MITRE ATT&CK Analytics¶

LP_Block Network Connections from EDR via WFP¶

• Trigger Condition: Endpoint Detection and Response (EDR) network connection blocked by the Windows Filtering Platform (WFP). Adversaries might use WFP filters to interfere with EDR agents, stopping them from sending essential signals like security alerts and helping the attackers stay hidden.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses

• ATT&CK ID: T1562

• Minimum Log Source Requirement: Windows

• Query:

  norm_id="Winserver" event_id="5157" application IN EDR_PROCESS
  

LP_RDP Extension File Dropped in Outlook Folder¶

• Trigger Condition: Creation of a file with .rdp extension in the Outlook folder.

• ATT&CK Category: Initial Access, Lateral Movement

• ATT&CK Tag: Remote Desktop Protocol, Spearphishing Attachment

• ATT&CK ID: T1021.001, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Create" label="File" file="*.rdp" path IN ["*\AppData\Local\Packages\Microsoft.Outlook_*", "*\AppData\Local\Microsoft\Olk\Attachments\*"] OR (path="*\AppData\Local\Microsoft\Windows\*" path="*\Content.Outlook\*")
  

LP_File Creation with RTLO Character for Filename Obfuscation¶

• Trigger Condition: Creation of a file with a filename having the Right-to-Left Override (RLO) characters, such as U+202E. This disguises malicious extensions like .exe or .msc as legitimate document formats.

• ATT&CK Category: Initial Access, Defense Evasion

• ATT&CK Tag: Right-to-Left Override, Spearphishing Attachment

• ATT&CK ID: T1036.002, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Create" label="File" target_file IN ["*\u202e*", "*???*"] target_file IN ["*fdp.*", "*xcod.*", "*cod.*", "*xtpp.*", "*xslx.*", "*slx.*", "*ftr.*", "*tdo.*", "*lmth.*"]
  

LP_Suspicious AutoIt Execution¶

• Trigger Condition: Execution of a suspicious AutoIt in a suspicious context. Adversaries leverage AutoIt for automation and payload delivery due to its flexibility and ability to evade detection.

• ATT&CK Category: Execution

• ATT&CK Tag: AutoHotKey & AutoIT

• ATT&CK ID: T1059.010

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label="Create" label="Process" "process"="*\Autoit*.exe" OR file="AutoIt*.exe" -"process" IN ["*:\Program Files (x86)\AutoIt*\", "*:\Program Files\AutoIt*\"]
  

LP_CVE-2024-38112 Exploitation Detected¶

• Trigger Condition: Manipulation of events with svchost.exe process to spawn iexplore.exe process that dropped an .hta file.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  [label="Process" label=Create parent_process="*\svchost.exe" "process"="*\iexplore.exe" process_guid=*] as s1 followed by [norm_id=WindowsSysmon event_id=11 "process"="*\iexplore.exe" file="*.hta*"] as s2 within 1 minute on s1.process_guid=s2.process_guid | rename s1.process as "process", s1.host as host, s1.parent_process as parent_process, s1.user as user, s2.path as path, s2.file as file
  

LP_Certipy Tool Execution for AD CS Abuse¶

• Trigger Condition: Execution of Certipy, a hacktool commonly used for Active Directory Certificate (AD CS) abuse. Adversaries may use this tool to steal or forge certificates used for authentication to access remote systems or resources. False positives for this alert rule are unknown.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Steal or Forge Authentication Certificates

• ATT&CK ID: T1649

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label="Process" label=Create ("process"="*\Certipy.exe" OR file="Certipy.exe" OR description="*Certipy*") OR (command IN ["* auth *", "* find *", "* forge *", "* relay *", "* req *", "* shadow *"] command IN ["* -bloodhound*", "* -ca-pfx *", "* -dc-ip *", "* -kirbi*", "* -old-bloodhound*", "* -pfx *", "* -target*", "* -username *", "* -vulnerable*", "*auth -pfx*", "*shadow auto*", "*shadow list*"])
  

LP_Certify Tool Execution for AD CS Abuse¶

• Trigger Condition: Execution of Certify, a hacktool commonly used for Active Directory Certificate abuse. Adversaries may use this tool to steal or forge certificates used for authentication to access remote systems or resources.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Steal or Forge Authentication Certificates

• ATT&CK ID: T1649

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label="Process" label=Create ("process"="*\Certify.exe" OR file="Certify.exe" OR description="*Certify*") OR (command IN ["*.exe cas *", "*.exe find *", "*.exe pkiobjects *", "*.exe request *", "*.exe download *"] command IN ["* /vulnerable*", "* /template:*", "* /altname:*", "* /domain:*", "* /path:*", "* /ca:*"])
  

LP_Password Dumper Activity on LSASS¶

• Trigger Condition: Process handle on the LSASS process with a specific access mask and SAM_DOMAIN object type. Tools like Mimikatz create a process handle on the LSASS process with an elevated access mask for dumping purposes. This alert detects Mimikatz lsadump attempts.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSA Secrets

• ATT&CK ID: T1003.004

• Minimum Log Source Requirement: Windows

• Query:

  norm_id=WinServer event_id IN [4656,4663] "process"="*\lsass.exe" access="0x705" object_type="SAM_DOMAIN"
  

LP_Disabling of UAC Detected¶

• Trigger Condition: Disabling of User Access Control (UAC) in the endpoint. Adversaries may disable UAC to execute code directly with high integrity.

• ATT&CK Category: Privilege Escalation, Defense Evasion

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="*EnableLUA*" detail="DWORD (0x00000000)"
  

LP_Behavior Related to Named Pipe Impersonation¶

• Trigger Condition: Suspicious events related to named pipe impersonation are detected, such as creating a named pipe, creating a service with a named pipe, and using a named pipe in the command line. Adversaries use named pipe impersonation for privilege escalation and to evade defense.

• ATT&CK Category: Privilege Escalation, Defense Evasion

• ATT&CK Tag: Access Token Manipulation

• ATT&CK ID: T1134

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  ((label=Registry label=Set label=Value target_object="*HKLM\System\CurrentControlSet\Services\*\ImagePath*" detail="*\\.\pipe\*") OR (label=Service label=Install path="*\\.\pipe*") OR (label="Process" label=Create user=System "process" IN ["*\cmd.exe","*\powershell.exe"] command="*\\.\pipe*"))
  

LP_Usage of Ngrok Utility Detected¶

• Trigger Condition: Execution of the Ngrok utility. Ngrok allows users to expose local servers behind NATs and firewalls to the public Internet over secure tunnels. Threat actors often use Ngrok to expose internal services to the Internet, like making RDP publicly accessible.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Protocol Tunneling

• ATT&CK ID: T1572

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create (("process"="*\ngrok.exe" command IN ["* tcp *", "* http *", "* authtoken *"])OR (command="* start *" command="*--all*" command="*.yml*" command="*--config*") OR (command IN ["* tcp 139*", "* tcp 445*", "* tcp 3389*", "* tcp 5985*", "* tcp 5986*"]))
  

LP_Chrome Addition of VPN Extension¶

• Trigger Condition: Addition of well-known VPN extensions in Chrome. Adversaries may initially leverage external-facing remote services such as VPNs and Citrix to access or persist within a network.

