NON-MITRE ATT&CK Analytics

The NON-MITRE ATT&CK alerts available in Alert Rules are:

LP_Windows Login Attempt on Disabled Account

  • Trigger condition: A user attempts to log in using a disabled account.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer* label=User label=Login label=Fail sub_status_code="0xC0000072" -target_user=* -user=* -user IN EXCLUDED_USERS | rename user as target_user, domain as target_domain, reason as failure_reason
    

LP_LogPoint License Expiry Status

  • Trigger condition: Logpoint license is about to expire.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Logpoint

  • Query:

    norm_id=LogPoint label=Audit object='License checker' days_remaining=*
    

LP_Mitre Command and Control Using Standard Application Layer Protocol Detected

  • Trigger condition: Command and control activity using standard application layer protocol is detected.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Proxy server

  • Query:

    norm_id=*proxy source_address=* destination_address=* destination_port IN STANDARD_APPLICATION_PORTS | process ti(destination_address)| rename et_category as ti_category | process eval("attack_class='Command and Control'")| process eval("technique='Standard Application Layer Protocol'") |  search ti_category="*Command and Control*"
    

LP_Endpoint Protect Threat Content Detected

  • Trigger condition: Threat content is detected.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Endpoint Protector

  • Query:

    norm_id=EndPointProtector label=Threat label=Content (label=Detect OR label=Block) file=* user=*
    

LP_Endpoint Protect Device Disconnect

  • Trigger condition: A USB device is disconnected.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Endpoint Protector

  • Query:

    norm_id=EndPointProtector label=Disconnect user=* device_type="USB Storage Device"
    

LP_Endpoint Protect File Delete

  • Trigger condition: A file is deleted.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Endpoint Protector

  • Query:

    norm_id=EndPointProtector label=File label=Delete file=* user=*
    

LP_Endpoint Protect File Copied To USB Device

  • Trigger condition: A file is copied to external USB drive.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Endpoint Protector

  • Query:

    norm_id=EndPointProtector label=File label=Copy device_type="USB Storage Device" file=* user=*
    

LP_System Owner or User Discovery Process Detected

  • Trigger condition: Discovery activity matching the System Owner/User Discovery technique is detected (whoami, quser or wmic useraccount get on the command line).

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*whoami*" OR commandline="*quser*" OR commandline="*wmic.exe*useraccount get*" OR command="*whoami*" OR command="*quser*" OR command="*wmic.exe*useraccount get*") -user IN EXCLUDED_USERS | rename commandline as command
    

LP_System Services Discovery Detected

  • Trigger condition: Discovery activity matching the System Service Discovery technique is detected (net start or tasklist.exe on the command line).

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer label="Process" label=Create (commandline="*net.exe*start*" OR commandline="*tasklist.exe*" OR command="*net.exe*start*" OR command="*tasklist.exe*" ) -user IN EXCLUDED_USERS | rename commandline as command
    

LP_SolarisLDAP Password Spraying Attack Detected

  • Trigger condition: Password spraying attack is detected.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Solaris LDAP

  • Query:

    norm_id=SolarisLDAP label=User (label=Login OR label=Authentication) label=Fail | chart distinct_count(user) as UserCount, distinct_list(user) as Users | search UserCount > 5
    
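The rule above counts distinct users across every failed login in the search window, regardless of where the attempts come from, so a handful of unrelated users mistyping passwords can reach the threshold. The following added example (not Logpoint code) implements the same distinct-user count but keys it on source_address and a sliding time window, which is the usual tuning for a spraying rule. The events, field names and the 10-minute window are constructed for this example.

```python
# Added example (not Logpoint code): per-source, time-windowed version of the
# distinct-user count used by the LP_SolarisLDAP Password Spraying rule.
# Events and field names are constructed for this example.
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed 10-minute sliding window
USER_THRESHOLD = 5     # the rule fires on UserCount > 5


def is_failed_auth(e):
    """label=User (label=Login OR label=Authentication) label=Fail"""
    labels = e.get("labels", set())
    return "User" in labels and "Fail" in labels and bool({"Login", "Authentication"} & labels)


def detect_spraying(events, window=WINDOW_SECONDS, threshold=USER_THRESHOLD):
    """Return {source_address: sorted distinct users} for every source whose failed
    logins touch more than `threshold` distinct users inside any `window` seconds."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["log_ts"]):
        if is_failed_auth(e):
            by_source[e["source_address"]].append((e["log_ts"], e["user"]))

    hits = {}
    for src, rows in by_source.items():
        in_window = deque()
        user_counts = defaultdict(int)
        for ts, user in rows:
            in_window.append((ts, user))
            user_counts[user] += 1
            # Evict events that fell out of the sliding window.
            while ts - in_window[0][0] > window:
                _old_ts, old_user = in_window.popleft()
                user_counts[old_user] -= 1
                if user_counts[old_user] == 0:
                    del user_counts[old_user]
            if len(user_counts) > threshold:
                hits[src] = sorted(user_counts)
    return hits


def _fail(src, user, ts):
    return {"labels": {"User", "Login", "Fail"}, "source_address": src, "user": user, "log_ts": ts}


# Constructed sample events.
SAMPLE_EVENTS = (
    # spraying: one source, seven accounts, one attempt each within three minutes
    [_fail("10.0.0.9", f"user{i}", 1_000 + 30 * i) for i in range(7)]
    # noisy but not spraying: one account failing ten times
    + [_fail("10.0.0.20", "alice", 1_000 + 15 * i) for i in range(10)]
    # six accounts from one source but an hour apart: never inside one window
    + [_fail("10.0.0.30", f"svc{i}", 1_000 + 3_600 * i) for i in range(6)]
)


if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_EVENTS).items():
        print(src, users)
```

Only the first source is reported: the repeated failures from a single account never exceed one distinct user, and the slow source spreads its six accounts over hours, so no window ever holds more than one.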

LP_Microsoft Defender AMSI Trigger

  • Trigger Condition: Microsoft Defender logs a detection (event ID 1116) whose detection source is AMSI, that is, script content scanned through the Antimalware Scan Interface.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows

  • Query:

    norm_id=WinServer event_id=1116 source_name=AMSI event_source="Microsoft-Windows-Windows Defender"
    

LP_Petitpotam - Anonymous RPC and File Share

  • Trigger Condition: Events related to Petitpotam are logged.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows

  • Query:

    [event_id=4624 package="NTLM*" (user="ANONYMOUS LOGON" or -workstation=*)] as stream1 join [event_id=5145 share_name=IPC$ access="*ReadData (or ListDirectory) WriteData (or AddFile)*" relative_target IN ["lsarpc", "efsrpc", "lsass", "samr", "netlogon"]] as stream2 on stream1.source_address = stream2.source_address and stream1.host = stream2.host | rename stream1.user as user, stream1.host as host, stream1.domain as domain, stream2.source_address as source_address, stream2.share_name as share_name, stream2.access as access, stream2.log_ts as log_ts
    
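The join in the query above correlates two event streams on the same host and source: an anonymous NTLM logon (4624) and an IPC$ named-pipe access (5145) to one of the RPC pipes PetitPotam abuses. The following added example (not Logpoint code) implements that join in Python over constructed Windows security events so the matching logic can be checked offline; field names follow the rule's normalised fields and the sample events are made up for this example.

```python
# Added example (not Logpoint code): the stream join from the LP_Petitpotam rule
# over constructed Windows security events.
from collections import defaultdict
from fnmatch import fnmatchcase

# Named pipes the rule correlates on (relative_target of the IPC$ access).
RPC_PIPES = {"lsarpc", "efsrpc", "lsass", "samr", "netlogon"}
ACCESS_PATTERN = "*ReadData (or ListDirectory) WriteData (or AddFile)*"

# Constructed sample events.
SAMPLE_EVENTS = [
    # stream1 candidate: anonymous NTLM logon on DC01 from 10.0.0.50
    {"event_id": 4624, "host": "DC01", "source_address": "10.0.0.50",
     "user": "ANONYMOUS LOGON", "domain": "NT AUTHORITY", "package": "NTLM V1", "log_ts": 1000},
    # stream2 candidate: same source opens the efsrpc pipe on IPC$ with read+write
    {"event_id": 5145, "host": "DC01", "source_address": "10.0.0.50", "share_name": "IPC$",
     "relative_target": "efsrpc",
     "access": "ReadData (or ListDirectory) WriteData (or AddFile)", "log_ts": 1002},
    # benign: a different source listing a normal file share
    {"event_id": 5145, "host": "DC01", "source_address": "10.0.0.51", "share_name": "Data",
     "relative_target": "reports", "access": "ReadData (or ListDirectory)", "log_ts": 1003},
    # anonymous logon with no matching pipe access on that host: no alert
    {"event_id": 4624, "host": "FS01", "source_address": "10.0.0.52",
     "user": "ANONYMOUS LOGON", "domain": "NT AUTHORITY", "package": "NTLM V2", "log_ts": 1004},
]


def is_anonymous_ntlm_logon(e):
    """stream1: event_id=4624 package="NTLM*" (user="ANONYMOUS LOGON" or -workstation=*)"""
    return (e.get("event_id") == 4624
            and fnmatchcase(e.get("package", ""), "NTLM*")
            and (e.get("user") == "ANONYMOUS LOGON" or "workstation" not in e))


def is_rpc_pipe_access(e):
    """stream2: event_id=5145 share_name=IPC$ access="*ReadData ... AddFile)*" relative_target IN [...]"""
    return (e.get("event_id") == 5145
            and e.get("share_name") == "IPC$"
            and fnmatchcase(e.get("access", ""), ACCESS_PATTERN)
            and e.get("relative_target") in RPC_PIPES)


def correlate(events):
    """Join stream1 and stream2 on (source_address, host) and emit one alert per pair,
    carrying the same renamed output fields the rule produces."""
    logons = defaultdict(list)
    for e in events:
        if is_anonymous_ntlm_logon(e):
            logons[(e["source_address"], e["host"])].append(e)

    alerts = []
    for e in events:
        if not is_rpc_pipe_access(e):
            continue
        for logon in logons.get((e["source_address"], e["host"]), []):
            alerts.append({
                "user": logon["user"], "host": logon["host"], "domain": logon.get("domain"),
                "source_address": e["source_address"], "share_name": e["share_name"],
                "access": e["access"], "relative_target": e["relative_target"],
                "log_ts": e["log_ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Note that the join, like the rule's, has no time constraint beyond the search window: any anonymous logon from a source pairs with any later or earlier pipe access from the same source on that host. In practice you would also require the 5145 to follow the 4624 within a few seconds.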

RDP Sensitive Settings Changed

  • Trigger Condition: Changes to RDP terminal service sensitive settings are detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows

  • Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\services\TermService\Parameters\ServiceDll*", "*\Control\Terminal Server\fSingleSessionPerUser*", "*\Control\Terminal Server\fDenyTSConnections*"] -user IN EXCLUDED_USERS

LP_Secure Deletion with SDelete

  • Trigger Condition: A file is renamed while being deleted with the SDelete tool, which renames the file through patterns such as *.AAA and *.ZZZ before removing it. Adversaries use such tools to clean the traces left by their intrusion activity.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows

  • Query:

norm_id=WinServer event_id IN ["4656", "4663", "4658"] object_name IN ["*.AAA", "*.ZZZ"] -user IN EXCLUDED_USERS

LP_Suspicious Keyboard Layout Load Detected

  • Trigger Condition: A keyboard preload or substitute entry with a suspicious layout, for example a Chinese, Iranian, or Vietnamese layout, is loaded into a user session on systems that are maintained by US staff only.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\Keyboard Layout\Preload\*", "*\Keyboard Layout\Substitutes\*"] detail IN ["00000804", "00000c04", "00000404", "00001004", "00001404", "00000429", "00050429", "0000042a", "00000401", "00010401", "00020401"] -user IN EXCLUDED_USERS

LP_Remote Code Execution using WMI Win32_Process Class over WinRM

  • Trigger Condition: When an attempt to execute code or create a service on a remote host via winrm.vbs is detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create
command="*winrm*"  command="*invoke Create wmicimv2/Win32_*" command="*-r:http*"

Remote Code Execution using WMI Win32_Service Class over WinRM

  • Trigger Condition: An application whitelisting bypass and arbitrary unsigned code execution technique is attempted using winrm.vbs (the format: argument loads an attacker-supplied XSL file from outside the system directories).

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label=Create label="Process" command="*winrm*" command IN ['*format:pretty*', '*format:"pretty"*', '*format:"text"*', '*format:text*']  -(image IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*"])

LP_Suspicious Microsoft SQL Server PowerShell Module Use Detected

  • Trigger Condition: PowerShell code is executed by the sqlps.exe utility, which is part of the standard set of utilities shipped with Microsoft SQL Server, from a parent other than the SQL Server Agent.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label=Create label="Process" ("process"="*\sqlps.exe" OR parent_process="*\sqlps.exe" OR file="*\sqlps.exe" ) -(parent_process="*\sqlagent.exe")

LP_Shadow Copy Deletion Using OS Utilities Detected

  • Trigger Condition: When shadow copies are deleted using operating system utilities. A shadow copy is a Microsoft technology that creates backup copies or snapshots of files or volumes; adversaries remove them before deploying ransomware to prevent recovery.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label="Create" ("process" IN ["*\powershell.exe", "*\wmic.exe", "*\vssadmin.exe", "*\diskshadow.exe"] command="* shadow*" command="*delete*") OR ("process"= "*\wbadmin.exe" command="*delete*" command="*catalog*" command="*quiet*")  OR ("process"="*\vssadmin.exe" command="*resize*" command="*shadowstorage*" command="*unbounded*")
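The query above has three OR branches, each a conjunction of a process name and several command-line wildcards. The following added example (not Logpoint code) implements those branches as a Python matcher and runs it over constructed process-creation events, including one that the rule as written does not catch: the `* shadow*` term requires a space before "shadow", so a PowerShell `Get-WmiObject Win32_ShadowCopy | Remove-WmiObject` deletion does not match.

```python
# Added example (not Logpoint code): the three OR branches of the
# LP_Shadow Copy Deletion rule as a matcher over constructed events.
# Wildcards are Logpoint-style "*" globs, matched case-insensitively here.
from fnmatch import fnmatchcase


def glob(value, pattern):
    return fnmatchcase(value.lower(), pattern.lower())


def all_match(value, *patterns):
    return all(glob(value, p) for p in patterns)


def is_shadow_copy_deletion(process, command):
    """True when the (process, command) pair matches any branch of the rule."""
    generic = (any(glob(process, p) for p in
                   ("*\\powershell.exe", "*\\wmic.exe", "*\\vssadmin.exe", "*\\diskshadow.exe"))
               and all_match(command, "* shadow*", "*delete*"))
    wbadmin = (glob(process, "*\\wbadmin.exe")
               and all_match(command, "*delete*", "*catalog*", "*quiet*"))
    resize = (glob(process, "*\\vssadmin.exe")
              and all_match(command, "*resize*", "*shadowstorage*", "*unbounded*"))
    return generic or wbadmin or resize


# Constructed sample events: (process, command).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic shadowcopy delete"),
    ("C:\\Windows\\System32\\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ("C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"),
    # benign: enumerating shadow copies without deleting
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),
    # deletion the rule misses: no " shadow" or "delete" token on the command line
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"),
]


def matching_indexes(events):
    """Indexes of the events the rule would alert on."""
    return [i for i, (proc, cmd) in enumerate(events) if is_shadow_copy_deletion(proc, cmd)]


if __name__ == "__main__":
    for i in matching_indexes(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[i][1])
```

The first four events match (one per branch plus the WMIC variant); the list command and the WMI-object deletion do not. Covering the latter needs an extra term such as `*Win32_ShadowCopy*` with `*Remove-WmiObject*`, which is not part of the rule on this page.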

LP_Child Process Spawned via Diskshadow Detected

  • Trigger Condition: When child processes are created by the diskshadow binary. DiskShadow.exe is a Windows internal binary that exposes the functionality offered by the Volume Shadow Copy Service; its exec command can launch arbitrary programs.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "parent_process"="*\diskshadow.exe" -command="*conhost.exe*"

LP_Code Execution Via Diskshadow Detected

  • Trigger Condition: When the diskshadow binary is used to execute commands from a script file (/s or -s). DiskShadow.exe is a Windows internal binary that exposes the functionality offered by the Volume Shadow Copy Service.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "process"="*\diskshadow.exe" command IN ["*/s *", "*-s *"]

LP_Process Pattern Match For CVE-2021-40444 Exploitation

  • Trigger Condition: The process pattern for CVE-2021-40444 is detected (control.exe spawned by an Office application). CVE-2021-40444 is a remote code execution vulnerability in MSHTML, Microsoft's proprietary browser engine for Internet Explorer.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create
"process"="*\control.exe" parent_process IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe"] -command="*\control.exe input.dll"

Suspicious Extexport Execution Detected

  • Trigger Condition: When a DLL is loaded through ExtExport.exe, a module in the Internet Explorer directory that imports and exports data from other programs, for example favorites or bookmarks from other browsers. Attackers can use ExtExport.exe to load an arbitrary DLL with a built-in, signed tool.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label=Create label="Process" command IN ["*ExtExport*", "extexport"]

LP_Proxy Execution via Workfolders

  • Trigger Condition: This alert is triggered whenever the workfolders binary is used to execute another process (a control.exe that is not the one in System32).

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "parent_process"="*\workfolders.exe" "process"="*\control.exe" -"process"="C:\Windows\System32\control.exe"

Proxy Execution via Windows Update Client

  • Trigger Condition: When wuauclt.exe is used to proxy-execute code from an attacker-supplied DLL.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label="Create" ("process"="*\wuauclt.exe" OR file="wuauclt.exe")
(command="*UpdateDeploymentProvider*" command="*.dll*" command="*RunHandlerComServer*")
-(command IN ["* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *", "* wuaueng.dll *"])

Suspicious DLL Execution Using Windows Address Book

  • Trigger Condition: When a suspicious DLL is executed using wab.exe.

  • ATT&CK Category: Defense Evasion

  • ATT&CK Tag: T1564.004 - NTFS File Attributes

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="registry" label="set" target_object="*\Software\Microsoft\WAB\DLLPath*" -detail="%CommonProgramFiles%\System\wab32.dll"

LP_Suspicious Use of Dotnet Detected

  • Trigger Condition: This alert is triggered when dotnet.exe is used to execute a suspicious DLL or to build and run a .csproj, either of which can carry unsigned code.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create command IN ["*.dll", "*.csproj"] "process"="*\dotnet.exe"

Execution of Arbitrary Executable Using Stordiag

  • Trigger Condition: When a renamed arbitrary executable is executed using stordiag.exe. stordiag.exe collects storage and file system diagnostic logs and outputs to a folder.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Create" label="Process" parent_process="*\stordiag.exe" "process" IN ["*\schtasks.exe", "*\systeminfo.exe", "*\fltmc.exe"] -parent_process IN ["C:\windows\system32\*", "C:\windows\syswow64\*"]

Process Creation via Time Travel Tracer

  • Trigger Condition: When a new child process is spawned via tttracer.exe.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="process" label=create "parent_process"="*\tttracer.exe"

LP_Time Travel Debugging Utility DLL Loaded

  • Trigger Condition: This alert is triggered whenever Time Travel Debugging DLLs are loaded. ttdrecord.dll, ttdwriter.dll and ttdloader.dll are part of the Time Travel Debugging utility.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

label=Image label=Load image IN ["*\ttdrecord.dll","*\ttdwriter.dll","*\ttdloader.dll"]

File Execution via Msdeploy

  • Trigger Condition: This alert is triggered whenever Msdeploy is used to execute files. Microsoft Web Deploy (msdeploy.exe) is a binary that allows users to deploy web applications; its runCommand provider runs arbitrary commands.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "process"="*\msdeploy.exe" command="*verb:sync*" command="*-source:RunCommand*" command="*-dest:runCommand*"

CVE-2022-40684 Exploitation Detected

  • Trigger Condition: When an exploitation attempt of CVE-2022-40684 is detected. CVE-2022-40684 is an authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Firewall, Proxy Server, Web Server

  • Query:

(url="*/api/v2/cmdb/system/admin/*" OR resource="*/api/v2/cmdb/system/admin/*") user_agent IN ["report runner","Node.js"]

Possible Proxy Execution of Malicious Code

  • Trigger Condition: When the possible use of TE.exe for proxy execution of malicious scripts is detected. TE.exe is a testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows, Windows Sysmon

  • Query:

label="process" label="create" ("process"="*\te.exe" OR parent_process="*\te.exe" OR file="te.exe")

LP_Suspicious Usage of BitLocker Management Script

  • Trigger Condition: This alert is triggered whenever proxy execution of malicious payloads via Manage-bde.wsf is detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label="Create" (("process"="*\wscript.exe" OR file="wscript.exe") command="*manage-bde.wsf*")
OR ( parent_process IN ["*\cscript.exe", "*\wscript.exe"] command="*manage-bde.wsf*" -"process"="*\cmd.exe")

Proxy Execution of Payloads via Microsoft Signed Script

  • Trigger Condition: This alert rule is triggered when it detects proxy execution of PowerShell code via Microsoft signed script “CL_Mutexverifiers.ps1”.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows

  • Query:

norm_id="WinServer" event_id=4104 script_block IN ["*\CL_Mutexverifiers.ps1*", "*runAfterCancelProcess *"]

Execution of Windows Defender Offline Shell from Suspicious Folder

  • Trigger Condition: When OfflineScannerShell.exe is executed from a folder other than the default.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows, Windows Sysmon

  • Query:

label="Create" label="Process" ("process"="*\OfflineScannerShell.exe"  -((path="C:\Program Files\Windows Defender\Offline\") OR (-path=*)))

DLL Loaded Via AccCheckConsole

  • Trigger Condition: When DLL loading through AccCheckConsole binary is detected. AccCheckConsole is a command-line tool for verifying the accessibility implementation of your application’s UI. Adversaries can use this technique to load their malicious DLL.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "process"="*\AccCheckConsole.exe" command="*-window*" command="*.dll*"

LP_Proxy Execution via Appvlp

  • Trigger Condition: When proxy execution of binaries via appvlp.exe is detected.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="process" label=create "process"="*\appvlp.exe"  command IN ["*cmd.exe*","*powershell.exe*"] command IN ["*.sh*","*.exe*","*.dll*","*.bin*","*.bat*","*.cmd*","*.js*","*.msh*","*.reg*","*.scr*","*.ps*","*.vb*","*.jar*","*.pl*","*.inf*"]

LP_Proxy DLL Execution via UtilityFunctions

  • Trigger Condition: When the UtilityFunctions script is used to execute a managed DLL. UtilityFunctions.ps1 is one of several PowerShell scripts Microsoft ships for diagnostic and maintenance work; adversaries can use its RegSnapin function to proxy-execute malicious files.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create command IN ["*UtilityFunctions.ps1*", "*RegSnapin*"]

Suspicious Usage of Squirrel Binary

  • Trigger Condition: When squirrel.exe is run with the download, update or updateRollback arguments, which fetch and execute a package from a supplied location.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="process" label="create" "process"="*\Squirrel.exe" command IN ["*download*","*update*"]

LP_Suspicious File Share Permission

  • Trigger Condition: This alert is triggered whenever net.exe is used to create or modify a file share with FULL permission granted (net share ... /grant:...,FULL).

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "process"="*\net.exe" command="* share *grant:*FULL*"

LP_Legitimate Application Dropping Script File

  • Trigger Condition: When a new script file is created by an application that should not create one, such as an Office application or WordPad. Script files contain a set of instructions or commands and are executed by a script interpreter or runtime environment. Adversaries can use this technique to drop their payload on the system and execute it.

  • ATT&CK Category: -

  • ATT&CK Tag: -

  • Minimum Log Source Requirement: Windows Sysmon

  • Query:

norm_id=WindowsSysmon event_id=11 file IN ["*.ps1","*.bat","*.vbs","*.scf","*.wsf","*.wsh"] "process" IN ["*\onenote.exe","*\winword.exe","*\excel.exe","*\powerpnt.exe","*\msaccess.exe","*\mspub.exe","*\eqnedt32.exe","*\visio.exe","*\wordpad.exe","*\wordview.exe","*\certutil.exe","*\certoc.exe","*\CertReq.exe","*\Desktopimgdownldr.exe","*\esentutl.exe","*\finger.exe","*\AcroRd32.exe","*\RdrCEF.exe","*\mshta.exe","*\hh.exe"]

LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected

  • Trigger Condition: This alert is triggered whenever inbound connection is seen into secure devices over non-compliant ports as specified by PCI compliance practices. NON_PCI_COMPLIANT_PORT list needs to be updated for this query to work properly.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Firewall, IDS, IPS

  • Query:

    label=Inbound label=Connection destination_port IN NON_PCI_COMPLIANT_PORT -source_address IN HOMENET
    

LP_High Severity EPP Alert

  • Trigger Condition: This alert is triggered whenever a high or critical severity alert is generated by any Endpoint Protection Platform (EPP).

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision

  • Query:

norm_id=* device_category=EPP risk_level IN [ "High", "Critical"]

LP_Medium Severity EPP Alert

  • Trigger Condition: This alert is triggered whenever a medium severity alert is generated by any Endpoint Protection Platform (EPP).

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision

  • Query:

norm_id=* device_category="EPP" risk_level="Medium"

LP_Proxy Execution via Appvlp

  • Trigger Condition: This alert is triggered whenever proxy execution of binaries via appvlp.exe is detected.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "process"="*\appvlp.exe"  command IN ["*cmd.exe*","*powershell.exe*"] command IN ["*.sh*","*.exe*","*.dll*","*.bin*","*.bat*","*.cmd*","*.js*","*.msh*","*.reg*","*.scr*","*.ps*","*.vb*","*.jar*","*.pl*","*.inf*"]

LP_Suspicious Extexport Execution Detected

  • Trigger Condition: This alert is triggered when a DLL is loaded through ExtExport.exe, a built-in tool in the Internet Explorer directory.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create command IN ["*ExtExport*", "extexport"]

LP_Suspicious Usage of Squirrel Binary

  • Trigger Condition: This alert is triggered whenever squirrel.exe is run with the download, update, or updateRollback arguments.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: Windows Sysmon, Windows

  • Query:

label="Process" label=Create "process"="*\Squirrel.exe" command IN ["*download*","*update*"]

LP_Threat Intel Connections with Suspicious Domains

  • Trigger Condition: This alert is triggered when a connection is established to a domain that a threat intelligence source lists as suspicious.

  • ATT&CK Category: N/A

  • ATT&CK Tag: N/A

  • ATT&CK ID: N/A

  • Minimum Log Source Requirement: IDS, Firewall, IPS

  • Query:

label=Connection (url=* OR domain=*)| process domain(url) as domain | process ti(domain) | rename et_category as Category, cs_category as Category, rf_category as Category,et_score as Score,cs_score as Score,rf_score as Score ,rf_domain as Domain, et_domain as Domain,cs_domain as Domain
