MITRE ATT&CK Analytics¶

LP_Unsigned DLLs loaded by RunDLL32 or RegSvr32¶

• Trigger Condition: Injection of unsigned dynamic-link library (DLL), a common tactic attackers use to execute arbitrary code on Windows systems. Adversaries often leverage Windows builtin tools like RunDLL32 or RegSvr32 to execute the malicious code through unsigned or untrusted DLLs.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Regsvr32, Rundll32

• ATT&CK ID: T1218.010, T1218.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=Image label=Load "process" IN ["*\regsvr32.exe", "*\rundll32.exe"] ( -is_signed="true" OR status IN ["errorChaining", "errorCode_endpoint*", "errorExpired", "trusted"] )
  

LP_Terminal Service Configuration Modified¶

• Trigger Condition: Modifying settings related to terminal services. Adversaries can use this technique to bypass authentication requirements or bypass security settings.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label="Registry" label=Set target_object IN ["*Software\Microsoft\Terminal Server Client*", "*Software\Policies\Microsoft\Windows NT\Terminal Services\"] target_object IN ["*AuthenticationLevelOverride*","*DisableRemoteDesktopAntiAlias*", "*DisableSeucirtySettings*"]) OR (label="Process" label=Create "process"="*\reg.exe" command="*add*" command IN ["*Software\Microsoft\Terminal Server Client*", "*Software\Policies\Microsoft\Windows NT\Terminal Services\"] command IN ["*AuthenticationLevelOverride*","*DisableRemoteDesktopAntiAlias*", "*DisableSeucirtySettings*"])
  

LP_System Service Reconnaissance through WMI¶

• Trigger Condition: Usage of WMI for service reconnaissance is detected. Adversaries might use WMI to check if a specific service is running on a host to gather reconnaissance information, identify potential vulnerabilities, plan further actions and maintain persistence within the target network.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: System Service Discovery, Windows Management Instrumentation

• ATT&CK ID: T1007, T1047

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*service*" -command IN ["*assoc*", "*call*", "*create* ", "*delete*"]
  

LP_Suspicious Msiexec Child Process¶

• Trigger Condition: Suspicious child processes spawned via Msiexec. Adversaries often use MSI files for initial access due to their legitimate appearance, making them less likely to raise suspicion when delivered through phishing or other social engineering tactics.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Msiexec

• ATT&CK ID: T1218.007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "parent_process"="*\msiexec.exe" "process" IN ["*\cmd.exe","*\powershell.exe","*\icacls.exe","*\expand.exe", "*\rundll32.exe"]
  

LP_Process Reconnaissance through WMI¶

• Trigger Condition: Usage of WMI for listing processes running on the compromised host. Adversaries might use WMI to list all the running processes on the host to bypass security measures.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: Windows Management Instrumentation, System Service Discovery

• ATT&CK ID: T1047, T1007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create("process"="*\wmic.exe" OR file="wmic.exe") command="*process*" -command IN ["*assoc*", "*call*", "*create* ", "*delete*"]
  

LP_Process Created through WMI¶

• Trigger Condition: Usage of WMI to spawn new processes either on local or remote hosts. Adversaries use WMI to spawn new processes because it provides them with a stealthy, persistent and flexible means of executing malicious code, bypassing security controls and maintaining control over compromised systems.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*process*" command="*call*" command="*create*"
  

LP_Local Users Reconnaissance through WMI¶

• Trigger Condition: Usage of Windows Management Instrumentation (WMI) to list all local user accounts. Adversaries might use WMI to list all local user accounts rather than a straightforward command like net user for defense evasion.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: Windows Management Instrumentation, Local Account

• ATT&CK ID: T1047, T1087.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*useraccount*"
  

LP_Installed Software Updates Reconnaissance through WMI¶

• Trigger Condition: Usage of Windows Management Instrumentation (WMI) to list installed software hotfixes and patches. Adversaries might use WMI to gather information about target systems, identify vulnerabilities and plan attack strategies.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: Windows Management Instrumentation, Software Discovery

• ATT&CK ID: T1047, T1518

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*qfe*"
  

LP_Application uninstall via WMIC¶

• Trigger Condition: Uninstallation of applications on a system using the Windows Management Instrumentation Command-line (WMIC) tool is detected. This uninstallation method is commonly observed in Advanced Persistent Threat (APT) activities, where adversaries aim to remove security products installed on target systems to evade detection and maintain persistence.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Windows Management Instrumentation, Disable or Modify Tools

• ATT&CK ID: T1047, T1562.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*product*" command="*call*" command="*uninstall*"
  

LP_AppInit DLLs Detected¶

• Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, AppInit DLLs

• ATT&CK ID: T1546, T1546.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" or target_object="*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*") -user IN EXCLUDED_USERS
  

LP_High Severity EPP Alert¶

• Trigger Condition: High or critical severity alert is generated by any endpoint protection platform like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP

• Query:

  norm_id=* device_category=EPP log_level IN [ "High", "Critical"]
  

LP_Host Generating Multiple Medium Severity EPP Alert¶

• Trigger Condition: Multiple medium severity alerts are generated by endpoint protection platforms like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP

• Query:

  norm_id=* device_category=EPP log_level="Medium" | chart distinct_count(detection_id) as DC by host_id  | search DC > 1
  

LP_Host Generating Multiple High Severity EPP Alert¶

• Trigger Condition: Multiple high or critical severity alerts are generated by endpoint protection platforms like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP

• Query:

  norm_id=* device_category=EPP log_level IN ["high","criticial"] | chart distinct_count(detection_id) as DC by host_id  | search DC > 1
  

LP_Medium Severity EPP Alert¶

• Trigger Condition: Medium severity alert is generated by any endpoint protection platform like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP

• Query:

  norm_id=* device_category=EPP log_level="Medium"
  

LP_Windows Service Stop or Delete¶

• Trigger Condition: Windows service or process being stopped, deleted or disabled via system binaries is detected. sc.exe, net.exe and net1.exe are Microsoft Windows system internal binaries that adversaries can use to stop or delete services and processes to render those services unavailable to legitimate users or to avoid hindrances in their attack chain.

• ATT&CK Category: Impact

• ATT&CK Tag: Service Stop

• ATT&CK ID: T1489

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create ("process" IN ["*\sc.exe", "*\net.exe", "*\net1.exe"] command="*stop*") OR ("process"="*\sc.exe" command IN ["*delete*", "*disabled*"]) -user IN EXCLUDED_USERS
  

LP_Suspicious Hack Tools Execution¶

• Trigger Condition: Execution of different Windows-based hack tools via their import hash (imphash) is detected, even if the files have been renamed. The MALICIOUS_TOOLS_IMPHASH list must be imported before activating this alert.