• ATT&CK Category: Initial Access, Persistence

• ATT&CK Tag: External Remote Services

• ATT&CK ID: T1133

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Registry" label="Set" target_object="*Software\Wow6432Node\Google\Chrome\Extensions*" target_object IN CHROME_VPN_EXTENSIONS target_object="*update_url"
  

LP_Outlook Security Settings Change¶

• Trigger Condition: Modification to Outlook configuration through creating a security registry key. Changes to configuration can allow adversaries to run macros covertly without notifying users.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Registry" label="Value" label="Set" target_object="*\Outlook\Security\Level*" detail="DWORD (0x00000001)"
  

LP_Suspicious Certutil Command Detected¶

• Trigger Condition: Suspicious Certutil utility execution with parameters like decode or urlcache, which adversaries can use to download payloads from remote locations or encode/decode base64 obfuscated payloads.

• ATT&CK Category: Defense Evasion, Command and Control

• ATT&CK Tag: Ingress Tool Transfer, Deobfuscate/Decode Files or Information

• ATT&CK ID: T1105, T1140

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\certutil.exe" OR file="CertUtil.exe") command IN ["* -decode *", "* /decode *", "* -decodehex *", "* /decodehex *", "* -urlcache *", "* /urlcache *", "* -verifyctl *", "* /verifyctl *", "* -encode *", "* /encode *","* /exportPFX *","* -exportPFX *" ]
  

LP_Unsigned DLLs loaded by RunDLL32 or RegSvr32¶

• Trigger Condition: Injection of unsigned dynamic-link library (DLL), a common tactic attackers use to execute arbitrary code on Windows systems. Adversaries often leverage Windows builtin tools like RunDLL32 or RegSvr32 to execute the malicious code through unsigned or untrusted DLLs.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Regsvr32, Rundll32

• ATT&CK ID: T1218.010, T1218.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=Image label=Load "process" IN ["*\regsvr32.exe", "*\rundll32.exe"] ( -is_signed="true" OR status IN ["errorChaining", "errorCode_endpoint*", "errorExpired", "trusted"] )
  

LP_Terminal Service Configuration Modified¶

• Trigger Condition: Modifying settings related to terminal services. Adversaries can use this technique to bypass authentication requirements or bypass security settings.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label="Registry" label=Set target_object IN ["*Software\Microsoft\Terminal Server Client*", "*Software\Policies\Microsoft\Windows NT\Terminal Services\"] target_object IN ["*AuthenticationLevelOverride*","*DisableRemoteDesktopAntiAlias*", "*DisableSeucirtySettings*"]) OR (label="Process" label=Create "process"="*\reg.exe" command="*add*" command IN ["*Software\Microsoft\Terminal Server Client*", "*Software\Policies\Microsoft\Windows NT\Terminal Services\"] command IN ["*AuthenticationLevelOverride*","*DisableRemoteDesktopAntiAlias*", "*DisableSeucirtySettings*"])
  

LP_System Service Reconnaissance through WMI¶

• Trigger Condition: Usage of WMI for service reconnaissance is detected. Adversaries might use WMI to check if a specific service is running on a host to gather reconnaissance information, identify potential vulnerabilities, plan further actions and maintain persistence within the target network.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: System Service Discovery, Windows Management Instrumentation

• ATT&CK ID: T1007, T1047

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*service*" -command IN ["*assoc*", "*call*", "*create* ", "*delete*"]
  

LP_Process Reconnaissance through WMI¶

• Trigger Condition: Usage of WMI for listing processes running on the compromised host. Adversaries might use WMI to list all the running processes on the host to bypass security measures.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: Windows Management Instrumentation, System Service Discovery

• ATT&CK ID: T1047, T1007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create("process"="*\wmic.exe" OR file="wmic.exe") command="*process*" -command IN ["*assoc*", "*call*", "*create* ", "*delete*"]
  

LP_Process Created through WMI¶

• Trigger Condition: Usage of WMI to spawn new processes either on local or remote hosts. Adversaries use WMI to spawn new processes because it provides them with a stealthy, persistent and flexible means of executing malicious code, bypassing security controls and maintaining control over compromised systems.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*process*" command="*call*" command="*create*"
  

LP_Local Users Reconnaissance through WMI¶

• Trigger Condition: Usage of Windows Management Instrumentation (WMI) to list all local user accounts. Adversaries might use WMI to list all local user accounts rather than a straightforward command like net user for defense evasion.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: Windows Management Instrumentation, Local Account

• ATT&CK ID: T1047, T1087.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*useraccount*"
  

LP_Installed Software Updates Reconnaissance through WMI¶

• Trigger Condition: Usage of Windows Management Instrumentation (WMI) to list installed software hotfixes and patches. Adversaries might use WMI to gather information about target systems, identify vulnerabilities and plan attack strategies.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: Windows Management Instrumentation, Software Discovery

• ATT&CK ID: T1047, T1518

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*qfe*"
  

LP_Application uninstall via WMIC¶

• Trigger Condition: Uninstallation of applications on a system using the Windows Management Instrumentation Command-line (WMIC) tool is detected. This uninstallation method is commonly observed in Advanced Persistent Threat (APT) activities, where adversaries aim to remove security products installed on target systems to evade detection and maintain persistence.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Windows Management Instrumentation, Disable or Modify Tools

• ATT&CK ID: T1047, T1562.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\wmic.exe" OR file="wmic.exe") command="*product*" command="*call*" command="*uninstall*"
  

LP_AppInit DLLs Detected¶

• Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, AppInit DLLs

• ATT&CK ID: T1546, T1546.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" or target_object="*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*") -user IN EXCLUDED_USERS
  

LP_High Severity EPP Alert¶

• Trigger Condition: High or critical severity alert generated by any endpoint protection platform like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision

• Query:

  norm_id=* device_category=EPP risk_level IN [ "High", "Critical"]
  

LP_Host Generating Multiple Medium Severity EPP Alert¶

• Trigger Condition: Multiple medium severity alerts generated by endpoint protection platforms like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision

• Query:

  norm_id=* device_category=EPP risk_level="Medium" | chart distinct_count(detection_id) as DC by host_id | search DC > 1
  

LP_Host Generating Multiple High Severity EPP Alert¶

• Trigger Condition: Multiple high or critical severity alerts generated by endpoint protection platforms like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision

• Query:

  norm_id=* device_category=EPP risk_level IN ["high","criticial"] | chart distinct_count(detection_id) as DC by host_id | search DC > 1
  

LP_Medium Severity EPP Alert¶

• Trigger Condition: Medium severity alert generated by any endpoint protection platform like Crowdstrike and Microsoft Defender for Endpoint.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision

• Query:

  norm_id=* device_category="EPP" risk_level="Medium"
  

LP_Windows Service Stop or Delete¶

• Trigger Condition: Windows service or process being stopped, deleted or disabled via system binaries is detected. sc.exe, net.exe and net1.exe are Microsoft Windows system internal binaries that adversaries can use to stop or delete services and processes to render those services unavailable to legitimate users or to avoid hindrances in their attack chain.

• ATT&CK Category: Impact

• ATT&CK Tag: Service Stop

• ATT&CK ID: T1489

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create ("process" IN ["*\sc.exe", "*\net.exe", "*\net1.exe"] command="*stop*") OR ("process"="*\sc.exe" command IN ["*delete*", "*disabled*"]) -user IN EXCLUDED_USERS
  

LP_Suspicious Hack Tools Execution¶

• Trigger Condition: Execution of different Windows-based hack tools via their import hash (imphash) is detected, even if the files have been renamed. The MALICIOUS_TOOLS_IMPHASH list must be imported before activating this alert.

