IPS OR source_address IN MAZE_RANSOMWARE_IPS) | process geoip(destination_address) as country
    

LP_Maze Ransomware Exploitable Vulnerabilities Detected

  • Trigger Condition: Vulnerability management detects presence of vulnerability linked to Maze Double Extortion Ransomware.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    norm_id=VulnerabilityManagement cve_id IN MAZE_RANSOMWARE_CVE
    

LP_Maze Ransomware Infected Host Detected

  • Trigger Condition: MAZE Double Extortion ransomware-infected host is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Encrypted for Impact

  • ATT&CK ID: T1486

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

  • Query:

    host=* hash=* hash IN MAZE_RANSOMWARE_HASHES
    

LP_Meltdown and Spectre Vulnerabilities

  • Trigger Condition: Meltdown and Spectre vulnerabilities are detected in the system.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Software Discovery, Security Software Discovery

  • ATT&CK ID: T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    title=*spectre* or title=*meltdown* source_address=* | rename host as source_address | chart count() by source_address, severity, cve_id, solution order by count() desc
    

LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected

  • Trigger Condition: The use of getsystem Meterpreter or Cobalt Strike command to obtain SYSTEM privileges by detecting a specific service starting.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Access Token Manipulation

  • ATT&CK ID: T1134

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\services.exe" command IN ['*cmd* /c * echo *\pipe\*', '*%COMPSEC%* /c * echo *\pipe\*', '*rundll32*.dll,a*/p:*'] -command="*MpCmdRun*" -user IN EXCLUDED_USERS
    

LP_Microsoft ActiveX Control Code Execution Vulnerability Detected

  • Trigger Condition: Remote code execution in Microsoft ActiveX Control (CVE-2012-0158) is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Exploitation for Client Execution

  • ATT&CK ID: T1203

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Key label="Map" label=Registry target_object='*Software\Microsoft\Office*Resiliency' -user IN EXCLUDED_USERS
    

LP_Microsoft Binary Github Communication Detected

  • Trigger Condition: Executable accessing GitHub in the Windows folder is detected.

  • ATT&CK Category: Microsoft Build Engine Loading Credential Libraries

  • ATT&CK Tag: Ingress Tool Transfer

  • ATT&CK ID: T1105

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 initiated="true" destination_host IN ["*.github.com", "*.githubusercontent.com"] image="C:\Windows\*" -user IN EXCLUDED_USERS
    

LP_Microsoft DotNET Framework Remote Code Execution Detected

  • Trigger Condition: Remote code execution vulnerability (CVE-2017-8759) in Microsoft .NET Framework is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: User Execution, Malicious File

  • ATT&CK ID: T1204, T1204.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label="Process" label=Create parent_image='*WINWORD.exe' parent_command='*.rtf*' image='*csc.exe' -user IN EXCLUDED_USERS
    

LP_Microsoft Office Memory Corruption Vulnerability CVE-2015-1641 Detected

  • Trigger Condition: The exploitation of memory corruption vulnerability (CVE-2015-1641) in Microsoft Office is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: User Execution

  • ATT&CK ID: T1204

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Image label=Load source_image IN ['*WINWORD.exe', '*EXCEL.exe'] image='*MSVCR71.DLL' -user IN EXCLUDED_USERS
    

LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-0199 Detected

  • Trigger Condition: The exploitation of memory corruption vulnerability (CVE-2017-0199) in Microsoft Office is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: User Execution

  • ATT&CK ID: T1204

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Network label=Connection image='*WINWORD.exe' destination_address IN MOST_EXPLOITABLE_IPS -user IN EXCLUDED_USERS
    

LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-11882 Detected

  • Trigger Condition: The exploitation of memory corruption vulnerability (CVE-2017-11882) in Microsoft Office is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: User Execution

  • ATT&CK ID: T1204

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label="Process" label=Create parent_image='*EQNEDT32.EXE' parent_command='*EQNEDT32.EXE*-Embedding' image='*.exe' -user IN EXCLUDED_USERS
    

LP_Microsoft Office Product Spawning Windows Shell

  • Trigger Condition: Windows command line executable initiated from Microsoft Word, Excel, Powerpoint, Publisher, and Visio is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, Indirect Command Execution

  • ATT&CK ID: T1059, T1202

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\OUTLOOK.EXE"]
    image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe",
    "*\cscript.exe", "*\sh.exe", "*\bash.exe","*\scrcons.exe",
    "*\schtasks.exe", "*\regsvr32.exe", "*\hh.exe", "*\wmic.exe", "*\mshta.exe", "*\rundll32.exe",
    "*\msiexec.exe", "*\forfiles.exe", "*\scriptrunner.exe", "*\mftrace.exe", "*\AppVLP.exe", "*\svchost.exe"]
    -user IN EXCLUDED_USERS
    

LP_Microsoft Workflow Compiler Detected

  • Trigger Condition: Invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Trusted Developer Utilities Proxy Execution

  • ATT&CK ID: T1127

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\Microsoft.Workflow.Compiler.exe" -user IN EXCLUDED_USERS
    

LP_Mimikatz Command Line Detected

  • Trigger Condition: mimikatz command line argument is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*DumpCreds*", "*Invoke-Mimikatz*", "*rpc::*", "*token::*", "*crypto::*", "*dpapi::*", "*sekurlsa::*", "*kerberos::*", "*lsadump::*", "*privilege::*", "*process::*", "*misc::aadcookie*", "*misc::detours*", "*misc::memssp*", "*misc::mflt*", "*misc::ncroutemon*", "*misc::ngcsign*", "*misc::printnightmare*", "*misc::skeleton*", "*service::preshutdown*", "*ts::mstsc*", "*ts::multirdp*"] -user IN EXCLUDED_USERS
    

LP_Mitre - Initial Access - Hardware Addition - Removable Storage Connected

  • Trigger Condition: Removable storage is connected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Hardware Additions

  • ATT&CK ID: T1200

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer* event_id=2003 event_source="Microsoft-Windows-DriverFrameworks-UserMode/Operational" -user IN EXCLUDED_USERS
    

LP_Mitre - Initial Access - Valid Accounts - Impossible Travel

  • Trigger Condition: A user logs in from more than one GeoIP location.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    label=User label=Login source_address=* | process geoip(source_address) as country | chart distinct_count(country) as DC, distinct_list(country) as countries by user | search countries>1
    

LP_Mitre - Initial Access - Valid Accounts - Inactive User Accounts

  • Trigger Condition: User accounts are inactive for more than 30 days.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    table AD_Users -lastLogon=0 lastLogon=* | process current_time(a) as time| chart max((time- (lastLogon/10000000 - 11644473600))/60/60/24) as number_of_days by sAMAccountName | search number_of_days>29
    

LP_Mitre Command and Control Using Uncommonly used Port Detected

  • Trigger Condition: Command and Control activity using uncommonly used ports is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Non-Standard Port

  • ATT&CK ID: T1571

  • Minimum Log Source Requirement: Proxy Server

  • Query:

    norm_id=*Proxy* source_address=* destination_address=* destination_port IN COMMON_PORTS | process ti(destination_address)| rename et_category as ti_category | process eval("attack_class='Command and Control'")| process eval("technique='Commonly Used Port'") | search ti_category="*Command and Control*"
    

LP_Mitre Credential Access Using Credentials from Web Browsers Detected

  • Trigger Condition: Credential Access is detected using credentials from password stores and credentials from web browsers.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credentials from Password Stores, Credentials from Web Browsers

  • ATT&CK ID: T1555, T1555.003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label=Object label=Access label=File "process"="*wsus.exe" (path="*firefox*" OR path="*chrome*") -user IN EXCLUDED_USERS | process eval("attack_class='Credential Access'")| process eval("technique='Credentials from Web Browsers'") | chart count() by user, domain, host, log_ts, path, file, attack_class, technique order by count() desc limit 10
    

LP_Mitre Credential Access Using Credentials in File Detected

  • Trigger Condition: Credential Access using attack technique Credentials in File is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credentials in Files

  • ATT&CK ID: T1552, T1552.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*laZagne*.exe*" OR command="*laZagne*.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Credential Access'")| process eval("technique='Credentials in File'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Credential Access Using Input Capture Detected

  • Trigger Condition: Credential Access using attack technique Input Capture is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Input Capture

  • ATT&CK ID: T1056

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Set label=Registry image="*keylogger_directx.exe" -user IN EXCLUDED_USERS| process eval("attack_class='Credential Access'")| process eval("technique='Input Capture'") | rename commandline as command | chart count() by user, host, domain, log_ts, image, attack_class, technique order by count() desc limit 10
    

LP_Mitre Defense Evasion Using Decode Files or Information Detected

  • Trigger Condition: Defense evasion uses decode files or information.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Deobfuscate/Decode Files or Information

  • ATT&CK ID: T1140

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WinServer label="Process" label=Create (command="*certutil.exe*" OR commandline="*certutil.exe*") -user IN EXCLUDED_USERS| process eval("attack_class='Defense Evasion'")| process eval("technique='Deobfuscate/Decode Files or Information'")| rename commandline as command
    

LP_Mitre Defense Evasion Using File Deletion Detected

  • Trigger Condition: Defense evasion uses file deletion technique.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Data Destruction, Indicator Removal on Host, File Deletion

  • ATT&CK ID: T1485, T1070, T1070.004

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label=Object label=Access access="*delete*" (relative_target="*.exe" OR relative_target="*.bat") -user IN EXCLUDED_USERS | process eval("attack_class='Defense Evasion'")| process eval("technique='File Deletion'") | rename relative_target as file
    

LP_Mitre Discovery Using Account Discovery Detected

  • Trigger Condition: An attack Discovery uses an attack technique Account Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Account Discovery

  • ATT&CK ID: T1087

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*dsquery*" OR command="*dsquery*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Account Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using File and Directory Discovery Detected

  • Trigger Condition: Discovery uses an attack technique File and Directory Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: File and Directory Discovery

  • ATT&CK ID: T1083

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create -commandline="*findstr*" (commandline="*cmd.exe*dir *" OR commandline="*tree.com*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='File and Directory Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using Network Service Scanning Detected

  • Trigger Condition: Discovery uses an attack technique Network Service Scanning.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning

  • ATT&CK ID: T1046

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*nmap*" OR commandline="*RpcPing.exe*" OR commandline="*telnet.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Network Service Scanning'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using Network Sniffing Detected

  • Trigger Condition: Discovery uses an attack technique Network Sniffing.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Network Sniffing