• ATT&CK Category: Credential Access, Resource Development

• ATT&CK Tag: OS Credential Dumping, Tool

• ATT&CK ID: T1003, T1588.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 hash_import IN MALICIOUS_TOOLS_IMPHASH
  

LP_Suspicious Execution of XORDump Utility for LSASS Memory Dump¶

• Trigger Condition: Suspicious execution of XORDump Utility, commonly used for LSASS Memory Dump, is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create "process"="*\xordump.exe" OR command IN ["* -process lsass.exe *", "* -m comsvcs *", "* -m dbghelp *", "* -m dbgcore *"]
  

LP_Suspicious Execution of Createdump Utility for Memory Dump¶

• Trigger Condition: Usage of the createdump.exe LOLOBIN utility to dump process memory is detected. Adversaries often seek to dump the lsass.exe process memory because it contains sensitive information, such as user credentials and authentication tokens.

• ATT&CK Category: Credential Access, Defense Evasion

• ATT&CK Tag: LSASS Memory, Masquerading

• ATT&CK ID: T1003.001, T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create "process"="*\createdump.exe" OR file="FX_VER_INTERNALNAME_STR'" command IN ["* -u *", "* -full *", "* -f *", "* --name *", "*.dmp*"]
  

LP_Suspicious DsInternals Get-ADReplAccount Activities¶

• Trigger Condition: Suspicious activities related to Get-ADReplAccount from the DSInternals PowerShell Module are detected. Adversaries may use this tool to maliciously access Domain Controllers’ credentials. For event id 4104, Powershell Script Block logging is required.

• ATT&CK Category: Credential Access

• ATT&CK Tag: DCSync

• ATT&CK ID: T1003.006

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label="process" label=create command="*Get-ADReplAccount*" command="*-All*" command="*Server*") OR (norm_id=WinServer event_id=4104 script_block="*Get-ADReplAccount*" script_block="*-All*" script_block="*Server*")
  

LP_Suspicious Activities Associated with NTDS Exfiltration¶

• Trigger Condition: Suspicious activities related to the Active Directory Domain Database (ntds.dit) are detected. Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information and obtain information about domain members, such as devices, users and access rights.

• ATT&CK Category: Credential Access

• ATT&CK Tag: NTDS

• ATT&CK ID: T1003.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create ("process" IN ["*\NTDSDump.exe", "*\NTDSDumpEx.exe"]) OR (command="*ntds.dit*" command="*system.hive*") OR (command="*NTDSgrab.ps1*") OR (command="*ac i ntds*" command="*create full*") OR (command="*/c copy*" command="*\windows\ntds\ntds.dit*") OR (command="*activate instance ntds*" command="*create full*") OR (command="*powershell*" command="*ntds.dit*") OR (command="*ntds.dit*" (parent_process IN ["*\apache*", "*\tomcat*", "*\AppData*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*"] OR "process" IN ["*\apache*", "*\tomcat*", "*\AppData*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*"]))
  

LP_Possible LSASS Memory Dump Via Windows Task Manager¶

• Trigger Condition: Creation of a lsass.dmp file by the taskmgr process is detected. Adversaries often seek to dump the lsass.exe process memory because it contains sensitive information, such as user credentials and authentication tokens.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=11 "process"="*\taskmgr.exe" path="*\Appdata\local\*" file="lsass*.dmp"
  

LP_Possible LSASS Dump Via SilentProcessExit Technique¶

• Trigger Condition: Dumping of a possible LSASS via the SilentProcessExit Technique is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id IN [12,13,14] target_object="*Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe*"
  

LP_NTDS or SAM Database Copy Operation¶

• Trigger Condition: Copy operation of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files is detected. Adversaries may attempt to access or create a copy of the Active Directory domain database or SAM database to steal credential information and obtain other information about domain members, such as devices, users and access rights.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, Security Account Manager, NTDS

• ATT&CK ID: T1003, T1003.002, T1003.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create (command IN ["*copy*", "*xcopy*", "*Copy-Item*", "*move*", "*cp*", "*mv*"] OR "process"="*\esentutl.exe" command IN ["*/y*", "*/vss*", "*/d*"]) command IN ["*\\NTDS.dit", "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*", "*\\SYSTEM*", "*\\SECURITY*", "*C:\\tmp\\log*", "**\\config\\SAM","*/system32/config/SAM*"]
  

LP_Microsoft IIS Service Account Password Dumped¶

• Trigger Condition: Execution of Information Services (IIS) command-line tool AppCmd to list passwords is detected. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\appcmd.exe" or file=appcmd.exe) command="*list *" (command IN ["* /config*", "* /xml*", "* -config*", "* -xml*"]) OR (command IN ["* /@t'*", "* /text*", "* /show*", "* -@t'*", "* -text*", "* -show*", "*password*", "*:\*"])
  

LP_Dumpert Process Dumper Execution¶

• Trigger Condition: Dumping of a possible credential via a tool called NPPSpy is detected. NPPSpy is a Network Provider/Credential Manager DLL that extracts credentials and stores them in plain text. This alert monitors file creation, registry manipulation and process creation events that indicate a potential credential dump via NPPSpy.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 hash_import="09D278F9DE118EF09163C6140255C690" or command="*Dumpert.dll*"
  

LP_Credential Dump Via NPPSpy¶

• Trigger Condition: Dumping of a possible credential via a tool called NPPSpy is detected. NPPSpy is a Network Provider/Credential Manager DLL that extracts credentials and stores them in plain text. This alert monitors file creation, registry manipulation and process creation events that indicate a potential credential dump via NPPSpy.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label=Registry label=Set target_object IN ["*\System\CurrentControlSet\Services\*", "*CurrentControlSet\Control\*" ] target_object="*\NetworkProvider*" -(target_object IN ["*\System\CurrentControlSet\Services\WebClient\NetworkProvider*", "*\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider*", "*\System\CurrentControlSet\Services\RDPNP\NetworkProvider*"] OR "process"="C:\Windows\System32\poqexec.exe")) OR (label=file label=create file IN ["NPPSpy.txt", "NPPSpy.dll"]) OR (label="process" label=create command="*\System\CurrentControlSet\Services\*" command="*\NetworkProvider*" )
  

LP_Malicious PowerShell Commandlets Detected¶

• Trigger Condition: Commandlet names from well-known Command and Scripting Interpreter, PowerShell exploitation frameworks are detected. The MALICIOUS_POWERSHELL_COMMANDLET_NAMES list must be imported for this alert to work correctly.

• ATT&CK Category: Execution

• ATT&CK Tag: PowerShell

• ATT&CK ID: T1059.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  command IN MALICIOUS_POWERSHELL_COMMANDLET_NAMES -command="*Get-SystemDriveInfo*" OR script_block IN MALICIOUS_POWERSHELL_COMMANDLET_NAMES -script_block="*Get-SystemDriveInfo*"
  

LP_Code Execution Via Diskshadow Detected¶

• Trigger Condition: Usage of diskshadow binary to execute code from a file is detected. Adversaries can use diskshadow with -s or /s tag to execute a command from a file and bypass detection.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\diskshadow.exe" command IN ["*/s *", "*-s *"]
  

LP_Image Mount Indicator in Recent Files¶

• Trigger Condition: Recent element files pointing to .iso, .img, .vhd or .vhdx files are detected. These image files are used in phishing attacks to deliver malware and circumvent the Mark of the Web (MotW) in Windows to execute malicious commands. It is a false positive on server systems, but on workstations, users rarely mount .iso or .img files.