• ATT&CK Category: Credential Access, Resource Development

• ATT&CK Tag: OS Credential Dumping, Tool

• ATT&CK ID: T1003, T1588.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 hash_import IN MALICIOUS_TOOLS_IMPHASH
  

LP_Suspicious Execution of XORDump Utility for LSASS Memory Dump¶

• Trigger Condition: Suspicious execution of XORDump Utility, commonly used for LSASS Memory Dump, is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create "process"="*\xordump.exe" OR command IN ["* -process lsass.exe *", "* -m comsvcs *", "* -m dbghelp *", "* -m dbgcore *"]
  

LP_Suspicious Execution of Createdump Utility for Memory Dump¶

• Trigger Condition: Usage of the createdump.exe LOLOBIN utility to dump process memory is detected. Adversaries often seek to dump the lsass.exe process memory because it contains sensitive information, such as user credentials and authentication tokens.

• ATT&CK Category: Credential Access, Defense Evasion

• ATT&CK Tag: LSASS Memory, Masquerading

• ATT&CK ID: T1003.001, T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create "process"="*\createdump.exe" OR file="FX_VER_INTERNALNAME_STR'" command IN ["* -u *", "* -full *", "* -f *", "* --name *", "*.dmp*"]
  

LP_Suspicious DsInternals Get-ADReplAccount Activities¶

• Trigger Condition: Suspicious activities related to Get-ADReplAccount from the DSInternals PowerShell Module are detected. Adversaries may use this tool to maliciously access Domain Controllers’ credentials. For event id 4104, Powershell Script Block logging is required.

• ATT&CK Category: Credential Access

• ATT&CK Tag: DCSync

• ATT&CK ID: T1003.006

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label="process" label=create command="*Get-ADReplAccount*" command="*-All*" command="*Server*") OR (norm_id=WinServer event_id=4104 script_block="*Get-ADReplAccount*" script_block="*-All*" script_block="*Server*")
  

LP_Suspicious Activities Associated with NTDS Exfiltration¶

• Trigger Condition: Suspicious activities related to the Active Directory Domain Database (ntds.dit) are detected. Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information and obtain information about domain members, such as devices, users and access rights.

• ATT&CK Category: Credential Access

• ATT&CK Tag: NTDS

• ATT&CK ID: T1003.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create ("process" IN ["*\NTDSDump.exe", "*\NTDSDumpEx.exe"]) OR (command="*ntds.dit*" command="*system.hive*") OR (command="*NTDSgrab.ps1*") OR (command="*ac i ntds*" command="*create full*") OR (command="*/c copy*" command="*\windows\ntds\ntds.dit*") OR (command="*activate instance ntds*" command="*create full*") OR (command="*powershell*" command="*ntds.dit*") OR (command="*ntds.dit*" (parent_process IN ["*\apache*", "*\tomcat*", "*\AppData*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*"] OR "process" IN ["*\apache*", "*\tomcat*", "*\AppData*", "*\Temp\*", "*\Public\*", "*\PerfLogs\*"]))
  

LP_Possible LSASS Memory Dump Via Windows Task Manager¶

• Trigger Condition: Creation of a lsass.dmp file by the taskmgr process is detected. Adversaries often seek to dump the lsass.exe process memory because it contains sensitive information, such as user credentials and authentication tokens.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=11 "process"="*\taskmgr.exe" path="*\Appdata\local\*" file="lsass*.dmp"
  

LP_Possible LSASS Dump Via SilentProcessExit Technique¶

• Trigger Condition: Dumping of a possible LSASS via the SilentProcessExit Technique is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id IN [12,13,14] target_object="*Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe*"
  

LP_NTDS or SAM Database Copy Operation¶

• Trigger Condition: Copy operation of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files is detected. Adversaries may attempt to access or create a copy of the Active Directory domain database or SAM database to steal credential information and obtain other information about domain members, such as devices, users and access rights.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, Security Account Manager, NTDS

• ATT&CK ID: T1003, T1003.002, T1003.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="process" label=create (command IN ["*copy*", "*xcopy*", "*Copy-Item*", "*move*", "*cp*", "*mv*"] OR "process"="*\esentutl.exe" command IN ["*/y*", "*/vss*", "*/d*"]) command IN ["*\\NTDS.dit", "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*", "*\\SYSTEM*", "*\\SECURITY*", "*C:\\tmp\\log*", "**\\config\\SAM","*/system32/config/SAM*"]
  

LP_Microsoft IIS Service Account Password Dumped¶

• Trigger Condition: Execution of Information Services (IIS) command-line tool AppCmd to list passwords is detected. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process"="*\appcmd.exe" or file=appcmd.exe) command="*list *" (command IN ["* /config*", "* /xml*", "* -config*", "* -xml*"]) OR (command IN ["* /@t'*", "* /text*", "* /show*", "* -@t'*", "* -text*", "* -show*", "*password*", "*:\*"])
  

LP_Dumpert Process Dumper Execution¶

• Trigger Condition: Dumping of a possible credential via a tool called NPPSpy is detected. NPPSpy is a Network Provider/Credential Manager DLL that extracts credentials and stores them in plain text. This alert monitors file creation, registry manipulation and process creation events that indicate a potential credential dump via NPPSpy.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 hash_import="09D278F9DE118EF09163C6140255C690" or command="*Dumpert.dll*"
  

LP_Credential Dump Via NPPSpy¶

• Trigger Condition: Dumping of a possible credential via a tool called NPPSpy is detected. NPPSpy is a Network Provider/Credential Manager DLL that extracts credentials and stores them in plain text. This alert monitors file creation, registry manipulation and process creation events that indicate a potential credential dump via NPPSpy.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label=Registry label=Set target_object IN ["*\System\CurrentControlSet\Services\*", "*CurrentControlSet\Control\*" ] target_object="*\NetworkProvider*" -(target_object IN ["*\System\CurrentControlSet\Services\WebClient\NetworkProvider*", "*\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider*", "*\System\CurrentControlSet\Services\RDPNP\NetworkProvider*"] OR "process"="C:\Windows\System32\poqexec.exe")) OR (label=file label=create file IN ["NPPSpy.txt", "NPPSpy.dll"]) OR (label="process" label=create command="*\System\CurrentControlSet\Services\*" command="*\NetworkProvider*" )
  

LP_Malicious PowerShell Commandlets Detected¶

• Trigger Condition: Execution of malicious PowerShell commandlets.

• ATT&CK Category: Execution

• ATT&CK Tag: PowerShell

• ATT&CK ID: T1059.001

• Minimum Log Source Requirement: PowerShell, Windows

• Query:

  event_source="Microsoft-Windows-PowerShell" ((event_id="4103" command IN MALICIOUS_POWERSHELL_COMMANDLET_NAMES -command="*Get-SystemDriveInfo*") OR (event_id="4104" script_block IN MALICIOUS_POWERSHELL_COMMANDLET_NAMES -script_block="*Get-SystemDriveInfo*" ))
  

LP_Suspicious Base64 Encoded PowerShell Command¶

• Trigger Condition: Execution of suspicious base64 encoded commands via PowerShell.