  • ATT&CK ID: T1040

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create commandline="*tshark.exe*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Network Sniffing'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using Password Policy Discovery Detected

  • Trigger Condition: Discovery uses an attack technique Password Policy Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Password Policy Discovery

  • ATT&CK ID: T1201

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create commandline="*net.exe* accounts*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Password Policy Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using Permission Groups Discovery Detected

  • Trigger Condition: Discovery uses an attack technique Permission Groups Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Permission Groups Discovery

  • ATT&CK ID: T1069

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (command="*net*localgroup*" OR command="*net*group*" OR command="*get*localgroup*" OR commandline="*net*localgroup*" OR commandline="*net*group*" OR commandline="*get*localgroup*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Permission Groups Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using Query Registry Detected

  • Trigger Condition: Discovery uses an attack technique Query Registry.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Query Registry

  • ATT&CK ID: T1012

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create commandline="*reg query*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Query Registry'")| rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using Remote System Discovery Detected

  • Trigger Condition: Discovery uses an attack technique Remote System Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Remote System Discovery

  • ATT&CK ID: T1018

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*net.exe*view /domain" OR commandline="*nltest.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Remote System Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using Security Software Discovery Detected

  • Trigger Condition: Discovery uses an attack techniques Software Discovery and Security Software Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Software Discovery, Security Software Discovery

  • ATT&CK ID: T1518, T1518.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*findstr.exe*virus" OR commandline="*findstr.exe*cylance" OR commandline="*findstr.exe*defender" OR commandline="*findstr.exe*cb") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Security Software Discovery'") | rename commandline as command |
    chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using System Information Discovery Detected

  • Trigger Condition: Discovery uses an attack technique System Information Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Information Discovery

  • ATT&CK ID: T1082

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create commandline="*net.exe*config*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Information Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using System Network Configuration Discovery Detected

  • Trigger Condition: Discovery uses an attack technique System Network Configuration Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Network Configuration Discovery

  • ATT&CK ID: T1016

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*ipconfig.exe*" OR commandline="*route.exe*" OR commandline="*netsh advfirewall*" OR commandline="*arp.exe*" OR commandline="*nbtstat.exe*" OR commandline="*netsh.exe*interface show" OR commandline="*net*config") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Network Configuration Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using System Network Connections Discovery Detected

  • Trigger Condition: Discovery uses an attack technique System Network Connections Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Network Connections Discovery

  • ATT&CK ID: T1049

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*netstat*" OR commandline="*net.exe*use" OR commandline="*net.exe*sessions*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Network Connections Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using System Owner or User Discovery Detected

  • Trigger Condition: Discovery uses an attack technique System Owner or User Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Owner/User Discovery

  • ATT&CK ID: T1033

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*whoami*" OR commandline="*quser*" OR commandline="*wmic.exe*useraccount get*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Owner/User Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Discovery Using System Service Discovery Detected

  • Trigger Condition: Discovery uses an attack technique System Service Discovery.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: System Service Discovery

  • ATT&CK ID: T1007

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*net.exe*start*" OR commandline="*tasklist.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Service Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10
    

LP_Mitre Exfiltration Over Alternative Protocol Detected

  • Trigger Condition: LogPoint detects exfiltration of data over alternative protocol.

  • ATT&CK Category: Exfiltration

  • ATT&CK Tag: Exfiltration Over Alternative Protocol Detected

  • ATT&CK ID: T1048

  • Minimum Log Source Requirement: Proxy Server

  • Query:

    norm_id=*Proxy* source_address=* destination_address=* destination_address IN CLOUD_APPLICATION_IP | process eval("attack_class='Exfiltration'")| process eval("technique='Exfiltration Over Alternative Protocol'")
    

LP_Mitre Lateral Movement Using Remote Desktop Protocol Detected

  • Trigger Condition: Lateral Movement uses attack techniques Remote Services and Remote Desktop Protocol.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services, Remote Desktop Protocol

  • ATT&CK ID: T1021, T1021.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label=Remote label=Login label=Successful -user IN EXCLUDED_USERS | chart count() by user, domain, host, workstation, source_address order by count() desc limit 10
    

LP_Mitre Lateral Movement Using Remote Services Detected

  • Trigger Condition: Lateral Movement uses an attack technique Remote Services.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Exploitation of Remote Services

  • ATT&CK ID: T1210

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=7045 start_type="auto start" service="remotesvc" -user IN EXCLUDED_USERS | process eval("attack_class='Lateral Movement'")| process eval("technique='Remote Services'") | chart count() by user, image, log_ts, service, service_type, attack_class, technique order by count() desc limit 10
    

LP_Mitre Persistence Attack through Accessibility Process Feature

  • Trigger Condition: An OS’s accessibility features are used adversely to get a command prompt or backdoor without logging in to the system.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Event Triggered Execution, Accessibility Features

  • ATT&CK ID: T1546, T1546.008

  • Minimum Log Source Requirement: Windows

  • Query:

    (label="Process" label=Create "process" IN PERSISTENCE_ACCESSIBILITY_PROCESS) OR (parent_image IN PERSISTENCE_ACCESSIBILITY_PROCESS) OR (target_object IN PERSISTENCE_ACCESSIBILITY_OBJECT) -user IN EXCLUDED_USERS
    

LP_Mitre Persistence Attack through AppInit DLLs

  • Trigger Condition: Suspicious AppInit_DLL functionality is detected in an environment that could be a persistence attack.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Event Triggered Execution, AppInit DLLs

  • ATT&CK ID: T1546, T1546.01

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (target_object="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" OR target_object="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs")
    

LP_Mitre Persistence Using Account Creation Detected

  • Trigger Condition: The creation of an account with persistence is detected.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Account Manipulation

  • ATT&CK ID: T1098

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create commandline="*net*/add /y" -user IN EXCLUDED_USERS | process eval("attack_class='Persistence'")| process eval("technique='Create Account'") | rename commandline as command
    

LP_Mitre Persistence Using Account Manipulation Detected

  • Trigger Condition: Persistence uses an attack technique Account Manipulation.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Account Manipulation

  • ATT&CK ID: T1098

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create commandline="*net.exe*localgroup*/add" -user IN EXCLUDED_USERS | process eval("attack_class='Persistence'")| process eval("technique='Account Manipulation'") | rename commandline as command
    

LP_Mitre Persistence via Winlogon Helper DLL Detected

  • Trigger Condition: Modifications in Winlogon registry keys are detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Boot or Logon Autostart Execution, Winlogon Helper DLL

  • ATT&CK ID: T1547, T1547.004

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4657 object=Winlogon event_category=Registry path="*Windows NT\CurrentVersion*" new_value=* -user IN EXCLUDED_USERS
    

LP_Mitre Possible Privilege Escalation using Application Shimming

  • Trigger Condition: Installation or registration of shim databases to escalate privilege in an environment is detected.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Event Triggered Execution, Application Shimming

  • ATT&CK ID: T1546, T1546.011

  • Minimum Log Source Requirement: Windows

  • Query:

    ('process'=*sdbinst.exe OR image=*sdbinst.exe OR target_object IN APPLICATION_SHIM_OBJECTS) | rename 'process' as image
    

LP_Mitre Privilege Escalation Using Bypass User Access Control Detected

  • Trigger Condition: Privilege Escalation using Abuse Elevation Control Mechanism or Bypass User Access Control is detected.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control

  • ATT&CK ID: T1548

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (norm_id=WindowsSysmon OR (commandline=* norm_id=WinServer)) label="Process" label=Create (command="*eventvwr.exe*" OR commandline="*eventvwr.exe*" OR command="*wscript.exe*" OR commandline="*wscript.exe*" OR token_elevation_type="TokenElevationTypeLimited*") -user IN EXCLUDED_USERS | process eval("attack_class='Privilege Escalation'")| process eval("technique='Bypass User Access Control'") | rename commandline as command
    

LP_MMC Spawning Windows Shell Detected

  • Trigger Condition: Windows command line executable starting from MMC is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, Indirect Command Execution

  • ATT&CK ID: T1059, T1202

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\mmc.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\reg.exe", "*\regsvr32.exe", "*\BITSADMIN*"] -user IN EXCLUDED_USERS
    

LP_MMC20 Lateral Movement Detected

  • Trigger Condition: MMC20.Application Lateral Movement is detected explicitly for the spawning of the parent MMC.exe with a command line of -Embedding as a child of svchost.exe.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Inter-Process Communication, Component Object Model

  • ATT&CK ID: T1559, T1559.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\svchost.exe" image="*\mmc.exe" command="*-Embedding*" -user IN EXCLUDED_USERS
    

LP_Most Exploitable Vulnerabilities Detected

  • Trigger Condition: The most exploitable vulnerabilities from 2015 are detected in a network. For this alert to work, MOST_EXPLOITABLE_CVE must be updated with the list of exploitable vulnerabilities.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1518, T1518.001

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    norm_id=VulnerabilityManagement cve_id IN MOST_EXPLOITABLE_CVE
    

LP_MS Office Product Spawning Exe in User Dir

  • Trigger Condition: An executable in the users directory from Microsoft Word, Excel, Powerpoint, Publisher, or Visio is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Command-Line Interface, Indirect Command Execution

  • ATT&CK ID: T1059, T1202

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\OUTLOOK.EXE"] image IN ["C:\users\*.exe"] -user IN EXCLUDED_USERS
    

LP_MSHTA - File Access Detected

  • Trigger Condition: Creation of a file with .hta extension. Adversaries abuse mshta.exe for proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=11 or event_id=15) file="*.hta*" -user IN EXCLUDED_USERS
    

LP_MSHTA - Network Detected

  • Trigger Condition: LogPoint detects network connection events initiated by mshta.exe. Adversaries abuse mshta.exe for proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 (command="*mshta.exe" or parent_command="*mshta.exe") -user IN EXCLUDED_USERS
    

LP_MSHTA - Process Detected

  • Trigger Condition: The execution of mshta.exe to create a malicious process. Adversaries abuse mshta.exe to proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*mshta.exe" or parent_command="*mshta.exe") -user IN EXCLUDED_USERS
    

LP_Mshta JavaScript Execution Detected

  • Trigger Condition: The mshta.exe command is detected.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\mshta.exe" command="*javascript*" -user IN EXCLUDED_USERS
    

LP_MSHTA Spawning Windows Shell Detected

  • Trigger Condition: Windows command line executable started from MSHTA is detected.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\mshta.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\reg.exe", "*\regsvr32.exe", "*\BITSADMIN*"] -user IN EXCLUDED_USERS
    