• ATT&CK Category: Initial Access, Defense Evasion

• ATT&CK Tag: Mark-of-the-Web Bypass, Spearphishing Attachment

• ATT&CK ID: T1553.005, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id="WindowsSysmon" event_id=11 path="*\Microsoft\Windows\Recent\*" file IN ["*.iso.lnk", "*.img.lnk", "*.vhd.lnk", "*.vhdx.lnk"]
  

LP_Disk Image File Created¶

• Trigger Condition: Image files with extensions like .iso, .vhd, and .vhdx are downloaded from the internet into a user’s download or temporary folder. Adversaries often deliver their malware payloads through a .iso file format to bypass the Mark of the Web (MotW) in Windows and execute their payload successfully.

• ATT&CK Category: Initial Access, Defense Evasion

• ATT&CK Tag: Mark-of-the-Web Bypass, Spearphishing Attachment

• ATT&CK ID: T1553.005, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id="WindowsSysmon" event_id=11 (path="*Users*" path="*Downloads*") OR (path="*Appdata*") file IN ["*.iso", "*.vhd", "*.vhdx", "*.img"]
  

LP_PowerShell Execution via DLL Detected¶

• Trigger Condition: Execution of PowerShell via DLL instead of powershell.exe is detected. Powershell is a command-line shell used in Windows. Adversaries can execute PowerShell for malicious activities even if powershell.exe is blocked and no strict application whitelisting is implemented.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: PowerShell, Rundll32

• ATT&CK ID: T1059.001, T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process" IN ["*\rundll32.exe","*\regsvcs.exe","*\InstallUtil.exe","\regasm.exe"] OR file in ["RUNDLL32.EXE","RegSvcs.exe","InstallUtil.exe","RegAsm.exe"]) command IN ["*Default.GetString*","*FromBase64String*","*Invoke-Expression*","*IEX *","*Invoke-Command*","*ICM *","*DownloadString*"]
  

LP_Suspicious Windows Defender Registry keys Modification¶

• Trigger Condition: Changes in the Windows Defender registry settings to disable Windows Defender functionalities. Adversaries try to alter Windows Defender-associated registries to disable protection and detection features.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Disable or Modify Tools

• ATT&CK ID: T1562.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=registry label=set  target_object IN ["*\SOFTWARE\Microsoft\Windows Defender*",    "*\SOFTWARE\Policies\Microsoft\Windows Defender*"]  (  detail="DWORD (0x00000001)"   target_object IN ["*\DisableAntiSpyware", "*\DisableAntiVirus", "*\DisableBehaviorMonitoring",  "*\DisableIntrusionPreventionSystem",   "*\DisableIOAVProtection",  "*\DisableOnAccessProtection",   "*\DisableRealtimeMonitoring",  "*\DisableScanOnRealtimeEnable",   "*\DisableScriptScanning",  "*\DisableEnhancedNotifications",   "*\DisableBlockAtFirstSeen"]  )  OR  (  detail="DWORD (0x00000000)"  target_object IN ["*\App and Browser protection\DisallowExploitProtectionOverride",  "*\Features\TamperProtection", "*\MpEngine\MpEnablePus", "*\PUAProtection",   "*\Signature Update\ForceUpdateFromMU", "*\SpyNet\SpynetReporting",   "*\SpyNet\SubmitSamplesConsent",   "*\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess"]  )
  

LP_Executable Files Created and Executed by Office Applications¶

• Trigger Condition: When the executable file dropped or modified via office applications and executed within a specific time range is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  [norm_id=WindowsSysmon event_id=11 "process" IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.EXE", "*\MSACCESS.EXE"] file IN ["*.exe", "*.com","*bat","*.cmd"]] as s1 followed by  [norm_id=WindowsSysmon event_id=1] as s2 within 2 minute on s1.path=s2.path and s1.file=s2.file  | rename s1.host as host, s1.user as user, s1.domain as domain, s1.process as "process",  s1.file as file, s1.path as path
  

LP_WMI Backdoor in Exchange Transport Agent¶

• Trigger Condition: A WMI backdoor in Exchange Transport Agents (ETA) via WMI event filters is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation Event Subscription

• ATT&CK ID: T1546, T1546.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create (parent_process="*\EdgeTransport.exe" -("process"="C:\Windows\System32\conhost.exe" OR ("process"="C:\Program Files\Microsoft\Exchange Server\*" "process"="*\Bin\OleConverter.exe"))) -user IN EXCLUDED_USERS
  

LP_Suspicious Msiexec Usage Detected¶

• Trigger Condition: A .msi file executed from publicly writable folder and a command prompt or powershell spawned by msiexec.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Msiexec

• ATT&CK ID: T1218.007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\msiexec.exe" command IN
  ["*\ProgramData*", "*\AppData\Local*", "*\AppData\Roaming*", "*\Users\Public*"]
  command IN ["*.msi *","*.msi"]) OR
  (parent_process="*\msiexec.exe" "process" IN
  ["*\cmd.exe","*\powershell.exe", "*\pwsh.exe"])
  

LP_Suspicious Usage of Advanced IP Scanner¶

• Trigger Condition: Suspicious usage of Advanced IP Scanner is detected.

• ATT&CK Category: Reconnaissance, Discovery

• ATT&CK Tag: Network Service Discovery, Network Share Discovery, Gather Victim Network Information

• ATT&CK ID: T1046, T1135, T1590

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create ("process"="*\advanced_ip_scanner*" OR file="*advanced_ip_scanner*") OR (description="*Advanced IP Scanner*") OR (command="*/portable*" command="*/lng*")
  

LP_Persistence through Port Monitor Registry modification¶

• Trigger Condition: A new entry in the printer monitor registry is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors

• ATT&CK ID: T1547, T1547.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=13 target_object="HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\*" detail="*.dll" -(("process"="C:\Windows\System32\spoolsv.exe" target_object="*\System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver*" detail="cpwmon64_v40.dll"user IN ["*AUTHORI*", "*AUTORI*"]) OR (target_object="*Control\Print\Monitors\MONVNC\Driver*") OR (target_object="*Control\Print\Environments\*"target_object="*\Drivers\*" target_object="*\VNC Printer*"))
  

LP_File Dropped in Suspicious Location¶

• Trigger Condition: Dropping a file in a suspicious system location is detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Ingress Tool Transfer

• ATT&CK ID: T1105

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=11 path IN ["C:\ProgramData*", "*\AppData\Local*", "*\AppData\Roaming*", "C:\Users\Public*"] -"process" IN ["*\Microsoft Visual Studio\Installer\*\BackgroundDownload.exe", "C:\Windows\system32\cleanmgr.exe", "*\Microsoft\Windows Defender\*\MsMpEng.exe", "C:\Windows\SysWOW64\OneDriveSetup.exe", "*\AppData\Local\Microsoft\OneDrive*", "*\Microsoft\Windows Defender\platform\*\MpCmdRun.exe", "*\AppData\Local\Temp\mpam-*.exe"] -file IN ["vs_setup_bootstrapper.exe", "DismHost.exe","*_PSScriptPolicyTest*.ps1"]
  