• ATT&CK Category: Execution

• ATT&CK Tag: PowerShell

• ATT&CK ID: T1059.001

• Minimum Log Source Requirement: PowerShell, Windows, Windows Sysmon

• Query:

  label="Process" label=Create ("process" IN ["*\powershell.exe", "\*pwsh.exe"] OR file IN ["PowerShell.EXE", "pwsh.dll"]) command IN ["* hidden *", "*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", "*aXRzYWRtaW4gL3RyYW5zZmVy*", "*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", "*JpdHNhZG1pbiAvdHJhbnNmZX*", "*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", "*Yml0c2FkbWluIC90cmFuc2Zlc*", "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*", "*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*", "*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", "*lPLkNvbXByZXNzaW9u*", "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*", "*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*", "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*", "*lPLk1lbW9yeVN0cmVhb*", "*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*", "*Ty5NZW1vcnlTdHJlYW*", "*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*", "*AEcAZQB0AEMAaAB1AG4Aaw*", "*LgBHAGUAdABDAGgAdQBuAGsA*", "*LkdldENodW5r*", "*R2V0Q2h1bm*", "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", "*RIUkVBRF9JTkZPNj*", "*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*", "*VEhSRUFEX0lORk82N*", "*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*", "*cmVhdGVSZW1vdGVUaHJlYW*", "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*", "*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*", "*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*", "*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*", "*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*"]
  

LP_Code Execution Via Diskshadow Detected¶

• Trigger Condition: Usage of diskshadow binary to execute code from a file is detected. Adversaries can use diskshadow with -s or /s tag to execute a command from a file and bypass detection.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\diskshadow.exe" command IN ["*/s *", "*-s *"]
  

LP_Image Mount Indicator in Recent Files¶

• Trigger Condition: Recent element files pointing to .iso, .img, .vhd or .vhdx files are detected. These image files are used in phishing attacks to deliver malware and circumvent the Mark of the Web (MotW) in Windows to execute malicious commands. It is a false positive on server systems, but on workstations, users rarely mount .iso or .img files.

• ATT&CK Category: Initial Access, Defense Evasion

• ATT&CK Tag: Mark-of-the-Web Bypass, Spearphishing Attachment

• ATT&CK ID: T1553.005, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id="WindowsSysmon" event_id=11 path="*\Microsoft\Windows\Recent\*" file IN ["*.iso.lnk", "*.img.lnk", "*.vhd.lnk", "*.vhdx.lnk"]
  

LP_Disk Image File Created¶

• Trigger Condition: Image files with extensions like .iso, .vhd, and .vhdx are downloaded from the internet into a user’s download or temporary folder. Adversaries often deliver their malware payloads through a .iso file format to bypass the Mark of the Web (MotW) in Windows and execute their payload successfully.

• ATT&CK Category: Initial Access, Defense Evasion

• ATT&CK Tag: Mark-of-the-Web Bypass, Spearphishing Attachment

• ATT&CK ID: T1553.005, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id="WindowsSysmon" event_id=11 (path="*Users*" path="*Downloads*") OR (path="*Appdata*") file IN ["*.iso", "*.vhd", "*.vhdx", "*.img"]
  

LP_PowerShell Execution via DLL Detected¶

• Trigger Condition: Execution of PowerShell via DLL instead of powershell.exe is detected. Powershell is a command-line shell used in Windows. Adversaries can execute PowerShell for malicious activities even if powershell.exe is blocked and no strict application whitelisting is implemented.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: PowerShell, Rundll32

• ATT&CK ID: T1059.001, T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create ("process" IN ["*\rundll32.exe","*\regsvcs.exe","*\InstallUtil.exe","\regasm.exe"] OR file in ["RUNDLL32.EXE","RegSvcs.exe","InstallUtil.exe","RegAsm.exe"]) command IN ["*Default.GetString*","*FromBase64String*","*Invoke-Expression*","*IEX *","*Invoke-Command*","*ICM *","*DownloadString*"]
  

LP_Suspicious Windows Defender Registry keys Modification¶

• Trigger Condition: Changes in the Windows Defender registry settings to disable Windows Defender functionalities. Adversaries try to alter Windows Defender-associated registries to disable protection and detection features.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Disable or Modify Tools

• ATT&CK ID: T1562.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=registry label=set  target_object IN ["*\SOFTWARE\Microsoft\Windows Defender*",    "*\SOFTWARE\Policies\Microsoft\Windows Defender*"]  (  detail="DWORD (0x00000001)"   target_object IN ["*\DisableAntiSpyware", "*\DisableAntiVirus", "*\DisableBehaviorMonitoring",  "*\DisableIntrusionPreventionSystem",   "*\DisableIOAVProtection",  "*\DisableOnAccessProtection",   "*\DisableRealtimeMonitoring",  "*\DisableScanOnRealtimeEnable",   "*\DisableScriptScanning",  "*\DisableEnhancedNotifications",   "*\DisableBlockAtFirstSeen"]  )  OR  (  detail="DWORD (0x00000000)"  target_object IN ["*\App and Browser protection\DisallowExploitProtectionOverride",  "*\Features\TamperProtection", "*\MpEngine\MpEnablePus", "*\PUAProtection",   "*\Signature Update\ForceUpdateFromMU", "*\SpyNet\SpynetReporting",   "*\SpyNet\SubmitSamplesConsent",   "*\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess"]  )
  

LP_Executable Files Created and Executed by Office Applications¶

• Trigger Condition: Executable file dropped or modified via office applications and executed within a specific time range.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  [norm_id=WindowsSysmon event_id=11 "process" IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.EXE", "*\MSACCESS.EXE"] file IN ["*.exe", "*.com","*bat","*.cmd"]] as s1 followed by  [norm_id=WindowsSysmon event_id=1] as s2 within 2 minute on s1.path=s2.path and s1.file=s2.file  | rename s1.host as host, s1.user as user, s1.domain as domain, s1.process as "process",  s1.file as file, s1.path as path
  

LP_WMI Backdoor in Exchange Transport Agent¶

• Trigger Condition: A WMI backdoor in Exchange Transport Agents (ETA) via WMI event filters is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation Event Subscription

• ATT&CK ID: T1546, T1546.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create (parent_process="*\EdgeTransport.exe" -("process"="C:\Windows\System32\conhost.exe" OR ("process"="C:\Program Files\Microsoft\Exchange Server\*" "process"="*\Bin\OleConverter.exe"))) -user IN EXCLUDED_USERS
  

LP_Suspicious Msiexec Usage Detected¶

• Trigger Condition: A .msi file executed from the publicly writable folder, and a command prompt or powershell spawned by msiexec. Adversaries can use this technique to execute their payload by evading defence.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Msiexec

• ATT&CK ID: T1218.007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create(("process"="*\msiexec.exe" (command IN ["*C:\Users*","*\ProgramData*", "*\AppData\Local*", "*\AppData\Roaming*", "*\Users\Public*"] command="*msi*") OR (command ="*://*") OR (command IN ["*/i*", "*-i*"] ((command IN ["*/q*", "*/quiet*", "*/qn*", "*-q*", "*-quiet*", "*-qn*"]) OR (command IN ["*-Q-I*", "*-I-Q*", "*/q-i*", "*-q/i*", "*/q/i*" ])) -(parent_image="*setup*") -integrity_level=SYSTEM) OR ("process"="*/msiexec.exe" command="*http*") OR (-"process" IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C:\Windows\WinSxS\*"]) ) OR ("parent_process"="*\msiexec.exe" "process" IN ["*\cmd.exe","*\powershell.exe","*\icacls.exe","*\expand.exe", "*\rundll32.exe", "*\pwsh.exe"]))
  

LP_Suspicious Usage of Advanced IP Scanner¶

• Trigger Condition: Suspicious usage of Advanced IP Scanner is detected.