LP_MSHTA Spwaned by SVCHOST Detected

  • Trigger Condition: mshta.exe spawned by SVCHOST observed in LethalHTA is detected.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\svchost.exe" image="*\mshta.exe" -user IN EXCLUDED_USERS
    

LP_MSHTA Suspicious Execution Detected

  • Trigger Condition: mshta.exe suspicious execution patterns sometimes involving file polyglotism is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Deobfuscate/Decode Files or Information

  • ATT&CK ID: T1140

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=1 image="*\mshta.exe" command IN ["*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"] -user IN EXCLUDED_USERS
    

LP_MsiExec Web Install Detected

  • Trigger Condition: The msiexec process starts with the web address as a parameter.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Msiexec

  • ATT&CK ID: T1218, T1218.007

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="* msiexec*://*" -user IN EXCLUDED_USERS
    

LP_MSTSC Shadowing Detected

  • Trigger Condition: Hijacking of RDP session using MSTSC shadowing is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Service Session Hijacking, RDP Hijacking

  • ATT&CK ID: T1563, T1563.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*noconsentprompt*" command="*shadow:*" -user IN EXCLUDED_USERS
    

LP_Multiple Failed Login Followed by Successful Login Followed by Logoff

  • Trigger Condition: Multiple failed login attempts are followed by successful login, and then by log off from the same user are detected.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access

  • ATT&CK Tag: Valid Accounts, Brute Force

  • ATT&CK ID: T1078, T1110

  • Minimum Log Source Requirement: Windows

  • Query:

    [incident_name="Multiple Failed User Login Followed by Successful Login" incident_user=*] as FirstAlert followed by [norm_id=WinServer* label=User label=Logoff user=* -user IN EXCLUDED_USERS] as Logoff on FirstAlert.incident_user=Logoff.user | rename Logoff.user as User, FirstAlert.incident_address as SourceAddress
    

LP_Mustang Panda Dropper Detected

  • Trigger Condition: Specific process parameters used by Mustang Panda droppers are detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Exploitation for Defense Evasion

  • ATT&CK ID: T1211

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command IN ["*Temp\wtask.exe /create*", "*%windir:~-3, 1%%PUBLIC:~-9, 1%*", "*/E:vbscript * C:\Users\*.txt* /F", "*/tn *Security Script *", "*%windir:~-1, 1%*"]) OR (image IN ["*Temp\winwsh.exe"]) -user IN EXCLUDED_USERS
    

LP_Named Pipe added to Null Session Detected

  • Trigger Condition: Lateral Movement attempt by enabling of null session through named pipe is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services

  • ATT&CK ID: T1021

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=13 image="*reg.exe" target_object="*lanmanserver*NullSessionPipes" detail="Binary Data" -user IN EXCLUDED_USERS
    

LP_Narrators Feedback-Hub Persistence Detected

  • Trigger Condition: Abusing Windows 10 Narrator’s Feedback-Hub is detected.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

  • ATT&CK ID: T1547, T1547.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (event_id=12 event_type="DeleteValue" target_object="*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute") OR (event_id=13 target_object="*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)")
    

LP_Nefilim Ransomware Infected Host Detected

  • Trigger Condition: Nefilim double extortion ransomware-infected host is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Encrypted for Impact

  • ATT&CK ID: T1486

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

  • Query:

    host=* hash=* hash IN NEFILIM_RANSOMWARE_HASHES
    

LP_Net exe Execution Detected

  • Trigger Condition: The execution of Net.exe, which can be suspicious or benign, is detected.

  • ATT&CK Category: Lateral Movement, Discovery, Defense Evasion

  • ATT&CK Tag: Obfuscated Files or Information, System Network Connections Discovery, Remote Services, Network Share Discovery

  • ATT&CK ID: T1027, T1049, T1021, T1135

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image IN ["*\net.exe", "*\net1.exe"] command IN ["* group*", "* localgroup*", "* user*", "* view*", "* share", "* accounts*", "* use*", "* stop *"] -user IN EXCLUDED_USERS
    

LP_Net exe User Account Creation

  • Trigger Condition: The creation of local users via the net.exe command is detected.

  • ATT&CK Category: Persistence, Credential Access

  • ATT&CK Tag: Create Account

  • ATT&CK ID: T1136

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image IN ["*\net.exe", "*\net1.exe"] command="*user*" command="*add*" -user IN EXCLUDED_USERS
    

LP_NetNTLM Downgrade Attack Detected

  • Trigger Condition: Post exploitation via NetNTLM downgrade attacks is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Disable or Modify Tools, Modify Registry

  • ATT&CK ID: T1562, T1562.001, T1112

  • Minimum Log Source Requirement: Windows

  • Query:

    (event_id=13 target_object IN ["*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel", "*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec", "*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic"]) OR (norm_id=WinServer event_id=4657 object_name="\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa" object_value IN ["LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic"]) -user IN EXCLUDED_USERS
    

LP_Firewall Addition via Netsh Detected

  • Trigger Condition: A connection is allowed by port or application on Windows firewall.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Impair Defenses, Disable or Modify System Firewall

  • ATT&CK ID: T1562, T1562.004

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*netsh firewall add*"] -user IN EXCLUDED_USERS
    

LP_Netsh Helper DLL - Process Detected

  • Trigger Condition: Adversaries use Netshell helper DLLs to execute arbitrary code persistently. Netsh.exe is a command-line scripting utility used to interact with the network configuration of a system.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

  • ATT&CK ID: T1546, T1546.007

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*netsh.exe" command="*helper*") -user IN EXCLUDED_USERS
    

LP_Netsh Helper DLL - Registry Detected

  • Trigger Condition: Windows registry at HKLMSOFTWAREMicrosoftNetsh is detected. HKLMSOFTWAREMicrosoftNetsh is a path to registered netsh.exe helper DLLs.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

  • ATT&CK ID: T1546, T1546.007

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\SOFTWARE\Microsoft\Netsh\*" -user IN EXCLUDED_USERS
    

LP_Netsh Port Forwarding Detected

  • Trigger Condition: The netsh command used in the configuration of port forwarding is detected.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

  • ATT&CK ID: T1546, T1546.007

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="netsh interface portproxy add v4tov4 *" -user IN EXCLUDED_USERS
    

LP_Netsh RDP Port Forwarding Detected

  • Trigger Condition: The netsh command used in the configuration of port forwarding of port 3389 for RDP is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services

  • ATT&CK ID: T1021

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["netsh i* p*=3389 c*"] -user IN EXCLUDED_USERS
    

LP_Network Share Connection Removed

  • Trigger Condition: The removal of a share connection is detected. Adversaries remove share connections that are no longer useful to clean traces of their operation.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Indicator Removal on Host, Network Share Connection Removal

  • ATT&CK ID: T1070, T1070.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*net.exe" command="*net delete*") or command="*Remove-SmbShare*" or command="*Remove-FileShare*" -user IN EXCLUDED_USERS
    

LP_Network Share Discovery

  • Trigger Condition: The net utility is used to query a system for available shared drives using net view or net share command. Adversaries look for folders and drive shared on remote systems to identify sources of information to gather as a precursor for collection and identification of potential systems of interest for Lateral Movement.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Network Share Discovery

  • ATT&CK ID: T1135

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*net.exe" (command="*net view*" or command="*net share*")) or command="*get-smbshare -Name*" -user IN EXCLUDED_USERS
    

LP_Network Sniffing Detected

  • Trigger Condition: The execution of network sniffing tools is detected. Adversaries sniff network traffic to capture information about an environment, including authentication material passed over the network.

  • ATT&CK Category: Credential Access, Discovery

  • ATT&CK Tag: Network Sniffing

  • ATT&CK ID: T1040

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*tshark.exe" or image="*windump.exe" or image="*logman.exe" or image="*tcpdump.exe" or image="*wprui.exe" or image="*wpr.exe") -user IN EXCLUDED_USERS
    

LP_New Driver File Creation Detected

  • Trigger Condition: Creation of a new driver file.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Shared Modules

  • ATT&CK ID: T1129

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 path="C:\Windows*Drivers*" -user IN EXCLUDED_USERS
    

LP_New Firewall Port Opening Detected

  • Trigger Condition: An opening of a new port in a firewall is detected.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Non-Standard Port

  • ATT&CK ID: T1571

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4657 object=FirewallRules event_category=Registry object_name="*ControlSet*FirewallPolicy\FirewallRules" new_value=* -user IN EXCLUDED_USERS | norm on new_value <:all>Action=<action:word><:all>Active=<active:word><:all>Dir=<direction:word><:all>Protocol=<proto:int><:all>Port=<port:int><:all>Name=<rule:string><:'\|'> | process eval("protocol = if(proto == 6) {return 'TCP'} else {return 'UDP'}")
    

LP_New RUN Key Pointing to Suspicious Folder Detected

  • Trigger Condition: A new suspicious RUN key element pointing to an executable in a folder is detected.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

  • ATT&CK ID: T1547, T1547.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=13 target_object IN ["*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*", "*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*"] detail IN ["*C:\Windows\Temp\*", "*\AppData\*", "%AppData%\*", "*C:\$Recycle.bin\*", "*C:\Temp\*", "*C:\Users\Public\*", "%Public%\*", "*C:\Users\Default\*", "*C:\Users\Desktop\*", "wscript*", "cscript*"] -detail IN ["*\AppData\Local\Microsoft\OneDrive\\*"] -user IN EXCLUDED_USERS
    

LP_New Service Creation

  • Trigger Condition: LogPoint detects creation of a new service.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Create or Modify System Process, Windows Services

  • ATT&CK ID: T1547, T1547.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*sc.exe" or image="*powershell.exe" or image="*cmd.exe") (command="*New-Service*BinaryPathName*" or command="*sc*create*binpath*" or command="*Get-WmiObject*Win32_Service*create*") -user IN EXCLUDED_USERS
    

LP_Non Interactive PowerShell Execution

  • Trigger Condition: Non-interactive Command and Scripting Interpreter and PowerShell activity by looking at powershell.exe with no explorer.exe as a parent.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_Image="*\explorer.exe" -user IN EXCLUDED_USERS
    

LP_NoPowerShell Tool Activity Detected

  • Trigger Condition: Execution of NoCommand and Scripting Interpreter and PowerShell tool.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Shared Modules

  • ATT&CK ID: T1129

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 -file in ["*cscript.exe.log", "*wscript.exe.log", "*wmic.exe.log", "*mshta.exe.log", "*svchost.exe.log", "*regsvr32.exe.log", "*rundll32.exe.log"] file="*.exe.log" -user IN EXCLUDED_USERS
    

LP_NotPetya Ransomware Activity Detected

  • Trigger Condition: NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe is detected. The file system journal of drive C is deleted, and window event logs are cleared using wevtutil.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Rundll32, Indicator Removal on Host

  • ATT&CK ID: T1218, T1218.011, T1070

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*\AppData\Local\Temp\* \.\pipe\*" OR (image="*\rundll32.exe" command="*.dat, #1")) -user IN EXCLUDED_USERS
    

LP_OceanLotus Registry Activity Detected

  • Trigger Condition: Creation of registry keys in OceanLotus attacks, which is also known as APT32.