LP_Alternate PowerShell Hosts via Powershell Module¶

• Trigger Condition: Alternate Command and Scripting Interpreter and PowerShell hosts are detected. Adversaries might use this technique to bypass detections looking for powershell.exe. PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary. Powershell module logging is needed for log source.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer event_id=4103 host_application IN ["*= powershell*", "*= C:\Windows\System32\WindowsPowerShell\v1.0\powershell*", "*= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell*", "*= C:/Windows/System32/WindowsPowerShell/v1.0/powershell*", "*= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell*"] -(host_application IN ["*= C:\WINDOWS\System32\sdiagnhost.exe -Embedding*", "*ConfigSyncRun.exe*", "*C:\Windows\system32\dsac.exe*", "*C:\Windows\system32\wsmprovhost.exe -Embedding*"] OR payload IN ["*Update-Help*", "*Failed to update Help for the module*"] )
  

LP_Suspicious Usage of Where Binary¶

• Trigger Condition: An enumeration attempt on browser bookmarks to learn more about compromised hosts is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Browser Bookmark Discovery

• ATT&CK ID: T1217

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Process" label=Create "process"="*\where.exe" command in ["*places.sqlite*","*cookies.sqlite*",  "*formhistory.sqlite*", "*logins.json*",  "*key4.db*","*key3.db*",  "*sessionstore.jsonlz4*", "*History*", "*Bookmarks*", "*Cookies*", "*Login Data*" ]
  

LP_MSHTA - Activity Detected¶

• Trigger Condition: Network connection events initiated by mshta.exe are detected. Adversaries abuse mshta.exe for proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=3 (command="*mshta.exe" or parent_command="*mshta.exe") -user IN EXCLUDED_USERS
  

LP_Alternate PowerShell Hosts via Named Pipe¶

• Trigger Condition: Alternate Command and Scripting Interpreter and PowerShell hosts are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=17 pipe="\PSHost*" source_image=* -source_image IN ["*\powershell.exe", "*\powershell_ise.exe", "*\WINDOWS\System32\sdiagnhost.exe", "*\WINDOWS\System32\wsmprovhost.exe", "*\Windows\system32\dsac.exe", "*\Windows\system32\wbem\wmiprvse.exe", "*\ForefrontActiveDirectoryConnector.exe", "*c:\windows\system32\inetsrv\w3wp.exe", "C:\Program Files\Citrix\*", "C:\Program Files\Microsoft\Exchange Server\*", "C:\Windows\system32\ServerManager.exe", "C:\Program Files\PowerShell\7\pwsh.exe", "*:\Program Files*\Microsoft SQL Server\*\Tools\Binn\SQLPS.exe"]
  

LP_Suspicious File Execution Using Wcript or Cscript¶

• Trigger Condition: Process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers is detected. An adversary may attempt to block indicators or events captured by sensors from being gathered and analyzed.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking

• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label="Process" label=Create ("process"="*\fltmc.exe" OR command="*fltmc*unload*") -user IN EXCLUDED_USERS
  

LP_Suspicious Child Process Spawned by Microsoft Office Product¶

• Trigger Condition: Suspicious child process spawned by Microsoft Office Products such as Excel, Powerpoint, Onenote or Visio are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Windows Command Shell, Malicious File

• ATT&CK ID: T1059, T1059.001, T1059.003, T1204.002

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label="Process" label=Create parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\OUTLOOK.EXE","*\MSACCESS.EXE","*\EQNEDT32.EXE", "*\Onenote.exe","*\wordview.exe","*\outlook.exe"]   ("process" IN ["\AppVLP.exe","*\bash.exe","*\bitsadmin.exe","*\certoc.exe","*\certutil.exe","*\cmd.exe","*\cmstp.exe","*\control.exe","*\cscript.exe","*\curl.exe","*\forfiles.exe","*\hh.exe","*\ieexec.exe","*\installutil.exe","*\javaw.exe","*\mftrace.exe","*\Microsoft.Workflow.Compiler.exe","*\msbuild.exe","*\msdt.exe","*\mshta.exe","*\msidb.exe","*\msiexec.exe","*\msxsl.exe","*\odbcconf.exe","*\pcalua.exe","*\powershell.exe","*\pwsh.exe","*\regasm.exe","*\regsvcs.exe","*\regsvr32.exe","*\rundll32.exe","*\schtasks.exe","*\scrcons.exe","*\scriptrunner.exe","*\sh.exe","*\svchost.exe","*\verclsid.exe","*\wmic.exe","*\workfolders.exe","*\wscript.exe","*\AppData\*","*\Users\Public\*","*\ProgramData\*","*\Windows\Tasks\*","*\Windows\Temp\*","*\Windows\System32\Tasks\*"] OR file in ["bitsadmin.exe","CertOC.exe","CertUtil.exe","Cmd.Exe","CMSTP.EXE","cscript.exe","curl.exe","HH.exe","IEExec.exe","InstallUtil.exe","javaw.exe","Microsoft.Workflow.Compiler.exe","msdt.exe","MSHTA.EXE","msiexec.exe","Msxsl.exe","odbcconf.exe","pcalua.exe","PowerShell.EXE","RegAsm.exe","RegSvcs.exe","REGSVR32.exe","RUNDLL32.exe","schtasks.exe","ScriptRunner.exe","wmic.exe","WorkFolders.exe","wscript.exe"])
  

LP_Windows Login Attempt on Disabled Account¶

• Trigger Condition: Login attempt on disabled account is detected.

• ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer* label=User label=Login label=Fail sub_status_code="0xC0000072" -target_user=*$ -user=*$ -user IN EXCLUDED_USERS | rename user as target_user, domain as target_domain, reason as failure_reason
  

LP_RClone Utility Execution¶

• Trigger Condition: Execution of the RClone tool or command line option used in the tool is detected.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Web Service, Exfiltration to Cloud Storage

• ATT&CK ID: T1567, T1567.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create (command="*--config *" command="*--no-check-certificate *" command="* copy *") OR  (("process"="*\rclone.exe" OR description="Rsync for cloud storage") command IN ["*pass*","*user*","*copy*","*sync*","*config*","*lsd*","*remote*","*ls*","*mega*","*pcloud*","*ftp*","*ignore-existing*","*auto-confirm*","*transfers*","*multi-thread-streams*","*no-check-certificate *"])
  

LP_UAC Bypass via SDCLT¶

• Trigger Condition: User Account Control (UAC) bypass attempt via SDCLT.exe is detected or it detects modification to registry keys HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand and HKCU:\Software\Classes\Folder\shell\open\command which can indicate UAC bypass using registry key manipulation of sdclt.exe.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  (norm_id=WindowsSysmon event_id=1  parent_process="*\sdclt.exe" parent_command="*/kickoffelev*" integrity_level=High  -"process" IN ["C:\Windows\SysWOW64\sdclt.exe", "C:\Windows\System32\sdclt.exe", "C:\Windows\SysWOW64\control.exe", "C:\Windows\System32\control.exe", "C:\Windows\System32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe", "C:\Windows\System32\wermgr.exe", "C:\Windows\SysWOW64\wermgr.exe"]) OR (norm_id=WindowsSysmon event_id="13"  target_object IN ["*\Classes\exefile\shell\runas\command\isolatedCommand*", "*\Classes\Folder\shell\open\command*"])
  