• ATT&CK Category: Reconnaissance, Discovery

• ATT&CK Tag: Network Service Discovery, Network Share Discovery, Gather Victim Network Information

• ATT&CK ID: T1046, T1135, T1590

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create (("process"="*\advanced_ip_scanner*" OR file="*advanced_ip_scanner*") OR (description="*Advanced IP Scanner*") OR (command="*/portable*" command="*/lng*"))
  

LP_Persistence through Port Monitor Registry modification¶

• Trigger Condition: A new entry in the printer monitor registry is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors

• ATT&CK ID: T1547, T1547.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=13 target_object="HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\*" detail="*.dll" -(("process"="C:\Windows\System32\spoolsv.exe" target_object="*\System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver*" detail="cpwmon64_v40.dll"user IN ["*AUTHORI*", "*AUTORI*"]) OR (target_object="*Control\Print\Monitors\MONVNC\Driver*") OR (target_object="*Control\Print\Environments\*"target_object="*\Drivers\*" target_object="*\VNC Printer*"))
  

LP_File Dropped in Suspicious Location¶

• Trigger Condition: Dropping a file in a suspicious system location is detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Ingress Tool Transfer

• ATT&CK ID: T1105

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=11 path IN ["C:\ProgramData*", "*\AppData\Local*", "*\AppData\Roaming*", "C:\Users\Public*"] -"process" IN ["*\Microsoft Visual Studio\Installer\*\BackgroundDownload.exe", "C:\Windows\system32\cleanmgr.exe", "*\Microsoft\Windows Defender\*\MsMpEng.exe", "C:\Windows\SysWOW64\OneDriveSetup.exe", "*\AppData\Local\Microsoft\OneDrive*", "*\Microsoft\Windows Defender\platform\*\MpCmdRun.exe", "*\AppData\Local\Temp\mpam-*.exe"] -file IN ["vs_setup_bootstrapper.exe", "DismHost.exe","*_PSScriptPolicyTest*.ps1"]
  

LP_Alternate PowerShell Hosts via Powershell Module¶

• Trigger Condition: Alternate PowerShell host trying to bypass detections based on powershell.exe. Adversaries can use this technique to potentially bypass detections looking for powershell.exe. They can use it to discover information or execute malicious code.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

  norm_id="WinServer" event_source="Microsoft-Windows-PowerShell" event_id=4103 -(host_application IN ["*powershell*", "*C:\Windows\System32\WindowsPowerShell\v1.0\powershell*", "*C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell*", "*C:/Windows/System32/WindowsPowerShell/v1.0/powershell*", "*C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell*", "*C:\WINDOWS\System32\sdiagnhost.exe -Embedding*", "*ConfigSyncRun.exe*", "*C:\Windows\system32\dsac.exe*", "*C:\Windows\system32\wsmprovhost.exe -Embedding*"] OR payload IN ["*Update-Help*", "*Failed to update Help for the module*"])
  

LP_Suspicious Usage of Where Binary¶

• Trigger Condition: An enumeration attempt on browser bookmarks to learn more about compromised hosts is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Browser Bookmark Discovery

• ATT&CK ID: T1217

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Process" label=Create "process"="*\where.exe" command in ["*places.sqlite*","*cookies.sqlite*",  "*formhistory.sqlite*", "*logins.json*",  "*key4.db*","*key3.db*",  "*sessionstore.jsonlz4*", "*History*", "*Bookmarks*", "*Cookies*", "*Login Data*" ]
  

LP_MSHTA - Activity Detected¶

• Trigger Condition: Network connection events initiated by mshta.exe are detected. Adversaries abuse mshta.exe for proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=3 (command="*mshta.exe" or parent_command="*mshta.exe") -user IN EXCLUDED_USERS
  

LP_Alternate PowerShell Hosts via Named Pipe¶

• Trigger Condition: Alternate Command and Scripting Interpreter and PowerShell hosts are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=17 pipe="\PSHost*" source_image=* -source_image IN ["*\powershell.exe", "*\powershell_ise.exe", "*\WINDOWS\System32\sdiagnhost.exe", "*\WINDOWS\System32\wsmprovhost.exe", "*\Windows\system32\dsac.exe", "*\Windows\system32\wbem\wmiprvse.exe", "*\ForefrontActiveDirectoryConnector.exe", "*c:\windows\system32\inetsrv\w3wp.exe", "C:\Program Files\Citrix\*", "C:\Program Files\Microsoft\Exchange Server\*", "C:\Windows\system32\ServerManager.exe", "C:\Program Files\PowerShell\7\pwsh.exe", "*:\Program Files*\Microsoft SQL Server\*\Tools\Binn\SQLPS.exe"]
  

LP_Suspicious File Execution Using Wcript or Cscript¶

• Trigger Condition: Process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers is detected. An adversary may attempt to block indicators or events captured by sensors from being gathered and analyzed.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking

• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label="Process" label=Create ("process"="*\fltmc.exe" OR command="*fltmc*unload*") -user IN EXCLUDED_USERS
  

LP_Suspicious Child Process Spawned by Microsoft Office Product¶

• Trigger Condition: Suspicious child process spawned by Microsoft Office Products such as Excel, Powerpoint, Onenote or Visio are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Windows Command Shell, Malicious File

• ATT&CK ID: T1059, T1059.001, T1059.003, T1204.002

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label="Process" label=Create parent_process IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe", "*\mspub.exe", "*\visio.exe", "*\outlook.exe","*\msaccess.exe","*\eqnedt32.exe", "*\onenote.exe","*\wordview.exe", "*\onenoteim.exe"] ("process" IN ["*\appvlp.exe","*\bash.exe","*\bitsadmin.exe","*\certoc.exe","*\certutil.exe","*\cmd.exe","*\cmstp.exe","*\control.exe","*\cscript.exe","*\curl.exe","*\forfiles.exe","*\hh.exe","*\ieexec.exe","*\installutil.exe","*\javaw.exe","*\mftrace.exe","*\microsoft.workflow.compiler.exe","*\msbuild.exe","*\msdt.exe","*\mshta.exe","*\msidb.exe","*\msiexec.exe","*\msxsl.exe","*\odbcconf.exe","*\pcalua.exe","*\powershell.exe","*\pwsh.exe","*\regasm.exe","*\regsvcs.exe","*\regsvr32.exe","*\rundll32.exe","*\schtasks.exe","*\scrcons.exe","*\scriptrunner.exe","*\sh.exe","*\svchost.exe","*\verclsid.exe","*\wmic.exe","*\workfolders.exe","*\wscript.exe","*\appdata\*","*\users\public\*","*\programdata\*","*\windows\tasks\*","*\windows\temp\*","*\windows\system32\tasks\*"] OR file IN ["bitsadmin.exe","certoc.exe","certutil.exe","cmd.exe","cmstp.exe","cscript.exe","curl.exe","hh.exe","ieexec.exe","installutil.exe","javaw.exe","microsoft.workflow.compiler.exe","msdt.exe","mshta.exe","msiexec.exe","msxsl.exe","odbcconf.exe","pcalua.exe","powershell.exe","regasm.exe","regsvcs.exe","regsvr32.exe","rundll32.exe","schtasks.exe","scriptrunner.exe","wmic.exe","workfolders.exe","wscript.exe"])
  

LP_RClone Utility Execution¶

• Trigger Condition: Execution of the RClone tool or command line option used in the tool. Adversaries can utilize this utility to exfiltrate data to cloud storage.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Web Service, Exfiltration to Cloud Storage