  • ATT&CK Category: Persistence, Defense Evasion

  • ATT&CK Tag: Modify Registry

  • ATT&CK ID: T1112

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=13 target_object IN ["HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model", "HKU\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model",
    "*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application",
    "*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon","*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application",
    "*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon",
    "*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application", "*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon",
    "HKU\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\*", "HKU\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\*",
    "HKU\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\*"]
    -user IN EXCLUDED_USERS
    

LP_Office365 Multiple Failed Login from Different Host by Single User

  • Trigger Condition: A user attempts multiple failed logins from distinct hosts with a count greater than one.

  • ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access

  • ATT&CK Tag: Brute Force, Valid Accounts

  • ATT&CK ID: T1110, T1078

  • Minimum Log Source Requirement: Office365

  • Query:

    norm_id="Office365" source_address=* label=User label=Login label=Fail | chart distinct_count(source_address) as DC by user | search DC>1
    

LP_Office365 Multiple Failed Login from Same Host

  • Trigger Condition: Multiple failed logins from the same host with a count greater than five.

  • ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access

  • ATT&CK Tag: Brute Force, Valid Accounts

  • ATT&CK ID: T1110, T1078

  • Minimum Log Source Requirement: Office365

  • Query:

    norm_id="Office365" source_address=* label=User label=Login label=Fail | chart count() as"Cnt" by user, source_address| search Cnt > 5
    

LP_Office365 Multiple Successful Login from Different Country by Single User

  • Trigger Condition: A user attempts multiple failed logins from different countries with a count greater than one.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Office365

  • Query:

    norm_id="Office365" label=User label=login label=Successful source_address=* | process geoip(source_address) as country |chart distinct_count(country) as DC by user| search DC >1
    

LP_Office365 Multiple Successful Login From Different Host by Single User

  • Trigger Condition: A user attempts multiple successful logins from a distinct host with a count greater than one.

  • ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Office365

  • Query:

    norm_id="Office365" label=User label=login label=Successful source_address=* | chart distinct_count(source_address) as DC by user |search DC >1
    

LP_Office365 Password Resets

  • Trigger Condition: A user’s password is reset.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Account Manipulation

  • ATT&CK ID: T1098

  • Minimum Log Source Requirement: Office365

  • Query:

    norm_id="Office365" label=Password label=Reset user=*
    

LP_OpenWith Execution of Specified Binary Detected

  • Trigger Condition: The execution of OpenWith.exe is detected as a specified binary. It characterized as a malicious activity when executed from a location other than C:WindowsSystem32* path.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution

  • ATT&CK ID: T1218

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\OpenWith.exe" command="*/c*" -user IN EXCLUDED_USERS
    

LP_Operation Wocao Activity Detected

  • Trigger Condition: Activity mentioned in Operation Wocao report is detected.

  • ATT&CK Category: Defense Evasion,Execution, Persistence, Privilege Escalation

  • ATT&CK Tag: Exploitation for Defense Evasion, Obfuscated Files or Information, Masquerade Task or Service, Masquerading, Scheduled Task/Job, Scheduled Task

  • ATT&CK ID: T1211, T1012, T1036, T1036.004, T1053, T1053.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    ((norm_id=WinServer event_id=4799 group="Administrators" "process"="*\checkadmin.exe") OR (norm_id=WindowsSysmon event_id=1 command IN ["*checkadmin.exe 127.0.0.1 -all*", "*netsh advfirewall firewall add rule name=powershell dir=in*", "*cmd /c powershell.exe -ep bypass -file c:\s.ps1*", "*/tn win32times /f*", "*create win32times binPath=*", "*\c$\windows\system32\devmgr.dll*", "* -exec bypass -enc JgAg*", "*type *keepass\KeePass.config.xml*", "*iie.exe iie.txt*", "*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*"])) -user IN EXCLUDED_USERS
    

LP_Pandemic Registry Key Detected

  • Trigger Condition: LogPoint detects pandemic Windows implant. It turns file servers into patient zero on a local network, infecting machines requesting files with trojanized replacements.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote File Copy

  • ATT&CK ID: T1105

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (event_id=13 target_object IN ["HKLM\SYSTEM\CurrentControlSet\services\null\Instance*"]) OR (event_id=1 command="loaddll -a *")
    

LP_Password Change on DSRM Account Detected

  • Trigger Condition: Password change in Directory Service Restore Mode (DSRM) account is detected.

  • ATT&CK Category: Persistence, Privilege Escalation

  • ATT&CK Tag: Account Manipulation

  • ATT&CK ID: T1098

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4794 -user IN EXCLUDED_USERS
    

LP_Password Dumper Remote Thread in LSASS

  • Trigger Condition: Password dumper activity by monitoring remote thread creation event ID 8 in combination with the lsass.exe process as TargetImage is detected. The process in the field Process is a malicious program and a single execution can lead to hundreds of events.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=8 image="C:\Windows\System32\lsass.exe" -start_module=* -user IN EXCLUDED_USERS
    

LP_Password Spraying Attack Detected

  • Trigger Condition: Password spraying attack is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Brute Force

  • ATT&CK ID: T1110

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4625 -user IN EXCLUDED_USERS -user IN EXCLUDED_USERS | chart distinct_count(user) as UserCount, distinct_list(user) as Users by source_address | search UserCount > 5
    

LP_Persistence and Execution at Scale via GPO Scheduled Task

  • Trigger Condition: Lateral movement using GPO scheduled task used to deploy ransomware at scale is detected.

  • ATT&CK Category: Persistence, Lateral Movement, Execution, Privilege Escalation

  • ATT&CK Tag: Scheduled Task/Job, Scheduled Task

  • ATT&CK ID: T1053, T1053.005

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=5145 share_name="\*\SYSVOL" relative_target="*ScheduledTasks.xml" access="*WriteData*" -user IN EXCLUDED_USERS
    

LP_Petya Affected Hosts

  • Trigger Condition: Applications and commands like wevtutil,wmic,rundll,or schtasks are executed for defense evasion. For this alert to work, you must update the list PETYA_COMMAND.

  • ATT&CK Category: Discovery, Defense Evasion

  • ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

  • ATT&CK ID: T1046, T1211, T1518, T1518.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer* event_id=106 event_source="Microsoft-Windows-TaskScheduler" task IN PETYA_COMMAND -user IN EXCLUDED_USERS
    

LP_Petya Compromised Files

  • Trigger Condition: A file with IOC’s of Petya file digest value is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Data Encrypted for Impact, Data Destruction, Proxy

  • ATT&CK ID: T1486, T1485, T1090

  • Minimum Log Source Requirement: Integrity Scanner

  • Query:

    norm_id=IntegrityScanner digest IN PETYA_DIGEST OR prev_digest IN PETYA_DIGEST path=*
    

LP_Ping Hex IP Detected

  • Trigger Condition: Ping command using a hex-encoded IP address is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Deobfuscate/Decode Files or Information, Obfuscated Files or Information

  • ATT&CK ID: T1140, T1027

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*\ping.exe 0x*", "*\ping 0x*"] -user IN EXCLUDED_USERS
    

LP_Ping of Death Attack

  • Trigger Condition: Datagrams with a size greater than 65536 are received.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service, Direct Network Flood

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    label=Receive label=Packet (packet_length>65536 or fragment_length>65536)
    

LP_Possible Access to ADMIN Share

  • Trigger Condition: Access to $ADMIN share and may help to detect lateral movement attempts. Since Windows Admin Share activity is so common, it provides adversaries with a powerful, discreet way to move laterally within an environment. Self-propagating ransomware and cryptocurrency miners, both rapidly emerging threats, rely on Windows Admin Shares. Suppose an adversary can obtain legitimate Windows credentials. The hidden shares (C$, ADMIN$, and IPC$) can be accessed remotely via server message block (SMB) or the Net utility to transfer files and execute code. Windows Admin Shares are often used in conjunction with behaviors relating to Remote File Copy (T1105)—because adversaries commonly use the technique to copy files remotely—and Network Share Discovery (T1135). It can also occur with New Service (T1050) and Service Execution (T1035) because tools like PsExec deploys their receiver executable to admin shares, scheduling a service to execute it. Legitimate administrative activities may generate false positives and will require whitelisting.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services

  • ATT&CK ID: T1021

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=5140 share_name="Admin"−user="∗" -user IN EXCLUDED_USERS
    

LP_Possible Account Misuse-Abnormal Login

  • Trigger Condition: Admin is logged in or running an application beyond regular office hours is detected.

  • ATT&CK Category: Initial Access, Privilege Escalation, Defense Evasion, Persistence

  • ATT&CK Tag: Valid Accounts

  • ATT&CK ID: T1078

  • Minimum Log Source Requirement: Windows

  • Query:

    (label=User label=Login label=Successful user in ADMINS ((day_of_week(log_ts) IN ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]) and (hour(log_ts)<9 or hour(log_ts)>17)) or (day_of_week(log_ts) IN ["Saturday", "Sunday"] )) or (label=User label=Login label=Successful sub_status_code="0xC000006F") user=* (workstation=* or source_address=*)
    

LP_Possible Account Misuse-Privilege Escalation

  • Trigger Condition: The non-admin users are assigned privileged access. The event maps to event ID of 4648 and 4672 in Windows.