LP_Suspicious Binary Execution in User Directory¶

• Trigger condition: An executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Malicious File

• ATT&CK ID: T1204.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\MSACCESS.exe", "*\EQNEDT32.exe"] "process"="C:\users\*.exe" -"process"="*\Teams.exe"
  

LP_Suspicious WMIC Child Process¶

• Trigger condition: Suspicious child process of WMIC is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process="*\wmic.exe" -"process" IN ["C:\Windows\System32\conhost.exe", "C:\Windows\system32\wbem\WMIC.exe", "C:\Windows\syswow64\wbem\WMIC.exe", "C:\Windows\system32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe"]
  

LP_Suspicious File Execution Using Wscript or Cscript¶

• Trigger condition: File with extensions of .jse, .vbe, .js and .vba is executed using wscript or cscript is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Visual Basic, JavaScript

• ATT&CK ID: T1059.005, T1059.007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Create" label="Process" "process" IN ["*\wscript.exe", "*\cscript.exe"] -command="*.json*" command IN ["*.jse*", "*.vbe*", "*.js*", "*.vba*"]
  

LP_BCDEdit Safe Mode Command Execution¶

• Trigger condition: Spawning of Boot Configuration Data Edit (BCDEdit) from suspicious processes, to configure a reboot into safe mode, is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Inhibit System Recovery

• ATT&CK ID: T1490

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\bcdedit.exe" command IN ["*minimal*", "*network*", "*safebootalternateshell*"] parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.EXE", "*\MSACCESS.EXE", "*\MSPUB.EXE", "*\OUTLOOK.EXE", "*\fltldr.exe", "*\cscript.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe", "*\cmd.exe", "*\rundll32.exe", "*\regsvr32.exe", "*\mshta.exe", "*\msbuild.exe"]
  

LP_Suspicious Encoded PowerShell Command Line¶

• Trigger condition: A suspicious PowerShell base64 encoded command is detected. Adversaries can use this technique to evade defense mechanisms by encoding and decoding payload.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create command IN ["* -e JAB*", "* -e JAB*", "* -e JAB*", "* -e JAB*", "* -e JAB*", "* -e JAB*", "* -en JAB*", "* -enc JAB*", "* -enc* JAB*", "* -w hidden -e* JAB*", "* BA^J e-", "* -e SUVYI*", "* -e aWV4I*", "* -e SQBFAFgA*", "* -e aQBlAHgA*", "* -enc SUVYI*", "* -enc aWV4I*", "* -enc SQBFAFgA*", "* -enc aQBlAHgA*"] -command="* -ExecutionPolicy remotesigned *" -user IN EXCLUDED_USERS
  

LP_Persistence Attack through Accessibility Process Feature¶

• Trigger condition: Accessibility features used to execute a command prompt or other backdoors are detected.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Accessibility Features

• ATT&CK ID: T1546, T1546.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 user="SYSTEM" parent_process IN ["*\Utilman.exe","*\winlogon.exe"]  "process" IN ["*\osk.exe","*\Magnify.exe","*\Narrator.exe","*\sethc.exe","*\utilman.exe", "*\ATBroker.exe", "*\DisplaySwitch.exe"] -file IN ["osk.exe","sethc.exe","utilman2.exe","DisplaySwitch.exe","ATBroker.exe","ScreenMagnifier.exe","SR.exe","Narrator.exe","magnify.exe"]
  

LP_Firewall Rule Addition via Netsh Detected¶

• Trigger condition: A connection allowed by a port or application on the Windows firewall is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify System Firewall

• ATT&CK ID: T1562, T1562.004

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create command IN ["*netsh* firewall add*"] -user IN EXCLUDED_USERS
  

LP_MSHTA Spawned by SVCHOST Detected¶

• Trigger condition: Microsoft HTML Application Host (MSHTA) binary spawned by the Svchost process is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Mshta

• ATT&CK ID: T1218.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process="*\svchost.exe" "process"="*\mshta.exe" -user IN EXCLUDED_USERS
  

LP_Exploitation of CVE-2019-1388 Detected¶

• Trigger condition: An exploitation attempt of CVE-2019-1388 in which the UAC consent dialogue used to invoke a Windows process running as LOCAL_SYSTEM is detected. CVE-2019-1388 is an elevation of privilege vulnerability in the Windows Certificate Dialog.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Exploitation for Privilege Escalation

• ATT&CK ID: T1068

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process="*\consent.exe" "process"="*\iexplore.exe" command="* http*" (integrity_level="System" OR user IN ["SYSTEM","*AUTHORI*","*AUTORI*","*AUKTORI*"])
  

LP_Sophos EPP Registry Modification¶

• Trigger condition: Modifying Sophos EPP Tamper Protection registry keys to turn off services is detected. Sophos EPP Tamper Protection is the service offered by the EPP that constantly checks if a malware or adversary or rogue employee turns off the AV services to avoid detection.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=Registry label=Set label=value target_object IN ["*\CurrentControlSet\Services\Sophos Endpoint*\SEDEnabled", "*\CurrentControlSet\Services\Sophos Endpoint*\SAVEnabled "] detail="DWORD (0x00000000)"
  

LP_Office365 Inbox Rule with Special Characters Created¶

• Trigger condition: A new inbox rule created on Office365 with a suspicious name made of only special characters is detected.

• ATT&CK Category: Collection

• ATT&CK Tag: Email Forwarding Rule

• ATT&CK ID: T1114.003

• Minimum Log Source Requirement: Office365

• Query:

  norm_id=Office365 action="New-InboxRule" name=*| process regex("(?P<match>^[^a-zA-Z0-9]*$)", "name") | search match=*
  

LP_Suspicious WerFault Process Creation¶

• Trigger condition: A services.exe spawns werfault.exe process from non-default paths is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create  "process"="*\WerFault.exe" ("process"="C:\Windows\WinSxS\*" OR -"process" IN ["C:\Windows\System32\*","C:\Windows\SysWOW64\*"])
  

LP_Suspicious WerFault File Creation¶

• Trigger condition: A non-system process drops the WerFault.exe binary inside the C:\Windows\WinSxS\ folder is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=File label=Create  path="C:\Windows\WinSxS\*" file="WerFault.exe" -"process" IN ["C:\Windows\Systems32\*","C:\Windows\SysWOW64\*","*C:\Windows\WinSxS\*"]
  

LP_Snake Malware Covert Store Registry Key Detected¶

• Trigger condition: A registry operation for the key SECURITYPolicySecretsn is detected. Snake Malware utilizes the registry key to store the encryption key.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (norm_id=WindowsSysmon event_id IN [12,13,14]  target_object="*SECURITY\Policy\Secrets\n") OR (norm_id=Winserver event_id=4657 path="*SECURITY\Policy\Secrets\n")
  

LP_Suspicious WerFault Service Creation¶

• Trigger condition: A new service installed using the WerFault.exe file is detected. WerFault.exe is a system component that plays a crucial role in Windows operating systems. It manages system error reporting.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  norm_id=WinServer event_id IN [4697,7045] (file="WerFault.exe"  OR path="*WerFault.exe") (path="C:\Windows\WinSxS\*" OR -path IN ["C:\Windows\System32*","C:\Windows\SysWOW64*"])
  

LP_Suspicious Named Pipe Connection to Azure AD Connect Database¶

• Trigger condition: Named pipe connection to Azure AD Connect database from suspicious processes coming from command shells like PowerShell, which may indicate attackers attempting to dump plaintext credentials of AD and Azure AD connector account using tools such as AADInternals is detected.