• ATT&CK ID: T1567, T1567.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create (command="*--config *" command="*--no-check-certificate *" command="* copy *") OR (("process"="*\rclone.exe" OR description="Rsync for cloud storage") command IN ["*pass*","*user*","*copy*","*sync*","*config*","*lsd*","*remote*","*ls*","*mega*","*pcloud*","*ftp*","*ignore-existing*","*auto-confirm*","*transfers*","*multi-thread-streams*","*no-check-certificate *"])
  

LP_UAC Bypass via SDCLT¶

• Trigger Condition: Attempt to bypass User Account Control (UAC) via SDCLT.exe or modification to registry keys HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand and HKCU:\Software\Classes\Folder\shell\open\command indicating UAC bypass via registry key manipulation of sdclt.exe.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  (norm_id=WindowsSysmon event_id=1 parent_process="*\sdclt.exe" parent_command="*/kickoffelev*" integrity_level=High -"process" IN ["C:\Windows\SysWOW64\sdclt.exe", "C:\Windows\System32\sdclt.exe", "C:\Windows\SysWOW64\control.exe", "C:\Windows\System32\control.exe", "C:\Windows\System32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe", "C:\Windows\System32\wermgr.exe", "C:\Windows\SysWOW64\wermgr.exe"]) OR (norm_id=WindowsSysmon event_id="13" target_object IN ["*\Classes\exefile\shell\runas\command\isolatedCommand*", "*\Classes\Folder\shell\open\command*"])
  

LP_Suspicious Binary Execution in User Directory¶

• Trigger condition: Execution of binaries from the users directory by Microsoft Office software such as Word and Excel. This may indicate dropping and subsequent execution of payloads by malicious Microsoft Office documents.

• ATT&CK Category: Execution

• ATT&CK Tag: Malicious File

• ATT&CK ID: T1204.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\MSACCESS.exe", "*\EQNEDT32.exe","*\onenote.exe", "*\onenoteim.exe"] "process"="C:\Users\*.exe" -"process"="*\Microsoft\Teams\current\Teams.exe"
  

LP_Suspicious WMIC Child Process¶

• Trigger condition: Suspicious child process of WMIC is detected. Adversaries can utilize this technique to execute arbitrary commands, payloads, and evade defenses by using Windows internal binary.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process="*\wmic.exe" -"process" IN ["C:\Windows\System32\conhost.exe", "C:\Windows\system32\wbem\WMIC.exe", "C:\Windows\syswow64\wbem\WMIC.exe", "C:\Windows\system32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe"]
  

LP_Suspicious File Execution Using Wscript or Cscript¶

• Trigger condition: Execution of .jse, .vbe, .js and .vba file extensions using wscript or cscript. Adversaries can write malicious payloads in files with these extensions, execute them using wscript or cscript, and bypass detection.

• ATT&CK Category: Execution

• ATT&CK Tag: Visual Basic, JavaScript

• ATT&CK ID: T1059.005, T1059.007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Create" label="Process" "process" IN ["*\wscript.exe", "*\cscript.exe"] command IN ["*.jse*", "*.vbe*", "*.js*", "*.vba*","*.vbs*","*.wsf*"] command IN ["*C:\Users*","*\AppData\Local\*", "*\ProgramData\*","*\Temp\*"] -parent_process = "*\winzip*" -command="*.json*"
  

LP_BCDEdit Safe Mode Command Execution¶

• Trigger condition: Spawning of Boot Configuration Data Edit (BCDEdit) from suspicious processes, to configure a reboot into safe mode.

• ATT&CK Category: Impact

• ATT&CK Tag: Inhibit System Recovery

• ATT&CK ID: T1490

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\bcdedit.exe" command IN ["*minimal*", "*network*", "*safebootalternateshell*", "*delete*", "*import*", "*safeboot*"] parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.EXE", "*\MSACCESS.EXE", "*\MSPUB.EXE", "*\OUTLOOK.EXE", "*\fltldr.exe", "*\cscript.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe", "*\cmd.exe", "*\rundll32.exe", "*\regsvr32.exe", "*\mshta.exe", "*\msbuild.exe"]
  

LP_Suspicious Encoded PowerShell Command Line¶

• Trigger condition: Suspicious PowerShell base64 encoded command is detected. Adversaries can use this technique to evade defense mechanisms by encoding and decoding payload.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create command IN ["* -e JAB*", "* -e JAB*", "* -e JAB*", "* -e JAB*", "* -e JAB*", "* -e JAB*", "* -en JAB*", "* -enc JAB*", "* -enc* JAB*", "* -w hidden -e* JAB*", "* BA^J e-", "* -e SUVYI*", "* -e aWV4I*", "* -e SQBFAFgA*", "* -e aQBlAHgA*", "* -enc SUVYI*", "* -enc aWV4I*", "* -enc SQBFAFgA*", "* -enc aQBlAHgA*"] -command="* -ExecutionPolicy remotesigned *" -user IN EXCLUDED_USERS
  

LP_Persistence Attack through Accessibility Process Feature¶

• Trigger condition: Accessibility features used to execute a command prompt or other backdoors are detected.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Accessibility Features

• ATT&CK ID: T1546, T1546.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 user="SYSTEM" parent_process IN ["*\Utilman.exe","*\winlogon.exe"]  "process" IN ["*\osk.exe","*\Magnify.exe","*\Narrator.exe","*\sethc.exe","*\utilman.exe", "*\ATBroker.exe", "*\DisplaySwitch.exe"] -file IN ["osk.exe","sethc.exe","utilman2.exe","DisplaySwitch.exe","ATBroker.exe","ScreenMagnifier.exe","SR.exe","Narrator.exe","magnify.exe"]
  

LP_Firewall Rule Addition via Netsh Detected¶

• Trigger condition: A connection allowed by a port or application on the Windows firewall is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify System Firewall

• ATT&CK ID: T1562, T1562.004

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create command IN ["*netsh* firewall add*"] -user IN EXCLUDED_USERS
  

LP_MSHTA Spawned by SVCHOST Detected¶

• Trigger condition: Microsoft HTML Application Host (MSHTA) binary spawned by the Svchost process is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Mshta

• ATT&CK ID: T1218.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process="*\svchost.exe" "process"="*\mshta.exe" -user IN EXCLUDED_USERS
  

LP_Exploitation of CVE-2019-1388 Detected¶

• Trigger condition: An exploitation attempt of CVE-2019-1388 in which the UAC consent dialogue used to invoke a Windows process running as LOCAL_SYSTEM is detected. CVE-2019-1388 is an elevation of privilege vulnerability in the Windows Certificate Dialog.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Exploitation for Privilege Escalation

• ATT&CK ID: T1068

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create parent_process="*\consent.exe" "process"="*\iexplore.exe" command="* http*" (integrity_level="System" OR user IN ["SYSTEM","*AUTHORI*","*AUTORI*","*AUKTORI*"])
  

LP_Sophos EPP Registry Modification¶

• Trigger condition: Modifying Sophos EPP Tamper Protection registry keys to turn off services is detected. Sophos EPP Tamper Protection is the service offered by the EPP that constantly checks if a malware or adversary or rogue employee turns off the AV services to avoid detection.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=Registry label=Set label=value target_object IN ["*\CurrentControlSet\Services\Sophos Endpoint*\SEDEnabled", "*\CurrentControlSet\Services\Sophos Endpoint*\SAVEnabled "] detail="DWORD (0x00000000)"
  

LP_Office365 Inbox Rule with Special Characters Created¶

• Trigger condition: A new inbox rule created on Office365 with a suspicious name made of only special characters is detected.