  • ATT&CK Category: Privilege Escalation, Persistence, Defense Evasion

  • ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Account Control

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Windows

  • Query:

    ((label=Privilege label=Assign) or (label=Login label=Explicit label=Credential) user=* -user in ADMINS) OR (label=User label=Add label=Group user=* group=*admin*)
    

LP_Possible Applocker Bypass Detected

  • Trigger Condition: The execution of executables like msdt,installutil,regsvcs,regasm,or msbuild.ieexec is detected, which is used to bypass Applocker whitelisting.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Mshta, InstallUtil, Regsvcs/Regasm, Trusted Developer Utilities

  • ATT&CK ID: T1218, T1218.004, T1218.009, T1127, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*\msdt.exe*", "*\installutil.exe*", "*\regsvcs.exe*", "*\regasm.exe*", "*\msbuild.exe*", "*\ieexec.exe*"] -user IN EXCLUDED_USERS
    

LP_Possible Baby Shark Activity Detected

  • Trigger Condition: LogPoint detects activity related to Baby Shark malware involving access to registry keys of terminal server client, execution of mshta via powershell, and task kill of cmd.exe.

  • ATT&CK Category: Execution, Discovery, Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Query Registry, Signed Binary Proxy Execution, Mshta

  • ATT&CK ID: T1059, T1059.001, T1012, T1218, T1218.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["reg query *HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default*", "powershell.exe mshta.exe http*", "cmd.exe /c taskkill /im cmd.exe"] -user IN EXCLUDED_USERS
    

LP_Possible Bitsadmin Download Detected

  • Trigger Condition: The use of bitsadmin downloading a file is detected.

  • ATT&CK Category: Defense Evasion, Persistence

  • ATT&CK Tag: BITS Jobs

  • ATT&CK ID: T1197

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\bitsadmin.exe" (command="* /transfer *" OR command="*copy bitsadmin.exe*") -user IN EXCLUDED_USERS
    

LP_Possible Botnet Connection-DNS Server Modified

  • Trigger Condition: An unauthorized default Application Layer Protocol and DNS server modification are detected in Unix or Windows Server.

  • ATT&CK Category: Impact, Command and Control, Defense Evasion

  • ATT&CK Tag: Network Denial of Service, Proxy, Exploitation for Defense Evasion

  • ATT&CK ID: T1498, T1090, T1211

  • Minimum Log Source Requirement: Windows

  • Query:

    ((norm_id=Unix action="RUN" (file="etc/resolv.conf" or file="*\etc\host")) or (norm_id=WinServer* (label=File (label=Write or label=Modify) path="C:\Windows\System32\Drivers\etc" object="hosts") or (label=DNS label=Update (label=Successful or label=Request OR label=Fail)) (host=* or source_address=*))) -user IN EXCLUDED_USERS
    

LP_Possible Botnet Connection-IRC Port

  • Trigger Condition: The connection through the IRC port is detected. For this alert to work, you must update the list IRC_PORTS, including commonly used ports 6660 to 6669 and 6700.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    source_address=* destination_address=* destination_port in IRC_PORTS
    

LP_Possible Botnet Connection-Outbound DDOS

  • Trigger Condition: Multiple hosts connecting to the same destination address is detected.

  • ATT&CK Category: Impact, Command and Control, Defense Evasion

  • ATT&CK Tag: Network Denial of Service, Proxy, Exploitation for Defense Evasion

  • ATT&CK ID: T1498, T1090, T1211

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Connection source_address in HOMENET destination_address=* | chart distinct_count(source_address) as source by destination_address| search source>100
    

LP_Possible Botnet Connection-Outbound Spam

  • Trigger Condition: An unauthorized email sent through an open relay is detected.

  • ATT&CK Category: Command and Control, Defense Evasion, Impact

  • ATT&CK Tag: Proxy, Exploitation for Defense Evasion, Network Denial of Service

  • ATT&CK ID: T1090, T1211, T1498

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (source_address=* or host=* method="HELO" or method="EHLO") or (label=Connection destination_port="25" source_address=* or host=*) | search -source_address IN MAIL_SERVER_IP
    

LP_Possible CLR DLL Loaded Via Office Applications

  • Trigger Condition: CLR DLL is loaded by an Office Product like WinWord, PowerPoint Excel, or Outlook.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: Phishing, Spearphishing Attachment

  • ATT&CK ID: T1566, T1566.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe", "*\powerpnt.exe", "*\excel.exe", "*\outlook.exe"] image IN ["*\clr.dll*"] -user IN EXCLUDED_USERS
    

LP_Possible Credential Dump-Tools Named Pipes Detected

  • Trigger Condition: A well-known credential dumping tool execution via specifically named pipes like lsadump, cachedump, or wceservicepipe is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=17 pipe IN ["*\lsadump*", "*\cachedump*", "*\wceservicepipe*"] -user IN EXCLUDED_USERS
    

LP_Possible Data Breach

  • Trigger Condition: Unauthorized transfer of sensitive data is detected using mail applications, cloud applications, or other sources. For the alert to work, you must update the lists RESIGNED_EMPLOYEES, KNOWN_DOMAINS, and CLOUD_APPLICATIONS.

  • ATT&CK Category: Exfiltration

  • ATT&CK Tag: Exfiltration Over Web Service, Exfiltration to Cloud Storage

  • ATT&CK ID: T1567, T1567.002

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (label=Mail object="*attachment*" sender in RESIGNED_EMPLOYEES -receiver in KNOWN_DOMAINS) or (label=Object label=Access (label=Write or label=Modify) event_category="*Removable*" user in RESIGNED_EMPLOYEES) or (label=Access label=Object (label=Write or label=Modify) path IN CLOUD_APPLICATIONS user in RESIGNED_EMPLOYEES) or (label=Data label=Transfer label=Sensitive source_address=* destination_address=*)
    

LP_Possible Data Breach-Off Hour Transfer

  • Trigger Condition: Unauthorized transfer of sensitive data during off-hours is detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (norm_id=*Firewall or norm_id=*IDS*) label=Connection source_address=* destination_address=* destination_port=* sent_datasize=* ((day_of_week(log_ts) IN ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]) and (hour(log_ts)<9 or hour(log_ts)>17)) or (day_of_week(log_ts) IN ["Saturday", "Sunday"] ) | chart sum((sent_datasize)/1024/1024) as TotalSentMB by user | search TotalSentMB>20
    

LP_Possible DDOS Attack

  • Trigger Condition: A considerable number of inbound traffic within a short period is detected.

  • ATT&CK Category: Initial Access, Impact

  • ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service

  • ATT&CK ID: T1190, T1498

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Deny ((protocol=icmp or application="icmp" or service=icmp) or (protocol=http or protocol=https) or (protocol=udp) or 'dns reply' or 'SYN') source_address=* destination_address=*| chart count(source_address) as ddos_source by destination_address| search ddos_source>2000
    

LP_Possible Detection of SafetyKatz

  • Trigger Condition: SafetyKatz behavior where a temp file debug.bin is created in temp folder to dump credentials using lsass.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping, LSASS Memory

  • ATT&CK ID: T1003, T1003.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 path="*\Temp" file="debug.bin" -user IN EXCLUDED_USERS
    

LP_Possible DNS Rebinding Detected

  • Trigger Condition: Different DNS answers by one domain with IPs from internal and external networks are detected. Typically, DNS-answer contains TTL greater than 100. Application Layer Protocol and DNS-record are saved in the host cache during TTL.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=22 query="*" status_code="0" query_result IN ["(::ffff:)?10.*", "(::ffff:)?192.168.*", "(::ffff:)?172.16.*", "(::ffff:)?172.17.*", "(::ffff:)?172.18.*", "(::ffff:)?172.19.*", "(::ffff:)?172.20.*", "(::ffff:)?172.21.*", "(::ffff:)?172.22.*", "(::ffff:)?172.23.*", "(::ffff:)?172.24.*", "(::ffff:)?172.25.*", "(::ffff:)?172.26.*", "(::ffff:)?172.27.*", "(::ffff:)?172.28.*", "(::ffff:)?172.29.*", "(::ffff:)?172.30.*", "(::ffff:)?172.31.*", "(::ffff:)?127.*"] -user IN EXCLUDED_USERS | chart count(QueryName) as val by host | search val > 3
    

LP_Possible DoS Attack

  • Trigger Condition: LogPoint detects DOS attack.

  • ATT&CK Category: Initial Access, Impact

  • ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service, Endpoint Denial of Service

  • ATT&CK ID: T1190, T1498, T1499

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    label=Dos label=Attack source_address=* destination_address=*
    

LP_Possible Empire Monkey Detected

  • Trigger Condition: LogPoint detects EmpireMonkey APT reported activity involving exploitation of scrobj.dll file using cutil or regsvr32.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*/i:%APPDATA%\logs.txt scrobj.dll" (image IN ["*\cutil.exe"] OR message IN ["Microsoft(C) Registerserver"]) -user IN EXCLUDED_USERS
    

LP_Possible Executable Used by PlugX in Uncommon Location

  • Trigger Condition: The execution of an executable used by PlugX for DLL side loading initated from an exotic location.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

  • ATT&CK ID: T1574, T1574.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\CamMute.exe" -image="*\Lenovo\Communication Utility\*") OR (image="*\chrome_frame_helper.exe" -image="*\Google\Chrome\application\*") OR (image="*\dvcemumanager.exe" -image="*\Microsoft Device Emulator\*") OR (image="*\Gadget.exe" -image="*\Windows Media Player\*") OR (image="*\hcc.exe" -image="*\HTML Help Workshop\*") OR (image="*\hkcmd.exe" -image IN ["*\System32\*", "*\SysNative\*", "*\SysWowo64\*"]) OR (image="*\Mc.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*"]) OR (image="*\MsMpEng.exe" -image IN ["*\Microsoft Security Client\*", "*\Windows Defender\*", "*\AntiMalware\*"]) OR (image="*\msseces.exe" -image IN ["*\Microsoft Security Center\*", "*\Microsoft Security Client\*", "*\Microsoft Security Essentials\*"]) OR (image="*\OInfoP11.exe" -image="*\Common Files\Microsoft Shared\*") OR (image="*\OleView.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*", "*\Windows Resource Kit\*"]) OR (image="*\rc.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*", "*\Windows Resource Kit\*", "*\Microsoft.NET\*"])) -user IN EXCLUDED_USERS
    

LP_Possible Exploitation for CVE-2015-1641 Detected

  • Trigger Condition: Winword starting uncommon subprocess MicroScMgmt.exe used in exploits for CVE-2015-1641 is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\MicroScMgmt.exe " -user IN EXCLUDED_USERS
    

LP_Possible Hijack of Legit RDP Session to Move Laterally

  • Trigger Condition: The use of tsclient share to place a backdoor on the RDP source machine’s startup folder is detected.