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon label=Pipe label=Connect pipe="*\tsql\query" -image IN ["*\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe", "*\Tools\Binn\SqlCmd.exe"]
  

LP_Suspicious Driver Loaded¶

• Trigger condition: Misuse of known drivers by adversaries for malicious purposes is detected. The driver itself are not malicious but are misused by threat actors. For this alert to trigger SUSPICIOUS_DRIVER list is required.

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=Image label=Load image IN SUSPICIOUS_DRIVER
  

LP_AADInternals PowerShell Cmdlet Execution¶

• Trigger condition: The execution of AADInternals commandlets is detected. AADInternals (S0677) toolkit is a PowerShell module containing tools for administering and hacking Azure AD and Office 365. Adversaries use AADInternals to extract the credentials from the system where the AAD Connect server was installed and compromise the AAD environment.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows, PowerShell

• Query:

  norm_id=WinServer event_source="Microsoft-Windows-PowerShell" event_id=4104 script_block IN AADINTERNALS_CMDLETS
  

LP_Suspicious Scheduled Task Creation via Masqueraded XML File¶

• Trigger condition: The creation of a suspicious scheduled task using an XML file with a masqueraded extension is detected.

• ATT&CK Category: Persistence, Defense Evasion

• ATT&CK Tag: Masquerading, Match Legitimate Name or Location, Scheduled Task/Job and Scheduled Task

• ATT&CK ID: T1036, T1036.005, T1053 and T1053.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

  label=create label="process" "process"="*\schtasks.exe" command IN ["*/create*", "*-create*"]  command IN ["*/xml*","*-xml*"] (-integrity_level=system OR -integrity_label=*system*) -command = *.xml* ((-parent_process IN ["*:\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe", "*:\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe", "*:\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe", "*:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe", "*:\Program Files\Dell\SupportAssist\pcdrcui.exe" ] ) OR (-parent_process = "*\rundll32.exe" command = "*:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc" ))
  

LP_Suspicious Microsoft Equation Editor Child Process¶

• Trigger condition: A suspicious child process of Microsoft’s equation editor is detected as a sign of possible exploitation of CVE-2017-11882. CVE-2017-11882 is a vulnerability in Microsoft Office’s Equation Editor component.

• ATT&CK Category: Execution

• ATT&CK Tag: Exploitation for Client Execution

• ATT&CK ID: T1203

• Minimum Log Source Requirement: Windows Sysmon, Windows

  label="Process" label=Create parent_process="*\EQNEDT32.exe" -"process" IN ["C:\Windows\System32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe"]
  

LP_Windows Error Process Masquerading¶

• Trigger condition: Suspicious Windows error reporting process behavior, where network connections are made after execution is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

  [norm_id=WindowsSysmon event_id=1 "process" IN ["*\WerMgr.exe", "*\WerFault.exe"]] as s1 followed by [norm_id=WindowsSysmon event_id=3 "process" IN ["*\WerMgr.exe", "*\WerFault.exe"]] as s2 within 1 minute on s1.process_guid=s2.process_guid | rename s1.host as host, s1.user as user, s1.domain as domain, s1.image as image, s2.destination_address as destination_address, s2.destination_port as destination_port
  

LP_Bypass UAC via CMSTP Detected¶

• Trigger condition: Child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe) are detected.

• ATT&CK Category: Privilege Escalation, Defense Evasion

• ATT&CK Tag: CMSTP, Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1218.003, T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\cmstp.exe" command IN ["*/s*", "*/au*", "*/ni*", "*-s*", "*-au*", "*-ni*"] -user IN EXCLUDED_USERS
  

LP_Application Whitelisting Bypass via Dxcap Detected¶

• Trigger condition: Adversaries bypass process and/or signature-based defenses by execution of Dxcap.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution

• ATT&CK ID: T1127

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\dxcap.exe" command="*-c*" command="*.exe*" -user IN EXCLUDED_USERS
  

LP_Suspicious WMIC XSL Script Execution¶

• Trigger condition: Loading of a Windows Script module through wmic by Microsoft Core XML Services (MSXML) process is detected to bypass application whitelisting.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: XSL Script Processing

• ATT&CK ID: T1220

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  [norm_id=WindowsSysmon event_id=1 file="wmic.exe"  command IN ["* format*:*", "*/format*:*", "*-format*:*"]  -command IN ["*format:list*", "*format:table*", "*format:htable", "*format:texttablewsys*", "*format:texttable*", "*format:textvaluelist*", "*format:TEXTVALUELIST*", "*format:csv*", "*format:value*"]] as s1 followed by [norm_id=WindowsSysmon event_id=7 image IN ["*\jscript.dll", "*\vbscript.dll"]] as s2 within 2 minute on s1.process_guid=s2.process_guid | rename s1.process as "process", s1.host as host, s1.domain as domain, s1.command as command, s2.image as loaded_image
  

LP_Suspicious File Execution via MSHTA¶

• Trigger condition: Execution of javascript or VBScript files and other abnormal extension files executed via mshta binary is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: JavaScript, Deobfuscate/Decode Files or Information, Mshta

• ATT&CK ID: T1059.007, T1140, T1218.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label="create" "process"="*\mshta.exe" command IN ["*javascript*", "*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"] -user IN EXCLUDED_USERS
  

LP_Regsvr32 Anomalous Activity Detected¶

• Trigger condition: Various anomalies concerning regsvr32.exe are detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

• ATT&CK ID: T1218, T1218.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 ((image="*\regsvr32.exe" command="*\Temp\*") OR (image="*\regsvr32.exe" parent_image="*\powershell.exe") OR (image="*\regsvr32.exe" parent_image="*\cmd.exe") OR (image="*\regsvr32.exe" command IN ["*/i:http* scrobj.dll", "*/i:ftp* scrobj.dll"]) OR (image="*\wscript.exe" parent_image="*\regsvr32.exe") OR (image="*\EXCEL.EXE" command="*..\..\..\Windows\System32\regsvr32.exe *")) -user IN EXCLUDED_USERS
  

LP_Remote File Execution via MSIEXEC¶

• Trigger condition: Suspicious use of msiexec.exe to install remote Microsoft Software Installer (MSI) files is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Msiexec