• ATT&CK Category: Collection

• ATT&CK Tag: Email Forwarding Rule

• ATT&CK ID: T1114.003

• Minimum Log Source Requirement: Office365

• Query:

  norm_id=Office365 action="New-InboxRule" name=*| process regex("(?P<match>^[^a-zA-Z0-9]*$)", "name") | search match=*
  

LP_Suspicious WerFault Process Creation¶

• Trigger condition: A services.exe spawns werfault.exe process from non-default paths is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create  "process"="*\WerFault.exe" ("process"="C:\Windows\WinSxS\*" OR -"process" IN ["C:\Windows\System32\*","C:\Windows\SysWOW64\*"])
  

LP_Suspicious WerFault File Creation¶

• Trigger condition: A non-system process drops the WerFault.exe binary inside the C:\Windows\WinSxS\ folder is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=File label=Create  path="C:\Windows\WinSxS\*" file="WerFault.exe" -"process" IN ["C:\Windows\Systems32\*","C:\Windows\SysWOW64\*","*C:\Windows\WinSxS\*"]
  

LP_Snake Malware Covert Store Registry Key Detected¶

• Trigger condition: A registry operation for the key SECURITYPolicySecretsn is detected. Snake Malware utilizes the registry key to store the encryption key.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (norm_id=WindowsSysmon event_id IN [12,13,14]  target_object="*SECURITY\Policy\Secrets\n") OR (norm_id=Winserver event_id=4657 path="*SECURITY\Policy\Secrets\n")
  

LP_Suspicious WerFault Service Creation¶

• Trigger condition: A new service installed using the WerFault.exe file is detected. WerFault.exe is a system component that plays a crucial role in Windows operating systems. It manages system error reporting.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  norm_id=WinServer event_id IN [4697,7045] (file="WerFault.exe"  OR path="*WerFault.exe") (path="C:\Windows\WinSxS\*" OR -path IN ["C:\Windows\System32*","C:\Windows\SysWOW64*"])
  

LP_Suspicious Named Pipe Connection to Azure AD Connect Database¶

• Trigger condition: Named pipe connection to Azure AD Connect database from suspicious processes coming from command shells like PowerShell, which may indicate attackers attempting to dump plaintext credentials of AD and Azure AD connector account using tools such as AADInternals is detected.

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon label=Pipe label=Connect pipe="*\tsql\query" -image IN ["*\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe", "*\Tools\Binn\SqlCmd.exe"]
  

LP_Suspicious Driver Loaded¶

• Trigger condition: Misuse of known drivers by adversaries for malicious purposes is detected. The driver itself are not malicious but are misused by threat actors. For this alert to trigger SUSPICIOUS_DRIVER list is required.

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label=Image label=Load image IN SUSPICIOUS_DRIVER
  

LP_AADInternals PowerShell Cmdlet Execution¶

• Trigger condition: Execution of AADInternals commandlets is detected. AADInternals (S0677) toolkit is a PowerShell module containing tools for administering and hacking Azure AD and Office 365. Adversaries use AADInternals to extract the credentials from the system where the AAD Connect server was installed and compromise the AAD environment.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows, PowerShell

• Query:

  norm_id=WinServer event_source="Microsoft-Windows-PowerShell" event_id=4104 script_block IN AADINTERNALS_CMDLETS
  

LP_Suspicious Scheduled Task Creation via Masqueraded XML File¶

• Trigger condition: Creation of a suspicious scheduled task using an XML file with a masqueraded extension.

• ATT&CK Category: Persistence, Defense Evasion

• ATT&CK Tag: Masquerading, Match Legitimate Name or Location, Scheduled Task/Job and Scheduled Task

• ATT&CK ID: T1036, T1036.005, T1053 and T1053.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

  label=create label="process" "process"="*\schtasks.exe" command IN ["*/create*", "*-create*"] command IN ["*/xml*", "*-xml*"] (-integrity_level=system OR -integrity_label=*system*) -command = *.xml* ((-parent_process IN ["*:\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe", "*:\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe", "*:\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe", "*:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe", "*:\Program Files\Dell\SupportAssist\pcdrcui.exe" ] ) OR (-parent_process = "*\rundll32.exe" command = "*:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc" ))
  

LP_Suspicious Microsoft Equation Editor Child Process¶

• Trigger condition: Suspicious child process of Microsoft’s equation editor is detected as a sign of possible exploitation of CVE-2017-11882, a vulnerability in Microsoft Office’s Equation Editor component.

• ATT&CK Category: Execution

• ATT&CK Tag: Exploitation for Client Execution

• ATT&CK ID: T1203

• Minimum Log Source Requirement: Windows Sysmon, Windows

  label="Process" label=Create parent_process="*\EQNEDT32.exe" -"process" IN ["C:\Windows\System32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe"]
  

LP_Windows Error Process Masquerading¶

• Trigger condition: Suspicious Windows error reporting process behavior, where network connections are made after execution is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

  [norm_id=WindowsSysmon event_id=1 "process" IN ["*\WerMgr.exe", "*\WerFault.exe"]] as s1 followed by [norm_id=WindowsSysmon event_id=3 "process" IN ["*\WerMgr.exe", "*\WerFault.exe"]] as s2 within 1 minute on s1.process_guid=s2.process_guid | rename s1.host as host, s1.user as user, s1.domain as domain, s1.image as image, s2.destination_address as destination_address, s2.destination_port as destination_port
  

LP_Bypass UAC via CMSTP Detected¶

• Trigger condition: Child processes of automatically elevated Microsoft Connection Manager Profile Installer instances like cmstp.exe are detected.

• ATT&CK Category: Privilege Escalation, Defense Evasion

• ATT&CK Tag: CMSTP, Bypass User Account Control

• ATT&CK ID: T1218.003, T1548.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  ( (label="Process" label=Create "process"="*\cmstp.exe" command IN ["*/s*", "*/au*", "*/ni*", "*-s*", "*-au*", "*-ni*"]) OR (norm_id=WindowsSysmon event_id=1 parent_process="*\DllHost.exe" parent_command IN ["*/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*", "*/Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}*", "*/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}*", "*/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*", "*/Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}*"] integrity_level IN ["High", "System"])) -user IN EXCLUDED_USERS
  

LP_Application Whitelisting Bypass via Dxcap Detected¶

• Trigger condition: Adversaries bypass process and/or signature-based defenses by execution of Dxcap.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution

• ATT&CK ID: T1127

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label=Create "process"="*\dxcap.exe" command="*-c*" command="*.exe*" -user IN EXCLUDED_USERS
  

LP_Suspicious WMIC XSL Script Execution¶

• Trigger condition: Loading of a Windows Script module through WMIC by Microsoft Core XML Services (MSXML) process to bypass application whitelisting. Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: XSL Script Processing

• ATT&CK ID: T1220

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  [norm_id=WindowsSysmon event_id=1 file="wmic.exe" command IN ["* format*:*", "*/format*:*", "*-format*:*"] -command IN ["*format:list*", "*format:table*", "*format:htable", "*format:texttablewsys*", "*format:texttable*", "*format:textvaluelist*", "*format:TEXTVALUELIST*", "*format:csv*", "*format:value*"]] as s1 followed by [norm_id=WindowsSysmon event_id=7 image IN ["*\jscript.dll", "*\vbscript.dll"]] as s2 within 2 minute on s1.process_guid=s2.process_guid | rename s1.process as "process", s1.host as host, s1.domain as domain, s1.command as command, s2.image as loaded_image
  