  • ATT&CK Category: Persistence, Lateral Movement, Privilege Escalation

  • ATT&CK Tag: Remote Service Session Hijacking, RDP Hijacking, Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

  • ATT&CK ID: T1563, T1563.002, T1547, T1547.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=11 image="*\mstsc.exe" file="*\Microsoft\Windows\Start Menu\Programs\Startup\*" -user IN EXCLUDED_USERS
    

LP_Possible Impacket Lateralization Detected

  • Trigger Condition: wmiexec/dcomexec/atexec/smbexec from the Impacket framework is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Windows Management Instrumentation, Inter-Process Communication, Inter-Process Communication, Component Object Model and Distributed COM

  • ATT&CK ID: T1047, T1021, T1021.003, T1559, T1559.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((parent_image IN ["*\wmiprvse.exe", "*\mmc.exe", "*\explorer.exe", "*\services.exe"] command IN ["*cmd.exe* /Q /c * \\127.0.0.1\*&1*"]) OR (parent_command IN ["*svchost.exe -k netsvcs", "taskeng.exe*"] command IN ["cmd.exe /C *Windows\Temp\*&1"])) -user IN EXCLUDED_USERS
    

LP_Possible Impacket SecretDump Remote Activity

  • Trigger Condition: LogPoint detects share_nameAD credential dumping using impacket secretdump HKTL.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=5145 share_name="\*\ADMIN$" relative_target="SYSTEM32\*.tmp" -user IN EXCLUDED_USERS
    

LP_Possible Inbound Spamming Detected

  • Trigger Condition: LogPoint detects possible inbound spam.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Mail Server

  • Query:

    (sender=* receiver=* -sender in KNOWN_DOMAINS) | chart distinct_count(receiver) as spam_receiver by sender | search spam_receiver>100
    

LP_Possible Insider Threat

  • Trigger Condition: LogPoint detects alerts like privilege escalation, unauthorized access, and data breach for the same user.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Logpoint

  • Query:

    event_type="Possible Insider Threat" incident_user=* -incident_user in EXCLUDED_USERS| rename incident_user as user | chart distinct_count(incident_name) as AlertCount by user | search AlertCount>2
    

LP_Possible Land Attack

  • Trigger Condition: LogPoint detects a Cisco land-attack with event ID 106017.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Network Denial of Service

  • ATT&CK ID: T1498

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    event_id=106017 label=Connection label=Attack label=Deny
    

LP_Possible Malicious Payload Download via Office Binaries Detected

  • Trigger Condition: A payload is downloaded from a remote server with HTTP command using Microsoft Office applications like PowerPoint, Word, and Excel in a compromised system.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Ingress Tool Transfer

  • ATT&CK ID: T1105

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image IN ["*\powerpnt.exe", "*\winword.exe", "*\excel.exe"] command="*http*" -user IN EXCLUDED_USERS
    

LP_Possible Malware Detected

  • Trigger Condition: A file or software is detected as worm, virus, trojan, or malware.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Antivirus

  • Query:

    (label=Malware or label=Threat or label=Virus or label=Quarantine or label=Risk) (malware=* OR risk=* OR virus=*) (file=* or application=* or url=*)
    

LP_Possible Modification of Boot Configuration

  • Trigger Condition: The use of the bcdedit command to delete boot configuration data is detected. The tactic is used by malware or an attacker as a destructive technique.

  • ATT&CK Category: Impact, Defense Evasion, Persistence

  • ATT&CK Tag: Inhibit System Recovery, Pre-OS Boot, Bootkit

  • ATT&CK ID: T1490, T1542, T1542.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\bcdedit.exe" command IN ["*delete*", "*import*","set"]) OR ((command="*bootstatuspolicy*" command="*ignoreallfailures*") OR (command="*recoveryenabled*" command="*no*"))) -user IN EXCLUDED_USERS
    

LP_Possible Outbound Spamming Detected

  • Trigger Condition: An outbound spamming is detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Mail Server

  • Query:

    (sender=* receiver=* -receiver in KNOWN_DOMAINS sender in KNOWN_DOMAINS) | chart distinct_count(receiver) as spam_receiver by sender | search spam_receiver>100
    

LP_Possible Pass the Hash Activity Detected

  • Trigger Condition: An attack technique Pass the Hash used to move laterally inside the network is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash

  • ATT&CK ID: T1550, T1550.002

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4624 ((caller_id="S-1-0-0" logon_type="3" logon_process="NtLmSsp" key_length="0") OR (logon_type="9" logon_process="seclogo")) -user="ANONYMOUS LOGON" -user IN EXCLUDED_USERS
    

LP_Possible Privilege Escalation via Service Permissions Weakness

  • Trigger Condition: Modification of services configuration (ImagePath, FailureCommand, and ServiceDLL) in the registry by processes with medium integrity level.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Hijack Execution Flow, Service Registry Permissions Weakness

  • ATT&CK ID: T1574, T1574.011

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=13 integrity_level="Medium" target_object="*\services\\*" target_object IN ["*\path", "*\FailureCommand", "*\Parameters\ServiceDll"] -user IN EXCLUDED_USERS
    

LP_Possible Privilege Escalation via Weak Service Permissions

  • Trigger Condition: The sc.exe utility spawning by a user with medium integrity level to change the service ImagePath or FailureCommand is detected.

  • ATT&CK Category: Privilege Escalation

  • ATT&CK Tag: Access Token Manipulation

  • ATT&CK ID: T1134

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\sc.exe" integrity_level="Medium" command IN ["*config*", "*binPath*", "*failure*", "*command*"] -user IN EXCLUDED_USERS
    

LP_Possible Process Hollowing Image Loading

  • Trigger Condition: Loading of samlib.dll or WinSCard.dll from untypical process is detected. For example, through process hollowing by Mimikatz.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Process Injection, Process Hollowing

  • ATT&CK ID: T1574, T1574.002, T1055, T1055.012

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=7 source_image IN ["*\notepad.exe"] image IN ["*\samlib.dll", "*\WinSCard.dll"] -user IN EXCLUDED_USERS
    

LP_Possible SPN Enumeration Detected

  • Trigger Condition: Service Principal Name Enumeration used for Steal or Forge Kerberos Tickets and Kerberoasting is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

  • ATT&CK ID: T1558, T1558.003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*-q*" (image="*\setspn.exe" OR message="*Query or reset the computer* SPN attribute*") -user IN EXCLUDED_USERS
    

LP_Possible SquiblyTwo Detected

  • Trigger Condition: WMI SquiblyTwo Attack with possible renamed WMI seeking for imphash is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Windows Management Instrumentation

  • ATT&CK ID: T1047

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((image="*\wmic.exe" command="wmic *format:*http*") OR (hash_imphash IN ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] command="*format:*http*")) -user IN EXCLUDED_USERS
    

LP_Possible Taskmgr run as LOCAL_SYSTEM Detected

  • Trigger Condition: Creation of a taskmgr.exe process in context of LOCAL_SYSTEM.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 user="NT AUTHORITY\SYSTEM" image="*\taskmgr.exe" -user IN EXCLUDED_USERS
    

LP_Possible WebApp Attack

  • Trigger Condition: A web application based attack is detected.

  • ATT&CK Category: Initial Access, Impact

  • ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service, Endpoint Denial of Service

  • ATT&CK ID: T1190, T1498, T1499

  • Minimum Log Source Requirement: WAF

  • Query:

    norm_id=*WebAppFirewall ((label=Buffer label=Overflow) or (label=Attack label=Alert) or (label=Web label=Attack) or (label=Violation) or (label=Deny label=Rule) OR (label=SQL label=Injection))
    

LP_Potential RDP Exploit CVE-2019-0708 Detected

  • Trigger Condition: An error on protocol RDP potential CVE-2019-0708 is detected.

  • ATT&CK Category: Initial Access, Lateral Movement

  • ATT&CK Tag: Exploitation of Remote Services, Exploit Public-Facing Application

  • ATT&CK ID: T1210, T1190

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id IN ["56", "50"] event_source="TermDD" -user IN EXCLUDED_USERS
    

LP_Powershell AMSI Bypass via dotNET Reflection

  • Trigger Condition: Request to amsiInitFailed used to disable AMSI Scanning is detected.

  • ATT&CK Category: Execution, Defense Evasion

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*System.Management.Automation.AmsiUtils*"] command IN ["*amsiInitFailed*"] -user IN EXCLUDED_USERS
    

LP_PowerShell Base64 Encoded Shellcode Detected

  • Trigger Condition: Base64 encoded shellcode is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="*AAAAYInlM*" command IN ["*OiCAAAAYInlM*", "*OiJAAAAYInlM*"] -user IN EXCLUDED_USERS
    

LP_PowerShell Execution Policy Modification Detected

  • Trigger Condition: The execution policy of Command and Scripting Interpreter and PowerShell is changed to unrestricted.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Modify Registry

  • ATT&CK ID: T1112

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon label=Registry label=Set label=Value detail=Unrestricted target_object="*ExecutionPolicy" -user IN EXCLUDED_USERS
    

LP_PowerShell Network Connections Detected

  • Trigger Condition: LogPoint detects a Command and Scripting Interpreter and PowerShell process that opens network connections. We recommend you check suspicious target ports and systems, and adjust them according to your environment. For example, extend filters with the company’s IP range.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 image="*\powershell.exe" initiated="true" -destination_address IN HOMENET -user="NT AUTHORITY\SYSTEM" -user IN EXCLUDED_USERS
    

LP_PowerShell Profile Modification

  • Trigger Condition: Modification of Command and Scripting Interpreter and PowerShell profile is detected.

  • ATT&CK Category: Persistence, Privilege Escalation, Execution

  • ATT&CK Tag: Command and Scripting Interpreter, Event Triggered Execution, PowerShell Profile, Powershell

  • ATT&CK ID: T1546, T1546.013, T1059, T1059.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4103 command in ["Write-Output", "Add-Content"] payload= "*powershell_profile*" -user IN EXCLUDED_USERS
    

LP_PowerShell PSAttack Detected

  • Trigger Condition: The use of a PSAttack command via PowerShell hack tool is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows

  • Query:

    event_id=4103 command="PS ATTACK!!!" -user IN EXCLUDED_USERS
    

LP_PowerShell Rundll32 Remote Thread Creation Detected

  • Trigger Condition: Command and Scripting Interpreter and PowerShell remote thread creation in Signed Binary Proxy Execution and Rundll32.exe is detected.