• ATT&CK ID: T1218.007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create "process"="*/msiexec.exe" command="*http*" command IN ["*/i*", "*-i*"] ((command IN ["*/q*", "*/quiet*", "*/qn*", "*-q*", "*-quiet*", "*-qn*"]) OR (command IN ["*-Q-I*", "*-I-Q*", "*/q-i*", "*-q/i*", "*/q/i*" ])) -(parent_image="*setup*") -integrity_level=SYSTEM
  

LP_Execution of Trojanized 3CX Application¶

• Trigger Condition: Execution of the trojanized version of the 3CX Desktop is detected. 3CX Desktop versions 18.12.407 and 18.12.416 are known to be trojanized by the Lazarus Group and are also signed using the 3CX signature.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masqueradings

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 file="3CXDesktopApp.exe" product IN ["*3CX Ltd*","*3CX Desktop App*"] file_version IN ["*18.12.407*","18.12.416*"]
  

LP_Msbuild Spawned by Unusual Parent Process¶

• Trigger condition: Suspicious use of msbuild.exe by an uncommon parent process is detected. msbuild.exe is a legitimate Microsoft tool used for building and deploying software applications.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution, MSBuild

• ATT&CK ID: T1127, T1127.001

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label=Create label="Process" "process"="*\MSBuild.exe" -parent_process in ["*\devenv.exe", "*\cmd.exe", "*\msbuild.exe", "*\python.exe", "*\explorer.exe", "*\nuget.exe"]
  

LP_Suspicious Files Designated as System Files Detected¶

• Trigger condition: The execution of the +s option of the attrib command is detected to designate scripts or executable files in suspicious locations as system files, hiding them from users and making them difficult to detect or remove. attrib.exe is a Windows command-line utility that allows users to adjust file or folder attributes such as read-only, hidden and system.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

• ATT&CK ID: T1564, T1564.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label=Create label="Process" "process"="*\attrib.exe" command = "* +s *" command in ["* %*", "*\Users\Public\*", "*\AppData\Local\*", "*\ProgramData\*", "*\Windows\Temp\*"] command in ["*.bat*", "*.dll*", "*.exe*", "*.hta*", "*.ps1*", "*.vbe*", "*.vbs*"] -command="*\Windows\TEMP\*.exe*"
  

LP_Bypass User Account Control using Registry¶

• Trigger condition: Bypass of User Account Control (UAC) is detected. Adversaries bypass UAC mechanisms to elevate process privileges on the system. The alert queries for *\mscfile\shell\open\command\* or *\ms-settings\shell\open\command\*.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon ((event_id=12 event_type=*Create*) OR (event_id=13 event_type=SetValue)) target_object IN ["*\mscfile\shell\open\command\*","*\ms-settings\shell\open\command\*"]
  

LP_Unsigned Image Loaded Into LSASS Process¶

• Trigger condition: Loading of unsigned images like DLL or EXE into the LSASS process is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, LSASS Memory

• ATT&CK ID: T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=7 image="*\lsass.exe" signed="false" -user IN EXCLUDED_USERS
  

LP_Usage of Sysinternals Tools Detected¶

• Trigger condition: The use of Sysinternals tools due to the addition of accepteula key to a registry is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label=Registry label=Set target_object="*\EulaAccepted") or (label=Create label="Process" command IN ["* -accepteula*", "* /accepteula*"])
  

LP_Microsoft SharePoint Remote Code Execution Detected¶

• Trigger condition: The execution of a remote code in Microsoft SharePoint (CVE-2019-19781).

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, IDS/IPS, Web server

• Query:

  request_method=POST (url='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*' OR resource='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*')
  

LP_DenyAllWAF SQL Injection Attack¶

• Trigger condition: DenyALLWAF detects SQL injection attack.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: DenyAll WAF

• Query:

  norm_id=DenyAllWAF label=SQL label=Injection
  

LP_Windows CryptoAPI Spoofing Vulnerability Detected¶

• Trigger condition: Vulnerability related to CVE-2020-0601 is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Subvert Trust Controls, Code Signing

• ATT&CK ID: T1553, T1553.002

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer label=CVE label=Exploit label=Detect cve_id="CVE-2020-0601" -user IN EXCLUDED_USERS
  

LP_Malicious use of Scriptrunner Detected¶

• Trigger condition: The malicious use of Scriptrunner.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="create" label="process" ("process"="*\ScriptRunner.exe" OR file="ScriptRunner.exe") command="* -appvscript *"
  

LP_Suspicious process related to Rundll32 Detected¶

• Trigger condition: A suspicious process related to RunDLL32.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Rundll32

• ATT&CK ID: T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="create" label="process" (command IN ["*javascript:*", "*.RegisterXLL*"] OR (command="*url.dll*" command="*OpenURL*") OR (command="*url.dll*" command="*OpenURLA*") OR (command="*url.dll*" command="*FileProtocolHandler*") OR (command="*zipfldr.dll*" command="*RouteTheCall*") OR (command="*shell32.dll*" command="*Control_RunDLL*") OR (command="*shell32.dll*" command="*ShellExec_RunDLL*") OR (command="*mshtml.dll*" command="*PrintHTML*") OR (command="*advpack.dll*" command="*LaunchINFSection*") OR (command="*advpack.dll*" command="*RegisterOCX*") OR (command="*ieadvpack.dll*" command="*LaunchINFSection*") OR (command="*ieadvpack.dll*" command="*RegisterOCX*") OR (command="*ieframe.dll*" command="*OpenURL*") OR (command="*shdocvw.dll*" command="*OpenURL*") OR (command="*syssetup.dll*" command="*SetupInfObjectInstallAction'*") OR (command="*setupapi.dll*" command="*InstallHinfSection*") OR (command="*pcwutl.dll*" command="*LaunchApplication*") OR (command="*dfshim.dll*" command="*ShOpenVerbApplication*"))
  

LP_Javascript conversion to executable Detected¶

• Trigger condition: A windows executable jsc.exe is used to convert javascript files to craft malicious executables.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution

• ATT&CK ID: TT1127

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="create" label="process" "process"="*\jsc.exe" command="*.js*"
  

LP_Suspicious Execution of Gpscript Detected¶

• Trigger condition: A group policy script gpscript.exe is used to execute logon or startup scripts configured in Group Policy.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="create" label="process" "process"="*\gpscript.exe" command IN ["* /logon*", "* /startup*"]
  

LP_Proxy Execution via Desktop Setting Control Panel¶

• Trigger condition: A windows internal binary rundll32 with desk.cpl is used to execute spoof binary with “.cpl” extension.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Rundll32

• ATT&CK ID: T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label="Create" "process"="*\rundll32.exe" command="*desk.cpl*InstallScreenSaver*.scr*"
  

LP_Xwizard DLL Side Loading Detected¶

• Trigger condition: The use of xwizard binary from the non-default directory is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: DLL Side-Loading

• ATT&CK ID: T1574.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\xwizard.exe" -"process"="C:\Windows\System32\*"
  

LP_DLL Side Loading Via Microsoft Defender¶

• Trigger condition: An execution of mpcmdrun binary from non default path is detected.