LP_Suspicious File Execution via MSHTA¶

• Trigger condition: Execution of javascript or VBScript files and other abnormal extension files executed via mshta binary is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: JavaScript, Deobfuscate/Decode Files or Information, Mshta

• ATT&CK ID: T1059.007, T1140, T1218.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="Process" label="Create" "process"="*\mshta.exe" command IN ["*javascript*", "*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"]
  

LP_Regsvr32 Anomalous Activity Detected¶

• Trigger condition: Various anomalies concerning regsvr32.exe are detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

• ATT&CK ID: T1218, T1218.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  label="Process" label=Create ((("process"="*\regsvr32.exe" (command IN ["*\AppData\Local*", "*C:\Users\*", "*\Temp\*"] OR command="*\\*\*")) OR ("process"="*\regsvr32.exe" parent_process IN ["*\powershell.exe", "*\pwsh.exe", "*\powershell_ise.exe","*\cmd.exe"]) OR ("process"="*\regsvr32.exe" command="*/i:*" command="*http*" command="*scrobj.dll") OR ("process"="*\regsvr32.exe" command="*/i:*" command="*ftp*" command="*scrobj.dll") OR ("process" IN ["*\cscript.exe", "*\wscript.exe"] parent_process="*\regsvr32.exe") OR ("process"="*\EXCEL.EXE" command="*..\..\..\Windows\System32\regsvr32.exe *") OR (parent_process="*\mshta.exe" "process"="*\regsvr32.exe") OR ("process"="*\regsvr32.exe" command IN ["*\AppData\Local*", "*C:\Users\Public*"]) OR ("process"="*\regsvr32.exe" command IN ["*.jpg", "*.jpeg", "*.png", "*.gif", "*.bin", "*.tmp", "*.temp", "*.txt"])) -(command IN ["*\AppData\Local\Microsoft\Teams*", "*\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll*"] OR (parent_process="C:\Program Files\Box\Box\FS\streem.exe" command="*\Program Files\Box\Box\Temp\*") OR command="*/s C:\Windows\System32\RpcProxy\RpcProxy.dll"))
  

LP_Execution of Trojanized 3CX Application¶

• Trigger Condition: Execution of the trojanized version of the 3CX Desktop is detected. 3CX Desktop versions 18.12.407 and 18.12.416 are known to be trojanized by the Lazarus Group and are also signed using the 3CX signature.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masqueradings

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=1 file="3CXDesktopApp.exe" product IN ["*3CX Ltd*","*3CX Desktop App*"] file_version IN ["*18.12.407*","18.12.416*"]
  

LP_Msbuild Spawned by Unusual Parent Process¶

• Trigger condition: Suspicious use of msbuild.exe by an uncommon parent process is detected. msbuild.exe is a legitimate Microsoft tool used for building and deploying software applications.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution, MSBuild

• ATT&CK ID: T1127, T1127.001

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

  label=Create label="Process" "process"="*\MSBuild.exe" -parent_process in ["*\devenv.exe", "*\cmd.exe", "*\msbuild.exe", "*\python.exe", "*\explorer.exe", "*\nuget.exe"]
  

LP_Suspicious Files Designated as System Files Detected¶

• Trigger condition: The execution of the +s option of the attrib command is detected to designate scripts or executable files in suspicious locations as system files, hiding them from users and making them difficult to detect or remove. attrib.exe is a Windows command-line utility that allows users to adjust file or folder attributes such as read-only, hidden and system.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

• ATT&CK ID: T1564, T1564.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label=Create label="Process" "process"="*\attrib.exe" command = "* +s *" command in ["* %*", "*\Users\Public\*", "*\AppData\Local\*", "*\ProgramData\*", "*\Windows\Temp\*"] command in ["*.bat*", "*.dll*", "*.exe*", "*.hta*", "*.ps1*", "*.vbe*", "*.vbs*"] -command="*\Windows\TEMP\*.exe*"
  

LP_Bypass User Account Control using Registry¶

• Trigger condition: Bypass of User Account Control (UAC) is detected. Adversaries bypass UAC mechanisms to elevate process privileges on the system. The alert queries for *\mscfile\shell\open\command\* or *\ms-settings\shell\open\command\*.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon ((event_id=12 event_type=*Create*) OR (event_id=13 event_type=SetValue)) target_object IN ["*\mscfile\shell\open\command\*","*\ms-settings\shell\open\command\*"]
  

LP_Unsigned Image Loaded Into LSASS Process¶

• Trigger condition: Loading unsigned images like DLL or EXE into the LSASS process.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, LSASS Memory

• ATT&CK ID: T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

  norm_id=WindowsSysmon event_id=7 image="*\lsass.exe" signed="false" -user IN EXCLUDED_USERS
  

LP_Usage of Sysinternals Tools Detected¶

• Trigger condition: Usage of Sysinternals tools due to the addition of accepteula key to a registry.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  (label=Registry label=Set target_object="*\EulaAccepted") or (label=Create label="Process" command IN ["* -accepteula*", "* /accepteula*"])
  

LP_Microsoft SharePoint Remote Code Execution Detected¶

• Trigger condition: The execution of a remote code in Microsoft SharePoint (CVE-2019-19781).

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, IDS/IPS, Web server

• Query:

  request_method=POST (url='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*' OR resource='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*')
  

LP_DenyAllWAF SQL Injection Attack¶

• Trigger condition: DenyALLWAF detects SQL injection attack.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: DenyAll WAF

• Query:

  norm_id=DenyAllWAF label=SQL label=Injection
  

LP_Malicious use of Scriptrunner Detected¶

• Trigger condition: The malicious use of Scriptrunner.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="create" label="process" ("process"="*\ScriptRunner.exe" OR file="ScriptRunner.exe") command="* -appvscript *"
  

LP_Suspicious process related to Rundll32 Detected¶

• Trigger condition: A suspicious process related to RunDLL32.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Rundll32

• ATT&CK ID: T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

  label="create" label="process" (command IN ["*javascript:*", "*.RegisterXLL*"] OR (command="*url.dll*" command="*OpenURL*") OR (command="*url.dll*" command="*OpenURLA*") OR (command="*url.dll*" command="*FileProtocolHandler*") OR (command="*zipfldr.dll*" command="*RouteTheCall*") OR (command="*shell32.dll*" command="*Control_RunDLL*") OR (command="*shell32.dll*" command="*ShellExec_RunDLL*") OR (command="*mshtml.dll*" command="*PrintHTML*") OR (command="*advpack.dll*" command="*LaunchINFSection*") OR (command="*advpack.dll*" command="*RegisterOCX*") OR (command="*ieadvpack.dll*" command="*LaunchINFSection*") OR (command="*ieadvpack.dll*" command="*RegisterOCX*") OR (command="*ieframe.dll*" command="*OpenURL*") OR (command="*shdocvw.dll*" command="*OpenURL*") OR (command="*syssetup.dll*" command="*SetupInfObjectInstallAction'*") OR (command="*setupapi.dll*" command="*InstallHinfSection*") OR (command="*pcwutl.dll*" command="*LaunchApplication*") OR (command="*dfshim.dll*" command="*ShOpenVerbApplication*"))