  • ATT&CK Category: Defense Evasion, Execution

  • ATT&CK Tag: Signed Binary Proxy Execution, Rundll32, Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1218, T1218.011, T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=8 source_image="*\powershell.exe" image="*\rundll32.exe" -user IN EXCLUDED_USERS
    

LP_PowerShell Script Run in AppData Detected

  • Trigger Condition: A suspicious command line execution that invokes Command and Scripting Interpreter and PowerShell concerning an AppData folder is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["* /c powershell*\AppData\Local\*", "* /c powershell*\AppData\Roaming\*"] -user IN EXCLUDED_USERS
    

LP_PowerShell Version Downgrade Detected

  • Trigger Condition: The execution of Command and Scripting Interpreter and PowerShell v2 is detected. We recommend you avoid Powershell v2 as it offers zero-logging. PowerShell v5.x or higher offers better login.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=400 host_version="2.0" -user IN EXCLUDED_USERS
    

LP_Process Dump via Comsvcs DLL Detected

  • Trigger Condition: Process memory dump via comsvcs.dll and rundll32 is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping

  • ATT&CK ID: T1003

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*\rundll32.exe" OR file="RUNDLL32.EXE") command IN ["*comsvcs*MiniDump*full*", "*comsvcs*MiniDumpW*full*"] -user IN EXCLUDED_USERS
    

LP_Process Dump via Rundll32 and Comsvcs Detected

  • Trigger Condition: Process memory dump performed via ordinal function 24 in comsvcs.dll is detected.

  • ATT&CK Category: Defense Evasion, Credential Access

  • ATT&CK Tag: Masquerading, OS Credential Dumping, LSASS Memory

  • ATT&CK ID: T1036, T1003, T1003.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["*comsvcs.dll, #24*", "*comsvcs.dll, MiniDump*"] -user IN EXCLUDED_USERS
    

LP_Process Hollowing Detected

  • Trigger Condition: Adversaries attempt to inject malicious code into suspended and hollowed processes to evade process-based defenses.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Process Injection, Process Hollowing

  • ATT&CK ID: T1055, T1055.012

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (image="*smss.exe" parent_command!="*smss.exe") or (image="*csrss.exe" (parent_command!="*smss.exe" and parent_command!="*svchost.exe")) or (image="*wininit.exe" parent_command!="*smss.exe") or (image="*winlogon.exe" parent_command!="*smss.exe") or
    (image="*lsass.exe" parent_command!="*wininit.exe") or (image="*LogonUI.exe" (parent_command!="*winlogon.exe" and parent_command!="*wininit.exe")) or (image="*services.exe" parent_command!="*wininit.exe") or (image="*spoolsv.exe" parent_command!="*services.exe")
    or (image="*taskhost.exe" (parent_command!="*services.exe" and parent_command!="*svchost.exe")) or (image="*taskhostw.exe" (parent_command!="*services.exe" and parent_command!="*svchost.exe"))
    or (image="*userinit.exe" (parent_command!="*dwm.exe" and parent_command!="*winlogon.exe")) -user IN EXCLUDED_USERS
    

LP_Process Injection Detected

  • Trigger Condition: Adversaries inject code into processes to evade process-based defenses and possibly elevate privileges using commands like Invoke-DllInjection.

  • ATT&CK Category: Defense Evasion, Privilege Escalation

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 (command="*Invoke-DllInjection*" or command="*C:\windows\sysnative\*") -user IN EXCLUDED_USERS
    

LP_Protected Storage Service Access Detected

  • Trigger Condition: An access to a protected_storage service over the network is detected. The potential abuse of DPAPI to extract domain backup keys from Domain Controllers.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services

  • ATT&CK ID: T1021

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=5145 share_name="*IPC*" relative_target="protected_storage" -user IN EXCLUDED_USERS
    

LP_Prowli Malware Affected Host

  • Trigger Condition: Widows Server is affected by Prowli malware.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=Winserver* hash in PROWLI_FILE host=*
    

LP_Prowli Malware Connection to Malicious Destination

  • Trigger Condition: An outbound connection to Prowli Malware sources is established by hosts.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Windows

  • Query:

    (source_address=* OR destination_address=*) destination_address in PROWLI_IP | process dns(source_address) as host | process geoip(destination_address) as country
    

LP_Prowli Malware Emails Sent to Attacker

  • Trigger Condition: An email is sent to Prowli Malware listed emails.

  • ATT&CK Category: Exfiltration, Collection

  • ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

  • ATT&CK ID: T1041, T1114

  • Minimum Log Source Requirement: Mail Server

  • Query:

    sender=* receiver=* receiver in PROWLI_EMAIL (host=* OR source_host=*) | rename source_host as host
    

LP_PsExec Service Start Detected

  • Trigger Condition: LogPoint detects malicious PsExec service started by the Windows Service Control Manager.

  • ATT&CK Category: Execution

  • ATT&CK Tag: System Services, Service Execution

  • ATT&CK ID: T1569, T1569.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command="C:\Windows\PSEXESVC.exe" -user IN EXCLUDED_USERS
    

LP_PsExec Tool Execution Detected

  • Trigger Condition: PsExec service installation and execution event (Service and Sysmon) is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: System Services, Service Execution

  • ATT&CK ID: T1569, T1569.002

  • Minimum Log Source Requirement: Windows

  • Query:

    (norm_id=WinServer service="PSEXESVC" ((event_id=7045 service="*\PSEXESVC.exe") OR event_id="7036")) OR (event_id=1 image="*\PSEXESVC.exe" user="NT AUTHORITY\SYSTEM") -user IN EXCLUDED_USERS
    

LP_Psr Capture Screenshots Detected

  • Trigger Condition: The psr.exe captures desktop screenshots and saves them in a local machine.

  • ATT&CK Category: Collection

  • ATT&CK Tag: Screen Capture

  • ATT&CK ID: T1113

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\Psr.exe" command="*/start*" -user IN EXCLUDED_USERS
    

LP_Pulse Secure Arbitrary File Reading Detected

  • Trigger Condition: The exploitation of arbitrary file reading vulnerability (CVE-2019-11510) in Pulse Secure is detected.

  • ATT&CK Category: Initial Access

  • ATT&CK Tag: External Remote Services

  • ATT&CK ID: T1113

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    norm_id=* url IN ['*dana*guacamole*', '*lmdb*data.mdb*', '*data*mtmp/system*']
    

LP_QBot Process Creation Detected

  • Trigger Condition: LogPoint detects QBot like process execution of wscript or use of commands to manipulate program data or ping local host.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, Visual Basic

  • ATT&CK ID: T1059, T1059.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 ((parent_image="*\WinRAR.exe" image="*\wscript.exe") OR command="* /c ping.exe -n 6 127.0.0.1 & type *" OR (command="*regsvr32.exe*" command="*C:\ProgramData*" command="*.tmp*")) -user IN EXCLUDED_USERS
    

LP_QuarksPwDump Clearing Access History Detected

  • Trigger Condition: QuarksPwDump clearing access history in hive is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping, NTDS, Valid Accounts, Local Accounts

  • ATT&CK ID: T1003, T1003.003, T1078, T1078.003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=16 hive="*\AppData\Local\Temp\SAM*" hive="*.dmp" -user IN EXCLUDED_USERS
    

LP_QuarksPwDump Dump File Detected

  • Trigger Condition: A dump file written by QuarksPwDump password dumper is detected.

  • ATT&CK Category: Credential Access

  • ATT&CK Tag: OS Credential Dumping, Security Account Manager

  • ATT&CK ID: T1003, T1003.002

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=11 file="*\AppData\Local\Temp\SAM-*.dmp*" -user IN EXCLUDED_USERS
    

LP_Query Registry Network

  • Trigger Condition: Adversaries use reg.exe component for network connection and interact with the Windows Registry to gather information about the system, configuration, and installed software.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Query Registry

  • ATT&CK ID: T1012

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 image="*reg.exe" command="*reg query*" -user IN EXCLUDED_USERS
    

LP_Query Registry Detected

  • Trigger Condition: A registry query is detected. Adversaries interact with the Windows Registry to gather information about the system, configuration, and installed software.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Query Registry, System Service Discovery

  • ATT&CK ID: T1012, T1007

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command IN ["*query*", "*save*", "*export*"] command IN ["*currentVersion\windows*", "*currentVersion\runServicesOnce*", "*currentVersion\runServices*", "*winlogon\\*", "*currentVersion\shellServiceObjectDelayLoad*", "*currentVersion\runOnce*", "*currentVersion\runOnceEx*", "*currentVersion\run*", "*currentVersion\policies\explorer\run*", "*currentcontrolset\services*"] -user IN EXCLUDED_USERS
    

LP_Rare Scheduled Task Creations Detected

  • Trigger Condition: Rare scheduled task creations are detected. A software gets installed on multiple systems. The aggregation and count function selects tasks with rare names.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Scheduled Task/Job, Scheduled Task

  • ATT&CK ID: T1053, T1053.005

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id="106" | chart count() as val by task | search val < 5
    

LP_RDP Login from Localhost Detected

  • Trigger Condition: RDP login with a localhost source address that may be a tunneled login is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services, Remote Desktop Protocol

  • ATT&CK ID: T1021, T1021.001

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4624 logon_type="10" source_address IN ["::1", "127.0.0.1"] -user IN EXCLUDED_USERS
    

LP_RDP Over Reverse SSH Tunnel Detected

  • Trigger Condition: svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 is detected.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services, Remote Desktop Protocol

  • ATT&CK ID: T1021, T1021.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 image="*\svchost.exe" initiated="true" source_port="3389" destination_address IN ["127.*", "::1"] -user IN EXCLUDED_USERS
    

LP_RDP over Reverse SSH Tunnel WFP

  • Trigger Condition: svchost hosting RDP termsvcs communicating with the loopback address is detected.

  • ATT&CK Category: Command and Control, Lateral Movement

  • ATT&CK Tag: Remote Services, Remote Desktop Protocol, Proxy

  • ATT&CK ID: T1021, T1021.001, T1090

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=5156 ((source_port="3389" destination_address IN ["127.*", "::1"]) OR (destination_port="3389" source_address IN ["127.*", "::1"])) -user IN EXCLUDED_USERS
    

LP_RDP Registry Modification

  • Trigger Condition: Potential malicious modification of the property value of fDenyTS Connections and UserAuthentication to enable remote desktop connections is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Modify Registry

  • ATT&CK ID: T1112

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=13 target_object IN ["*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication", "*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"] details="DWORD (0x00000000)" -user IN EXCLUDED_USERS
    

LP_RDP Sensitive Settings Changed

  • Trigger Condition: Changes to RDP terminal service sensitive settings are detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=13 target_object IN ["*\services\TermService\Parameters\ServiceDll*", "*\Control\Terminal Server\fSingleSessionPerUser*", "*\Control\Terminal Server\fDenyTSConnections*"] -user IN EXCLUDED_USERS
    

LP_Reconnaissance Activity with Net Command

  • Trigger Condition: A set of commands often used in recon stages by different attack groups to discover the victim’s information, systems, or network are detected.