• ATT&CK Category: Persistence, Defense Evasion

• ATT&CK Tag: DLL Side-Loading

• ATT&CK ID: T1574.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label=Image label=Load "process" IN ["*\MpCmdRun.exe","*\NisSrv.exe"] -"process" IN ["C:\Program Files\Windows Defender\*","'C:\ProgramData\Microsoft\Windows Defender\Platform\*"] image="*\mpclient.dll"
  

LP_ZIP File Creation or Extraction via Printer Migration CLI Tool¶

• Trigger condition: The creation or extraction of .zip file via printbrm utility is detected.

• ATT&CK Category: Defense Evasion, Command and Control

• ATT&CK Tag: Ingress Tool Transfer, NTFS File Attributes

• ATT&CK ID: T1105, T1564.004

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label="Create" "process"="*\printbrm.exe" command="*f *" command="*.zip*"
  

LP_Credentials Capture via Rpcping Detected¶

• Trigger condition: The creation of Remote Procedure Call (RPC) via Rpcping binary is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label="Create" "process"="*\rpcping.exe" command="*s *" ( (command="*u *" command="*NTLM*") OR ( command="*t *" command="*ncacn_np*"))
  

LP_Suspicious ConfigSecurityPolicy Execution Detected¶

• Trigger condition: A local file upload via ConfigSecurityPolicy binary to attack the control server is detected.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Web Service

• ATT&CK ID: T1567

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label="Create" "process"="*\ConfigSecurityPolicy.exe" command IN ["*https://*","*http://*","*ftp://*"]
  

LP_C-Sharp Code Compilation Using Ilasm Detected¶

• Trigger condition: C# code is either compiled into executables or into DLL using Ilasm utility.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution

• ATT&CK ID: T1127

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Process" label="Create" ("process"="*\ilasm.exe" OR file="ilasm.exe")
  

LP_Process Dump via Resource Leak Diagnostic Tool¶

• Trigger condition: A process dump is detected using a Microsoft Windows native tool rdrleakdiag.exe.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create ("process"="*\RdrLeakDiag.exe" or file="RdrLeakDiag.exe") command="*fullmemdmp*"
  

LP_Suspicious DLL execution via Register-Cimprovider¶

• Trigger condition: A dll file load/execution is detected using a Microsoft Windows native tool Register-Cimprovider.exe.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow

• ATT&CK ID: TT1574

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label="create" "process"="*\register-cimprovider.exe" command="*-path*" command="*dll*"
  

Accessibility features - Process¶

• Trigger condition: Adversaries establish persistence and/or elevate privileges by executing malicious content by process features.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Accessibility Features

• ATT&CK ID: T1546,T1546.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 parent_image="*winlogon.exe" (image="*sethc.exe" or image="*utilman.exe" or image="*osk.exe" or image="*magnify.exe" or image="*displayswitch.exe" or image="*narrator.exe" or image="*atbroker.exe") -user IN EXCLUDED_USERS
  

LP_Accessibility Features-Registry¶

• Trigger condition: An adversary establish persistence and/or elevates privileges by executing malicious content, replacing accessibility feature binaries, pointers, or references to these binaries in the registry.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Accessibility Features

• ATT&CK ID: T1546,T1546.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" -user IN EXCLUDED_USERS
  

LP_Active Directory DLLs Loaded By Office Applications¶

• Trigger condition: Kerberos DLL or DSParse DLL loaded by the Office products like WinWord, Microsoft PowerPoint, Microsoft Excel or Microsoft Outlook is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Malicious File

• ATT&CK ID: T1204.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=7 "process" IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*\kerberos.dll*","*\c.dll*"] -user IN EXCLUDED_USERS
  

LP_DCSync detected¶

• Trigger condition: The abuse of Active Directory Replication Service (ADRS) detected from a non-machine account to request credentials or DC Sync by creating a new SPN.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, DCSync

• ATT&CK ID: T1003,T1003.006

• Minimum Log Source Requirement: Windows

• Query:

  ((norm_id=WinServer event_id=4662 access_mask="0x100" properties IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*", "*Replicating Directory Changes All*"] -user="*$" -user="MSOL_*") or (norm_id=WinServer event_id=4742 service="*GC/*"))-user IN EXCLUDED_USERS
  

LP_Active Directory Replication User Backdoor¶

• Trigger condition: Modification of the security descriptor of a domain object for granting Active Directory replication permissions to a user.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: File and Directory Permissions Modification, Windows File and Directory Permissions Modification

• ATT&CK ID: T1222,T1222.001

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer event_id=5136 ldap_display="ntsecuritydescriptor" attribute_value IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"] -user IN EXCLUDED_USERS
  

LP_Activity Related to NTDS Domain Hash Retrieval¶

• Trigger condition: Copying of ntds.dit file is detected. NTDS.dit file is a database that stores the Active Directory data (including users, groups, security descriptors and password hashes).

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, NTDS

• ATT&CK ID: T1003, T1003.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create command IN [ "*vssadmin.exe Delete Shadows*", "*vssadmin create shadow /for=C:*", "*copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*", "*copy \\?\GLOBALROOT\Device\\*\config\SAM*", "*vssadmin delete shadows /for=C:*", "*reg SAVE HKLM\SYSTEM*", "*esentutl.exe /y /vss *\ntds.dit*", "*esentutl.exe /y /vss *\SAM*", "*esentutl.exe /y /vss *\SYSTEM*"]
  

LP_AD Object WriteDAC Access Detected¶

• Trigger condition: WRITE_DAC, which can modify the discretionary access-control list (DACL) in the object security descriptor, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: File and Directory Permissions Modification

• ATT&CK ID: T1222

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer event_id=4662 object_server="DS" access_mask=0x40000 object_type IN ["19195a5b-6da0-11d0-afd3-00c04fd930c9", "domainDNS"] -user IN EXCLUDED_USERS
  

LP_AD Privileged Users or Groups Reconnaissance Detected¶

• Trigger condition: priv users or groups recon based on 4661 event ID and privileged users or groups SIDs are detected. The object names must be; domain admin, KDC service account, admin account, enterprise admin, group policy creators and owners, backup operator, or remote desktop users.

• ATT&CK Category: Discovery

• ATT&CK Tag: Account Discovery, Local Account, Domain Account

• ATT&CK ID: T1087,T1087.001,T1087.002

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer event_id=4661 object_type IN ["SAM_USER", "SAM_GROUP"] object_name IN ["*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555", "*admin*"] -user IN EXCLUDED_USERS
  

LP_Addition of SID History to Active Directory Object¶

• Trigger condition: Addition of SID History to Active Directory Object is detected. An attacker can use the SID history attribute to gain additional privileges.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Access Token Manipulation, SID-History Injection

• ATT&CK ID: T1134,T1134.005

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer (event_id IN ["4765", "4766"] OR (event_id=4738 -sid_history="%%1793" sid_history=*)) -user IN EXCLUDED_USERS