  • ATT&CK Category: Discovery, Reconnaissance

  • ATT&CK Tag: Account Discovery, System Information Discovery, Gather Victim Host Information, Gather Victim Identity Information

  • ATT&CK ID: T1087, T1082, T1589, T1592

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 command IN ["tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start", "*\net1 start", "qprocess", "nslookup", "hostname.exe", "*\net1 user /domain", "*\net1 group /domain", "*\net1 group *domain admins* /domain", "*\net1 group *Exchange Trusted Subsystem* /domain", "*\net1 accounts /domain", "*\net1 user net localgroup administrators", "netstat -an"]
    -user IN EXCLUDED_USERS | chart count() as val by command | search val > 4
    

LP_RedSocks Backdoor Connection

  • Trigger Condition: A backdoor event is detected. Adversaries develop malware and malware components as backdoors, which are used during targeting.

  • ATT&CK Category: Resource Development

  • ATT&CK Tag: Develop Capabilities, Malware

  • ATT&CK ID: T1587, T1587.001

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks description="*backdoor*" | process geoip(destination_address) as country
    

LP_RedSocks Bad Neighborhood Detection

  • Trigger Condition: A bad neighborhood is detected where adversaries use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a Command and Control server to avoid direct connections to their infrastructure.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks category="bad hood" | process geoip(destination_address) as country
    

LP_RedSocks Blacklist URL Detection

  • Trigger Condition: Blacklist URLs are detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks category="URL blacklist" | process geoip(destination_address) as country
    

LP_RedSocks FileSharing

  • Trigger Condition: Filesharing using an alternate platform like 4Shared, FileHippo, Torrent, Picofile, or WeTransfer is detected.

  • ATT&CK Category: Exfiltration

  • ATT&CK Tag: Exfiltration over Alternative Protocol

  • ATT&CK ID: T1048

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks category="Filesharing" description in ["*4share*","*torrent*" ,"*FileHippo*","*picofile*","*wetransfer*"]| process geoip(destination_address) as country
    

LP_RedSocks Ransomware Connection

  • Trigger Condition: A ransomware event is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: Disk Wipe, Disk Content Wipe, Data Encrypted for Impact, Data Destruction, Proxy

  • ATT&CK ID: T1561, T1561.001, T1486, T1485, T1090

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks description="*ransomware*" | process geoip(destination_address) as country
    

LP_RedSocks Sinkhole Detection

  • Trigger Condition: Sinkhole is detected.

  • ATT&CK Category: Impact

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks category="Sinkhole" | process geoip(destination_address) as country
    

LP_RedSocks Tor Connection

  • Trigger Condition: A Tor connection is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks category="tor" | process geoip(destination_address) as country
    

LP_RedSocks Trojan Connection

  • Trigger Condition: A trojan event is detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Redsocks

  • Query:

    norm_id=RedSocks description="*trojan*" | process geoip(destination_address) as country
    

LP_Register new Logon Process by Rubeus

  • Trigger Condition: Potential use of Rubeus via registered new trusted logon process is detected. Adversaries abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.

  • ATT&CK Category: Lateral Movement, Privilege Escalation

  • ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

  • ATT&CK ID: T1558, T1558.003

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=4611 logon_process="User32LogonProcesss" -user IN EXCLUDED_USERS
    

LP_Registry Persistence Mechanisms Detected

  • Trigger Condition: Persistence registry keys at the current version folder for registry keys are detected. Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.

  • ATT&CK Category: Privilege Escalation, Persistence

  • ATT&CK Tag: Event Triggered Execution, Image File Execution Options Injection

  • ATT&CK ID: T1546, T1546.012

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=13 target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag", "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode", "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess"] event_type="SetValue" -user IN EXCLUDED_USERS
    

LP_Registry Persistence via Explorer Run Key Detected

  • Trigger Condition: Persistence mechanism using a RUN key for Windows Explorer and pointing to a suspicious folder is detected.

  • ATT&CK Category: Persistence

  • ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

  • ATT&CK ID: T1547, T1547.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    event_id=13 target_object="*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" detail IN ["C:\Windows\Temp\*", "C:\ProgramData\*", "*\AppData\*", "C:\$Recycle.bin\*", "C:\Temp\*", "C:\Users\Public\*", "C:\Users\Default\*"] -user IN EXCLUDED_USERS
    

LP_Regsvcs-Regasm Detected

  • Trigger Condition: Adversary abuses trusted Windows command line utilities regsvcs and regasm for proxy execution of code.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Signed Binary Proxy Execution, Regsvcs/Regasm

  • ATT&CK ID: T1218, T1218.009

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=3 (image="*regsvcs.exe" or image="*regasm.exe")
    

LP_Remote Desktop Protocol - Process

  • Trigger Condition: Adversaries use valid accounts to log into a computer using the Remote Desktop Protocol (RDP) and perform actions as the logged-on user.

  • ATT&CK Category: Lateral Movement

  • ATT&CK Tag: Remote Services, Remote Desktop Protocol

  • ATT&CK ID: T1021, T1021.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (image="*LogonUI.exe" or target_object="*\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\*") -user IN EXCLUDED_USERS
    

LP_Remote PowerShell Session

  • Trigger Condition: Remote Command and Scripting Interpreter and PowerShell sessions by monitoring network outbound connections to ports 5985 or 5986 from network service accounts are detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Command and Scripting Interpreter, PowerShell

  • ATT&CK ID: T1059, T1059.001

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    (norm_id=WinServer event_id IN ["4103", "400"] host="ServerRemoteHost" application="*wsmprovhost.exe*") OR (norm_id=WindowsSysmon event_id=1 (image="*\wsmprovhost.exe" OR parent_image="*\wsmprovhost.exe")) -user IN EXCLUDED_USERS | rename application as service
    

LP_Remote System Discovery

  • Trigger Condition: The components like net.exe and ping.exe are used to list other systems by IP address, hostname, or other logical identifiers on a network used for Lateral Movement from the current system.

  • ATT&CK Category: Discovery

  • ATT&CK Tag: Remote System Discovery

  • ATT&CK ID: T1018

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon (image="*net.exe" or image="*ping.exe") (command="*view*" or command="*ping*") -user IN EXCLUDED_USERS
    

LP_Renamed Binary Detected

  • Trigger Condition: The execution of a renamed binary used by attackers or malware leveraging new Sysmon OriginalFileName datapoint is detected.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 file IN ["cmd.exe", "powershell.exe", "powershell_ise.exe", "psexec.exe", "psexec.c", "cscript.exe", "wscript.exe", "mshta.exe", "regsvr32.exe", "wmic.exe", "certutil.exe", "rundll32.exe", "cmstp.exe", "msiexec.exe", "7z.exe", "winrar.exe", "wevtutil.exe", "net.exe", "net1.exe"] -image IN ["*\cmd.exe", "*\powershell.exe", "*\powershell_ise.exe", "*\psexec.exe", "*\psexec64.exe", "*\cscript.exe", "*\wscript.exe", "*\mshta.exe", "*\regsvr32.exe", "*\wmic.exe", "*\certutil.exe", "*\rundll32.exe", "*\cmstp.exe", "*\msiexec.exe", "*\7z.exe", "*\winrar.exe", "*\wevtutil.exe", "*\net.exe", "*\net1.exe"] -user IN EXCLUDED_USERS
    

LP_Renamed ProcDump Detected

  • Trigger Condition: Execution of a renamed ProcDump executable used by attackers or malware.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon file="procdump" -image IN ["*\procdump.exe", "*\procdump64.exe"]
    

LP_Renamed PsExec Detected

  • Trigger Condition: Execution of a renamed PsExec used by attackers or malware.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Masquerading

  • ATT&CK ID: T1036

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon message="Execute processes remotely" product="Sysinternals PsExec" -image IN ["*\PsExec.exe", "*\PsExec64.exe"]
    

LP_Renamed ZOHO Dctask64 Detected

  • Trigger Condition: Renamed dctask64.exe used for process injection, command execution, and process creation with a signed binary by ZOHO Corporation is detected.

  • ATT&CK Category: Execution

  • ATT&CK Tag: Process Injection

  • ATT&CK ID: T1055

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

    norm_id=WindowsSysmon event_id=1 hash="6834B1B94E49701D77CCB3C0895E1AFD" -image="*\dctask64.exe" -user IN EXCLUDED_USERS
    

LP_REvil-Sodinokibi Ransomware Connection to Malicious Domains

  • Trigger Condition: The connection to REvil-Sodinokibi Double Extortion ransomware-related domains is detected. For the alert to work, you must use the list REVIL_RANSOMWARE_DOMAINS, which includes IOC domains for Sodinokibi ransomware.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

  • Query:

    norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in REVIL_RANSOMWARE_DOMAINS
    

LP_REvil-Sodinokibi Ransomware Connection to Malicious Sources

  • Trigger Condition: Hosts establishing an outbound connection to REvil-Sodinokibi Double Extortion ransomware sources are deteted. For the alert to work, you must use the list REVIL_RANSOMWARE_IPS, which includes IOC IPs for Sodinokibi ransomware.

  • ATT&CK Category: Command and Control

  • ATT&CK Tag: Proxy

  • ATT&CK ID: T1090

  • Minimum Log Source Requirement: Firewall, IDS/IPS

  • Query:

    (destination_address IN REVIL_RANSOMWARE_IPS OR source_address IN REVIL_RANSOMWARE_IPS) | process geoip(destination_address) as country
    

LP_REvil-Sodinokibi Ransomware Exploitable Vulnerabilities Detected

  • Trigger Condition: Vulnerability management detects the presence of vulnerabilities linked to REvil-Sodinokibi ransomware. For the alert to work, you must use the list REVIL_RANSOMWARE_CVE, which includes IOC CVE IDs for Sodinokibi ransomware.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • ATT&CK ID: -

  • Minimum Log Source Requirement: Vulnerability Management

  • Query:

    norm_id=VulnerabilityManagement cve_i